Not All SYN Packets Are Created Equal
By Daniel Miessler on May 18th, 2006: Tagged as Information Security | Security
During a recent assessment I noticed that I was getting back (or, not getting back, as it were) a filtered response to nmap and hping SYN scans. That’s normal enough for sites that drop incoming scan traffic, but the weird part was that if I used a standard connect scan, i.e. one that completes the three-way handshake, I would get back a ton of open ports on the same host.
So if I did a “regular” scan, I’d send a SYN, get back a SYN-ACK, and then respond with an ACK. Fair enough, but if I sent just the SYN from nmap or tcpdump, the host would not respond at all. Well, after a couple of minutes of head-scratching, logic revealed the path to the truth:
