General discussion

Locked

Probale TCP FIN scan in log

By UNP ·
Hi All,
My SonicWall SOHO firewall has recorded a 'Probale TCP FIN scan'. when i typed in the source address in my browser it took me to the Hotmail login page. what does this mean?thanks in advance.

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Probale TCP FIN scan in log

by Joseph Moore In reply to Probale TCP FIN scan in l ...

That was probably a spoofed IP source address in the TCP FIN scan.

Ok, there are a lot of flags in the TCP header that can be turned on and off by some of the better port scanners, like NMAP. And the FIN flag is just one of these flags. YOu can also do a TCP SYN scan (the "half-open" scan type that is very popular), TCP XMAS scan (turn all flags on so the packet is lit like a Christmas tree, hence the name!), and the TCP NULL scan (leave all flags off).
And also with the good port scanners (again, like NMAP), you can put in a fake source IP address, called "spoofing."

So, someone spoofed the IP with that of Hotmail.com, and did a TCP FIN scan against your firewall. Can you catch who did this scan attempt now? No, not unless your router was in debug mode at the time (which it probably wasn't, due to the overhead).

So, I wouldn't worry about it very much. Verify the firewall settings (what ports it has open and who --if anyone-- can connect to those open ports), and make sure there isn't anything open that shouldn't be.

But port scan are a daily reality nowadays. They happen all the time all over the place. What I find amazing is how often even dial-up clients are port scanned! For example, NEVER USE NETZERO for dial-up connections UNLESS you have a firewall! That network is scanned constantly!

hope this helps

Collapse -

Probale TCP FIN scan in log

by UNP In reply to Probale TCP FIN scan in l ...

Thanks, Joseph

Back to Security Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums