What is a FIN port scan and how does it work?
Posted in General, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Security, WebNM on May 7th, 2009 by nathanh

Every morning begins the same way: I come into the office, boot up my laptop, get my coffee and then start on my daily responsibilities.
As I’m sitting at my desk replying to various e-mails and such, Milton decides to talk to himself.
Now when I say that he’s talking to himself, I really mean that he’s talking to everyone in a 10-foot radius, but he’s the only one who understands what he’s talking about.
Here’s a sample of how it goes:
Milton: “There are two girls on the page now…”
Me: “I’m sorry, what?”
Milton: “Who is the new girl on the website?”
Me: “What are you talking about? What girls, what website?”
Milton: “For our blogs…”
Me: “mhrmmmm.” (This is me trying to terminate the conversation)
I’m going to stop there…
That is a common morning conversation scenario with my buddy Milton. If you are confused about this conversation, you are not alone. With Milton starting conversations like we’ve been talking for an hour, he always manages to get a reply out of me, even if it is one of confusion.
I use Milton as an example of how a FIN port scan works.
First, think of Milton as a port scan designed for Linux boxes. Milton starts the conversation by sending the port a packet with only the FIN TCP flag set, to trick the port into thinking that Milton has been speaking to it all along. After all, the FIN flag is the flag used to FINISH a conversation.
If the port that Milton is talking to is closed, the port replies to Milton with a RST flag. That’s like me saying “mhmmm” just to end the conversation.
However, if the port is open, the packet is quietly discarded, since the conversation is over. But this is exactly what Milton is looking for. If he doesn't get that RST flag, he knows there is a service listening on that port.
Now that he’s found an open port, he can say what he wants and your server will listen.
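To make the mechanics concrete, here is an added Python illustration (not part of the original post): a model of how an RFC 793-style stack answers a stray segment, what the scanner concludes from that answer, and a simple detector that picks Milton's probes out of a constructed sample of TCP segments. The sample addresses and ports are invented.

```python
from collections import defaultdict

# Constructed sample of TCP segments as a sensor might summarise them (not a real capture).
# Each tuple: (src_ip, dst_ip, dst_port, flags); flags use tcpdump letters
# S=SYN, A=ACK, F=FIN, R=RST.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"),    # normal client handshake to SSH
    ("10.0.0.9", "10.0.0.5", 22, "SA"),
    ("10.0.0.5", "10.0.0.9", 22, "A"),
    ("10.0.0.5", "10.0.0.9", 22, "FA"),   # polite close: a real FIN always rides with ACK
    ("10.0.0.7", "10.0.0.9", 22, "F"),    # Milton: FIN with no prior SYN -> open port stays silent
    ("10.0.0.7", "10.0.0.9", 23, "F"),    # FIN to a closed port -> host answers with RST
    ("10.0.0.9", "10.0.0.7", 23, "R"),
    ("10.0.0.7", "10.0.0.9", 80, "F"),
]

def rfc793_reply(port_open, flags):
    """Reply an RFC 793-compliant stack sends for a segment that belongs to no
    existing connection. Returns the reply flags, or None if silently dropped.
    (Stacks that deviate from the RFC, e.g. Windows, RST every such probe.)"""
    if "R" in flags:
        return None          # incoming RSTs are never answered
    if not port_open:
        return "R"           # CLOSED: anything else gets a RST
    if "A" in flags:
        return "R"           # LISTEN: a stray ACK is reset
    if "S" in flags:
        return "SA"          # LISTEN: a genuine handshake
    return None              # LISTEN: a lone FIN is dropped, as the post describes

def scanner_inference(reply):
    """How the scanner reads the reply. Silence cannot tell an open port from a
    firewall dropping the probe, which is why scanners report 'open|filtered'."""
    return "closed" if reply == "R" else "open|filtered"

def detect_fin_probes(segments):
    """Flag FIN-only segments (no ACK) whose sender never began a handshake to
    that port: legitimate FINs carry ACK and follow a SYN, so these are probes."""
    handshakes, probes = set(), defaultdict(list)
    for src, dst, port, flags in segments:
        if "S" in flags:
            handshakes.add((src, dst, port))
        elif flags == "F" and (src, dst, port) not in handshakes:
            probes[src].append(port)
    return dict(probes)   # e.g. {"10.0.0.7": [22, 23, 80]} for the sample above
```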
Now that you understand how the FIN port scan works, does anyone have an aspirin?
-Nate
Tags: internet threats, Network Behavior Analysis, Network Traffic Analysis
Nate,
Once again, excellent post and explanation.
Thanks, *hands over the Aleve (better on the gut)
William
I have enabled netflow between two 6509 switches, but a very nasty surprise was waiting for me…
the interfaces went down right after and I had to console to them to get the config off the interfaces…
Not sure what happened there.