
FIN scan? SYN scan? What?

My (newly installed) firewall is logging both incoming and outgoing SYN and FIN "attacks". Are they attacks, or are they normal network behaviour (or rather, how the hell do I find out)?
Permalink Billy the Fish 
January 5th, 2010 6:48am
Incoming are probes to see if you left ports open. Your firewall is doing its job.
Permalink xampl (iPhone) 
January 5th, 2010 9:07am
It's normal.  They're attacks for sure, but about as threatening as spam with a firewall, or even a properly updated machine.
Permalink Send private email Biggus Dickus 
January 5th, 2010 9:45am
Outgoing probably means you have malware somewhere.
Permalink Zangor, Prince of Mutilation 
January 5th, 2010 9:54am
Tru dat.  A system would not normally be sending those kinds of packets unless it was up to no good.  So get your machine scanned and cleaned.
Permalink Send private email Biggus Dickus 
January 5th, 2010 9:56am
Hmm. Well a full scan with both AVG and Spybot Search & Destroy discovered nothing untoward...

Any other ideas?
Permalink Billy the Fish 
January 5th, 2010 12:32pm
Adaware?

How about your router?

Where's the firewall?

Also:

http://img.photobucket.com/albums/v280/unicornkazooie/robinishappy.jpg
Permalink Zangor, Prince of Mutilation 
January 5th, 2010 12:34pm
The firewall and router/switch are one and the same.

And that photo is just weird. I thought you'd given up posing for that kind of thing?
Permalink Billy the Fish 
January 5th, 2010 12:44pm
AVG isn't especially trustworthy.  I've seen virus-ridden machines that AVG swore were clean.  Try something like Avast to look for viruses.
Permalink Send private email Biggus Dickus 
January 5th, 2010 1:22pm
Another thought, to narrow down the responsible machine: Boot your machines off a Linux live CD and see if the attacks continue.  If they do, you know the Linux-booted machine isn't the source.
Permalink Send private email Biggus Dickus 
January 5th, 2010 1:24pm
I know exactly which machine it is because only one was switched on. Avast also found nothing.
Permalink Billy the Fish 
January 5th, 2010 4:34pm
Well, I guess one possibility is that the firewall is reporting a false positive.  SYN packets by themselves don't particularly mean anything.  They're actually normal for devices trying to establish a network connection.  And they're also what a network scanner would send out to attempt to discover what else is on the network and what ports it had open.

Do you have any other devices connected to the network, like a wireless router, NAS or a game console?  A wireless router or access point would be an obvious source.
Permalink Send private email Biggus Dickus 
January 5th, 2010 4:54pm
Hey, try firing up a machine that doesn't have Windows networking installed.  OpenBSD and FreeBSD by default don't have it enabled (most Linux distros do).  See if it goes away then.  Windows networking is pretty chatty, and it might be sending SYN packets to see if there are peers out there it doesn't know about.
Permalink Send private email Biggus Dickus 
January 5th, 2010 4:56pm
Could also be picking up packets from other wireless routers?
Permalink JoC 
January 5th, 2010 4:58pm
Nah, it's not wireless. The log shows the outgoing packets as coming from this machine, but yes there is an NDAS attached, although switched off. Could the associated Windows software be searching for that?
Permalink Billy the Fish 
January 6th, 2010 12:16pm
Yes.  It's going to find it by sending SYN packets and seeing who responds.
Permalink Send private email Biggus Dickus 
January 6th, 2010 5:26pm
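
One way to tell the cases discussed in this thread apart from a firewall log, as an added example that is not part of any post above: repeated SYNs to one host and port look like software polling for a device, SYNs fanned out over many ports look like a sweep, and FINs to ports that never saw a SYN look like a FIN scan. The log format, the thresholds and all addresses are constructed assumptions, not taken from the poster's firewall.

```python
from collections import defaultdict

# Constructed sample log (assumed format: time src dst dport flags).
SAMPLE_LOG = """\
10:00:01 192.168.1.10 192.168.1.50 5000 SYN
10:00:06 192.168.1.10 192.168.1.50 5000 SYN
10:00:11 192.168.1.10 192.168.1.50 5000 SYN
10:00:12 203.0.113.7 192.168.1.10 21 SYN
10:00:12 203.0.113.7 192.168.1.10 22 SYN
10:00:12 203.0.113.7 192.168.1.10 23 SYN
10:00:12 203.0.113.7 192.168.1.10 25 SYN
10:00:12 203.0.113.7 192.168.1.10 80 SYN
10:00:13 198.51.100.9 192.168.1.10 135 FIN
10:00:13 198.51.100.9 192.168.1.10 139 FIN
10:00:13 198.51.100.9 192.168.1.10 445 FIN
"""

SCAN_TARGET_THRESHOLD = 5  # assumed cut-off: distinct (host, port) targets hit by SYN
STRAY_FIN_THRESHOLD = 3    # assumed cut-off: FINs to targets with no earlier SYN


def classify(log_text):
    """Return {source_ip: verdict} for every source seen in the log."""
    syn_targets = defaultdict(set)  # src -> {(dst, dport)} that received a SYN
    stray_fins = defaultdict(set)   # src -> {(dst, dport)} FIN without prior SYN
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, src, dst, dport, flags = parts
        target = (dst, int(dport))
        if flags == "SYN":
            syn_targets[src].add(target)
        elif flags == "FIN" and target not in syn_targets[src]:
            stray_fins[src].add(target)
    verdicts = {}
    for src in set(syn_targets) | set(stray_fins):
        if len(stray_fins[src]) >= STRAY_FIN_THRESHOLD:
            verdicts[src] = "fin-scan"   # FINs with no connection to close
        elif len(syn_targets[src]) >= SCAN_TARGET_THRESHOLD:
            verdicts[src] = "syn-scan"   # SYNs spread across many ports/hosts
        else:
            verdicts[src] = "normal"     # few targets: connection attempts or polling
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(src, verdict)
```

The counts are per source over the whole log; on a real log you would window them by time so that a long-lived host does not slowly accumulate enough targets to be flagged.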

This topic is archived. No further replies will be accepted.
