FIN scan? SYN scan? What?
My (newly installed) firewall is logging both incoming and outgoing SYN and FIN "attacks". Are they attacks, or are they normal network behaviour (or rather, how the hell do I find out)?
Incoming are probes to see if you left ports open. Your firewall is doing its job.
It's normal. They're attacks for sure, but about as threatening as spam with a firewall, or even a properly updated machine.
January 5th, 2010 9:45am
Outgoing probably means you have malware somewhere.
Tru dat. A system would not normally be sending those kinds of packets unless it was up to no good. So get your machine scanned and cleaned.
January 5th, 2010 9:56am
Hmm. Well, a full scan with both AVG and Spybot Search & Destroy discovered nothing untoward...
Any other ideas?
How about your router?
Where's the firewall?
The firewall and router/switch are one and the same.
And that photo is just weird. I thought you'd given up posing for that kind of thing?
AVG isn't especially trustworthy. I've seen virus-ridden machines that AVG swore were clean. Try something like Avast to look for viruses.
January 5th, 2010 1:22pm
Another thought, to narrow down the responsible machine: boot your machines off a Linux live CD and see if the attacks continue. If they do, you know the Linux-booted machine isn't the source.
January 5th, 2010 1:24pm
I know exactly which machine it is because only one was switched on. Avast also found nothing.
Well, I guess one possibility is that the firewall is reporting a false positive. SYN packets by themselves don't particularly mean anything. They're actually normal for devices trying to establish a network connection. And they're also what a network scanner would send out to attempt to discover what else is on the network and what ports it had open.
Do you have any other devices connected to the network, like a wireless router, NAS or a game console? A wireless router or access point would be an obvious source.
January 5th, 2010 4:54pm
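An added example, not part of the original thread: one way to separate ordinary connection setup from scan-like traffic in a firewall log, following the distinction made in the post above. The record format, addresses, port 9999 and both thresholds are constructed assumptions, not the poster's firewall output.

```python
from collections import defaultdict

LOCAL = "192.168.1.10"  # constructed address of the logged machine

def sample_records():
    """Constructed (src, dst, dport, tcp_flags) records; not from the thread."""
    recs = [(LOCAL, "203.0.113.5", 443, "S"),    # ordinary connection setup
            (LOCAL, "203.0.113.5", 443, "FA")]   # ordinary teardown of that flow
    # One port tried on many hosts: what peer/device discovery looks like.
    recs += [(LOCAL, f"192.168.1.{h}", 9999, "S") for h in range(20, 40)]
    # Many ports tried on one host: what a port scanner looks like.
    recs += [(LOCAL, "198.51.100.7", p, "S") for p in range(1, 31)]
    # FIN for a flow whose SYN never appears in the log.
    recs.append((LOCAL, "198.51.100.9", 80, "F"))
    return recs

def classify(records, local_src, port_threshold=10, host_threshold=10):
    """Summarise outgoing packets from local_src by fan-out pattern."""
    ports_by_dst = defaultdict(set)  # dst  -> distinct ports sent a bare SYN
    dsts_by_port = defaultdict(set)  # port -> distinct hosts sent a bare SYN
    syn_seen = set()                 # (dst, dport) flows with a logged SYN
    orphan_fins = []                 # FINs with no earlier SYN for the flow
    for src, dst, dport, flags in records:
        if src != local_src:
            continue                 # only outgoing traffic is of interest
        if flags == "S":
            ports_by_dst[dst].add(dport)
            dsts_by_port[dport].add(dst)
            syn_seen.add((dst, dport))
        elif "F" in flags and (dst, dport) not in syn_seen:
            # May also be a connection opened before logging started.
            orphan_fins.append((dst, dport))
    return {
        "port_scan_like": sorted(d for d, p in ports_by_dst.items()
                                 if len(p) >= port_threshold),
        "sweep_like": sorted(p for p, d in dsts_by_port.items()
                             if len(d) >= host_threshold),
        "orphan_fins": orphan_fins,
    }

if __name__ == "__main__":
    for name, hits in classify(sample_records(), LOCAL).items():
        print(name, hits)
```

A single SYN followed by a normal teardown is not reported; only fan-out across many ports or many hosts, or a FIN with no matching SYN, is.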
Hey, try firing up a machine that doesn't have Windows networking installed. OpenBSD and FreeBSD by default don't have it enabled (most Linux distros do). See if it goes away then. Windows networking is pretty chatty, and it might be sending SYN packets to see if there are peers out there it doesn't know about.
January 5th, 2010 4:56pm
Nah, it's not wireless. The log shows the outgoing packets as coming from this machine, but yes, there is an NDAS attached, although switched off. Could the associated Windows software be searching for that?
Yes. It's going to find it by sending SYN packets and seeing who responds.
January 6th, 2010 5:26pm