TCP ACK Ping
Attack Pattern ID: 297 (Detailed Attack Pattern Completeness: Stub)Typical Severity: LowStatus: Draft
+ Description

Summary

An attacker sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, an attacker identify that the host is alive by looking for a RST packet. Typically a remote server will respond with a RST regardless of whether a port is open or closed. In either case, the attacker can determine that the host is alive. TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. TCP ACK pings are most likely to fail in cases where a stateful firewall is present. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping has the following characteristics:

1. Host Discovery: Can be used to discover if a host is alive via RST response packets sent from the host.

2. Effective Against: Stateless Firewalls due to a typical lack of rules that reject unsolicited ACK packets.

3. Weak Against: Stateful Firewalls due to the ability to reject a packet not part of an existing connection.

4. Port State: Unable to determine if a port is open or closed.

The tool nmap will send TCP ACK pings when the command line "-PA" switch is used. Sending an ACK ping requires the ability to access "raw sockets" in order to create the packets with direct access to the packet header.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

+ Attack Prerequisites

The ability to send an ACK packet to a remote host and identify the response. Creating the ACK packet without building a full connection requires the use of raw sockets. As a result, it is not possible to send a TCP ACK ping from some systems (Windows XP SP 2) without the use of third-party packet drivers like Winpcap. On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.

+ Resources Required

The ability to craft custom TCP ACK segments for use during network reconnaissance. ACK scanning can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern292Host Discovery 
Mechanism of Attack1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC793 - Transmission Control Protocol". 1981. <http://www.faqs.org/rfcs/rfc793.html>.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
Mark Wolfgang. "Host Discovery with Nmap". 2002. <http://nmap.org/docs/discovery.pdf>.
Back to top