TCP SYN Ping
Attack Pattern ID: 299 (Detailed Attack Pattern Completeness: Stub)Typical Severity: LowStatus: Draft
+ Description

Summary

An attacker uses a TCP SYN packets as a means of purpose of host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present SYN pings are preferable to ACK pings, because a stateful firewall will typically drop all unsolicited ACK packets because they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. An attacker will often alternate between SYN and ACK pings to discover if a host is alive. A TCP SYN ping has the following characteristics:

1. Host Discovery: Can be used to discover if a host is alive via ACK or RST packets.

2. Effective Against: Stateful Firewalls that allow incoming new connections to target ports.

3. Weak Against: Stateless firewalls that blanket-filter incoming SYN

4. Port State: Able to determine port state via SYN/ACK or RST response.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

+ Attack Prerequisites

The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges.

+ Resources Required

The ability to craft custom TCP segments for use during network reconnaissance. SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern292Host Discovery 
Mechanism of Attack1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC793 - Transmission Control Protocol". 1981. <http://www.faqs.org/rfcs/rfc793.html>.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
Mark Wolfgang. "Host Discovery with Nmap". 2002. <http://nmap.org/docs/discovery.pdf>.
Back to top