11

I'm reading about nmap's SYN scan, and it says Nmap sends an RST immediately after the server tries to establish the handshake.

My question is - why bother with the RST? Is it to prevent the server from trying to reconnect on every checked port, and thus create unneeded incoming traffic to the scanning machine? Would that traffic slow the scan down immensely?

I would guess that that pattern of SYN, RST should be easy to "read" by IDSs, and I'm not sure why it is there in the first place. Why not register the response and keep going?

Vilican
  • 2,703
  • 8
  • 21
  • 35
Jay
  • 223
  • 1
  • 6

2 Answers2

17

Leaving a connection in syn_rcvd state will raise flags as well as this is a common denial of service attack.

If you don't send a RST, the server will remain in a syn_rcv state for up to 60 seconds and retransmit the SYN ACK up to 5x. This will waste resources on the network you're scanning and cause a bunch of (depending on the speed and success of your scan) of retransmitted SYN ACKs being sent back to you.

The 60 second and 5 retries are linux defaults - these values will vary.

Jeff S.
  • 286
  • 2
  • 4
  • 1
    Here is a paper (PDF) discussing using these SYN ACK retransmission times and counts to fingerprint the OS of a remote target: http://irl.cse.tamu.edu/people/zain/papers/sigmetrics2014.pdf – bonsaiviking Jun 25 '16 at 12:09
11

This is technically false: Nmap does not send a RST at any point in the half-open SYN scan. Instead, it relies on the scanning machine's OS to send RST packets in response to what the kernel views as unsolicited SYN-ACK packets. This is the same mechanism that is probed by Nmap's ACK scan (-sA) to map out firewall rules. Of course, this means that if your scanning system has a firewall, it's very likely that it drops unsolicited SYN-ACK packets instead of responding with RST, so you could potentially create a SYN flood condition. It's best to turn off such rules or to add an explicit rule to allow sending of RSTs in this case when performing large scans so that you don't burden your targets.

Regarding stealth, it's important to know your history. Nmap was released in 1997, predating BlackICE, Snort, and Bro (all created in 1998). At the time the "stealth SYN scan" was so named, an Intrusion Detection System was a program to check your logs for failed connection attempts. Since SYN scan never completes a TCP handshake, the application is never notified. The event dies in the kernel and there's nothing in the application log to indicate anything went wrong. These days, however, the situation is almost inverted; organizations are much more likely to have a network IDS/IPS than a properly configured SIEM/UTM/log analysis capability.

bonsaiviking
  • 11,316
  • 1
  • 27
  • 50
  • A properly configured firewall will not silently drop unsolicited SYN-ACK packets. If you receive an unexpected SYN-ACK from a legitimate server, chances are that you will be receiving more, unless you respond with a RST. Moreover sending the RST will reduce the risk of an attacker successfully spoofing your IP. – kasperd Jun 25 '16 at 16:58
  • @kasperd All very good points. Unfortunately, lots of "security experts" who use Nmap also use iptables with very simple rulesets: drop everything, allow by exception, no special handling for out-of-order packets. – bonsaiviking Jun 26 '16 at 12:46