3

Many resources I come across state that one major advantage of full-port scans (e.g. SYN scans) is the fact that there is a lower risk of being logged. But why?

In my opinion, the sequence of segments exchanged in a SYN scan (SYN >> SYN/ACK >> RST) seems way more suspicious/abnormal than that of a full TCP connect scan (SYN >> SYN/ACK >> ACK). Since the first SYN segment already reveals information about the sender (i.e. IP address, assuming no spoofing or proxy), I don't understand why a full connect scan is riskier than a half-open scan.

Max

1 Answer

3

Half-open scans are purely dealt with by the operating system, which is not likely to log anything unless a firewall like iptables is in place. Once a full TCP handshake has taken place, however, the operating system hands the connection off to the application that's listening on that port, and the resulting hangup is likely to cause the application to log an error.

In short, half-open connections are quieter because they stay behind the scenes with the OS.

gowenfawr
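Added example (not part of the answer above): a small Python demonstration of the host-side difference the answer describes. The hypothetical application below only gets a socket back from `accept()` once the kernel has completed the three-way handshake, so a peer that completes the handshake and hangs up (the full connect scan case) shows up in the application's own log, while a half-open probe that answers the SYN/ACK with RST never reaches application code at all. The client side here is just a loopback connect-and-close, constructed for the demo.

```python
import socket
import threading
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


def application_listener(listener, observed):
    """Service loop of a hypothetical application (assumed for this demo).

    accept() returns only after the kernel has finished the handshake
    (SYN, SYN/ACK, ACK). A half-open probe that is answered with RST after
    the SYN/ACK never yields an accepted socket, so nothing below runs for it.
    """
    conn, peer = listener.accept()
    with conn:
        try:
            data = conn.recv(1024)
        except ConnectionResetError:
            logging.warning("connection from %s reset before any request", peer[0])
            observed.append("reset_by_peer")
            return
        if not data:
            # Peer completed the handshake and hung up without sending a request:
            # this is the footprint a full TCP connect scan leaves in app logs.
            logging.warning("connection from %s closed without sending a request", peer[0])
            observed.append("hangup_without_request")
        else:
            observed.append("request")


def full_connect_probe(port):
    """Constructed client behaviour: complete the handshake, then close."""
    with socket.create_connection(("127.0.0.1", port), timeout=2):
        pass  # no application data is ever sent


def run_demo():
    """Run listener and probe on loopback; return what the application observed."""
    observed = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=application_listener, args=(listener, observed))
    worker.start()
    full_connect_probe(port)
    worker.join(timeout=5)
    listener.close()
    return observed


if __name__ == "__main__":
    print(run_demo())  # the application logged the connect-and-hangup
```

Running it prints a `WARNING` line from the application and returns `['hangup_without_request']`; there is no equivalent path for a SYN that is never followed by the final ACK, which is the whole point of the answer.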
  • Great thanks! That solves my problem... But if a firewall were in place, would it be likely for the SYN>>SYN/ACK>>RST combo to be detected, thus making the SYN scan noisier than it is said to be? – Max Jun 08 '20 at 16:16
  • 1
    To expand on this point, this is talking about host-based detection. The connection information is not going to be percolated up the application stack on the host itself. A network based detection mechanism is likely going to detect the port scan either way. – Dan Landberg Jun 08 '20 at 16:20
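Added example (not part of the comment thread above) illustrating the network-side view the comments describe: a packet filter such as iptables logs the very first SYN, before the host can know whether the peer will finish the handshake or answer the SYN/ACK with RST, so a log-based detector sees both scan types identically. The detector below parses constructed iptables-style `LOG` lines (documentation addresses 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, a made-up `IN-DROP` log prefix) and flags any source whose initial SYNs touch many distinct ports within a short window. The threshold values are assumptions for the demo, not from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from an iptables/nftables LOG line as syslog records it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) "
)


def parse_initial_syn(line):
    """Return (timestamp, src, dport) for a logged initial SYN, else None.

    The first SYN of a handshake carries SYN without ACK. The packet filter logs
    it before the host knows whether the peer will complete the handshake
    (connect scan) or reply to the SYN/ACK with RST (half-open scan).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    if " SYN " not in line or " ACK " in line:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def detect_port_scans(lines, window_seconds=60, min_ports=8):
    """Flag sources whose initial SYNs hit >= min_ports distinct ports within
    any interval of window_seconds. Returns {src: sorted list of ports}."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_initial_syn(line)
        if parsed:
            ts, src, dport = parsed
            by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            ports = set()
            for ts, dport in events[i:]:
                if (ts - events[i][0]).total_seconds() > window_seconds:
                    break
                ports.add(dport)
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


def _log_line(second, src, dport, flags):
    # Constructed syslog line in the shape `iptables -j LOG --log-prefix "IN-DROP "` emits.
    return (f"Jun  8 16:10:{second:02d} gw kernel: IN-DROP IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT=41234 DPT={dport} WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: one source sweeping ten ports in ten seconds, and one
# ordinary client talking to 443 (its mid-connection ACK/PSH must be ignored).
SAMPLE_LOG = [
    _log_line(i + 1, "203.0.113.7", p, "SYN")
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    _log_line(5, "198.51.100.4", 443, "SYN"),
    _log_line(6, "198.51.100.4", 443, "ACK PSH"),
]


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

Because the filter logs the initial SYN, nothing in these lines distinguishes a half-open probe from a full connect: the quietness the answer describes is a property of the host's application layer, not of the network path.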