SYN scanning

SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. SYN scanning is also known as half-open scanning.

In SYN scanning, the hostile client attempts to set up a TCP/IP connection with a server at every possible port. This is done by sending a SYN (synchronization) packet, as if to initiate a three-way handshake, to every port on the server. If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open. Then the hostile client sends an RST (reset) packet. As a result, the server assumes that there has been a communications error, and that the client has decided not to establish a connection. The open port nevertheless remains open and vulnerable to exploitation. If the server responds with an RST (reset) packet from a particular port, it indicates that the port is closed and cannot be exploited.

By continuously sending large numbers of SYN packets to a server, a cracker can consume the resources of the server. Because the server is flooded with requests from the hostile client, few or no communications from legitimate clients can take place.