SYN scanning

SYN scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. SYN scanning is also known as half-open scanning.

In SYN scanning, the hostile client attempts to set up a TCP/IP connection with a server at every possible port. This is done by sending a SYN (synchronization) packet, as if to initiate a three-way handshake, to every port on the server. If the server responds with a SYN/ACK (synchronization acknowledged) packet from a particular port, it means the port is open. Then the hostile client sends an RST (reset) packet. As a result, the server assumes that there has been a communications error, and that the client has decided not to establish a connection. The open port nevertheless remains open and vulnerable to exploitation. If the server responds with an RST (reset) packet from a particular port, it indicates that the port is closed and cannot be exploited.

By continuously sending large numbers of SYN packets to a server, a cracker can consume the resources of the server. Because the server is flooded with requests from the hostile client, few or no communications from legitimate clients can take place.

This was last updated in April 2007

Continue Reading About SYN scanning

Dig Deeper on Network Security Monitoring and Analysis