What's the purpose of DOS attack fin scan?

2.6K | Asked by AndrewJenkins in Salesforce, Asked on Mar 24, 2022

I've been having some weird issues with a home network, and it seems to me like I have some vulnerability I don't know about. To be honest, though, I'm not a big network/security guy and I kind of feel out of my depth. I'm hoping someone else can help me figure out what's going on.


For at least the last two months I have been seeing weird entries in my router logs. Basically, at least every few days, I see some entry in my router logs that says "Dos Attack" and "FIN Scan"/"Ack Scan" or "Smurf". Sometimes the remote IPs labeled as the attack source show up in whois as owned by Google, or an ad company called OpenX.


At first I thought, well, if my router only records the entries, then it must be blocking them, so it's fine. But I'm not so sure now. Take a look at a recent series of log entries for example:

[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22


[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00

[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:32:49


[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25


[DHCP IP: (192.168.1.6)] to MAC address 22:22:22:222, 09:11:05

What concerns me about a log entry like this is that the "attack packets" change IP address -- not just to one in my internal network, but to the computer I had used earlier that night (I was asleep when the attack packets were logged, and my computer was supposedly asleep). That makes me think the "attack packets" somehow allowed someone access to my system or my network. What is even stranger to me is, while this has been happening for a while now, the most recent entries showing this kind of remote-to-local IP switch was for a Mac machine, whereas the previous ones were related to a physically different Windows machine.


Before this last entry I took some steps to protect my network just in case. On top of upgrading my router, all of the other machines on the network have been DBANd and had Windows reinstalled fresh, I upgraded my modem to its newer version, I disabled wireless radio entirely on my router so there is no wireless network and no guest wireless network at all, and I also changed my external/public IP with my service provider.


Has anyone seen something like this before? Am I digging into a problem that doesn't exist, or is it possible I'm the target of some bot or attack?

Answered by Andrew Jenkins

Regarding the DoS attack FIN scan - Disconnect the "192.168.1.6" IP address from your router. If your router gateway is "192.168.1.1" then the DoS attack log from 192.168.1.6 is another computer connected to your router. If you don't know how to disable it in the router settings, configure a rule in your firewall to block traffic from 192.168.1.6. If you are in fact experiencing a DoS attack, which I think is highly unlikely, there is very little that can be done at your end to prevent it - to put it bluntly, if a hacker wanted to render your connection unusable, there's no way you can stop him - you're going down - it does not matter what router you use, you will be taken down. The question is why would he want to waste valuable resources targeting you - what's the motive, where's the benefit?

In years gone by, DoS attacks could be done very simply, but equipment manufacturers have patched their code and closed all of the simpler, less resource intensive attacks, so that for a DoS attack now to be successful, it requires a botnet, an army of compromised systems, which takes time to build, and which no hacker is going to risk exposure on a consumer.

ACK scans & FIN scans as DoS attacks are historic exploits, incapable of shutting a modern router down - the CPU should not be responding to them, they should be discarded by the NAT process, unless they occur on ports that you have forwarded. (EDIT) A typical DoS detection process will not respond to a single ‘attack’, it is normal for a router to have a threshold set e.g. 20 per second, but this does not tell you exactly what rate they are arriving. I would say that if the router is able to process the message and drop it, and if the logs show ‘DoS attack’ messages minutes apart then the router should not be stressed in any way simply by traffic volume as that level of traffic is quite insignificant.

If the router is reacting badly to something, e.g. a malformed message, then perhaps this could impact router performance, but that's just an assumption on my part. If I were to ask the question of engineering I would expect the answer to be along the lines of 'not that we know of'. They would need quite detailed information to be able to investigate. If the DoS attacks are quite regular, you could perhaps capture the traffic using a packet capture utility, e.g. Microsoft Network Monitor or Wireshark. Connect a computer directly to the modem and capture traffic over the period of time that you would expect the DoS attacks to appear. You should also try to keep your WAN MAC address consistent so that you are not allocated a different IP address when connected to the modem; this is done in the router WAN Settings by selecting the option 'Use Computer MAC Address'. One thing I'm not entirely sure of is whether the computer OS might drop malformed packets before the packet capture tool can see them. By the way, changing the MAC address in this way with a cable service (the opposite of what I am suggesting here) will often result in the DoS attacks disappearing, at least temporarily.
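The answer's key point is that the router labels a LAN host (192.168.1.6) exactly the way it labels an Internet source. As an added example (not part of either post), this parses log lines in the router's quoted format and separates your own devices from external sources before counting detector hits; the log text is constructed to mirror the question's entries, and the LAN range 192.168.1.0/24 is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the router's log format quoted in the question.
# Non-DoS lines (DHCP) are present to show that the parser skips them.
SAMPLE_LOG = """\
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.6], 15:56:22
[DHCP IP: (192.168.1.2)] to MAC address 33:33:33:33, 12:33:00
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:45:25
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.250.143], 10:45:25
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [173.241.250.212], 10:46:01
"""

DOS_LINE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<window>\d+) sec "
    r"from ip \[(?P<ip>[0-9.]+)\], (?P<time>\d{2}:\d{2}:\d{2})"
)

def parse_dos_events(log_text):
    """Return one dict per '[DoS attack: ...]' line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = DOS_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def classify_source(ip_str, lan_network="192.168.1.0/24"):
    """Separate a device behind the router from an Internet source.
    The router's detector prints both the same way, which is what confused the asker."""
    ip = ipaddress.ip_address(ip_str)
    if ip in ipaddress.ip_network(lan_network):
        return "lan-host"        # one of your own machines, not an outside attacker
    if ip.is_private:
        return "other-private"   # RFC 1918 but not your LAN: misconfiguration or spoofing
    return "external"

def triage(log_text, lan_network="192.168.1.0/24"):
    """Count detector hits per (classification, source ip, scan kind)."""
    counts = Counter()
    for ev in parse_dos_events(log_text):
        counts[(classify_source(ev["ip"], lan_network), ev["ip"], ev["kind"])] += 1
    return counts

if __name__ == "__main__":
    for (cls, ip, kind), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {cls:14s} {ip:16s} {kind}")
```

A "lan-host" hit is the one to investigate on the device itself; the "external" hits are the background noise the answer describes.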




Answer (1)

A FIN scan is a type of network reconnaissance scan used by attackers to gather information about open ports on a target system. It's one of the many techniques used in the reconnaissance phase of a cyber attack, particularly for stealthy port scanning. Here's a detailed explanation of its purpose and how it works:

Purpose of a FIN Scan

1. Stealthiness:

The primary purpose of a FIN scan is to be stealthier than other types of scans like SYN or ACK scans. It aims to evade detection by firewalls and intrusion detection systems (IDS).

Many security systems are configured to detect and alert on SYN scans (which are more common), but may not be configured to detect FIN scans as effectively.

2. Determining Open Ports:

A FIN scan helps identify open ports on a target system. Unlike SYN scans which initiate a connection, FIN scans send a packet with the FIN flag set, indicating the end of communication (as if it's part of a connection teardown).

3. Bypassing Firewalls and Filters:

Some firewalls and filtering systems might allow FIN packets through under the assumption that they are part of an ongoing, legitimate session. This can help the attacker map out open ports that would otherwise be hidden.

How a FIN Scan Works

Packet Structure:

A FIN scan sends TCP packets with only the FIN flag set. In normal TCP communication, the FIN flag is used to gracefully terminate a connection.

Response Analysis:

When a FIN packet is sent to a closed port, the target system should respond with an RST (reset) packet, indicating the port is closed.

If the port is open, the system is supposed to ignore the packet and not send any response. This lack of response is what the attacker uses to identify open ports.

Differences from Other Scans

SYN Scan:

Sends a SYN packet to initiate a connection. If the port is open, the target responds with a SYN-ACK, which the scanner then resets with an RST.

More likely to be detected by firewalls and IDS.

ACK Scan:

Sends an ACK packet to determine firewall rules, not necessarily to identify open ports. Responses vary based on firewall rules rather than port status.

Limitations and Countermeasures

Limitations:

Some modern IDS and firewalls are now capable of detecting FIN scans.

Not effective against all operating systems, as different OSes might handle FIN packets differently.

Countermeasures:

Firewalls and IDS can be configured to detect unusual patterns of FIN packets.

Implementing proper security policies and monitoring network traffic for anomalies.

In summary, the purpose of a FIN scan in the context of a Denial of Service (DoS) attack or reconnaissance is to stealthily identify open ports on a target system while attempting to evade detection by security systems. Understanding and detecting such scans is crucial for maintaining robust network security.
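The answer's countermeasure, detecting unusual patterns of FIN packets, comes down to one stateful check: a FIN that arrives for a connection no handshake was ever seen for is a probe, not a teardown. As an added example (not code from the answer), this applies that check over constructed packet records and raises an alert when one source sends a threshold number of such orphan bare-FIN packets within a 20-second window, the window the asker's router reports; the threshold of 20, the flow tracking by (src, dst, dport) and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Record: (timestamp_s, src_ip, dst_ip, dst_port, set_of_tcp_flags).
# Constructed sample: one legitimate connection from a LAN host (SYN, data ACK,
# FIN+ACK close), then an external host sending FIN-only packets to 25 ports.
SAMPLE_PACKETS = [
    (0.0, "192.168.1.6", "93.184.216.34", 443, {"SYN"}),
    (0.1, "192.168.1.6", "93.184.216.34", 443, {"ACK"}),
    (5.0, "192.168.1.6", "93.184.216.34", 443, {"FIN", "ACK"}),   # normal teardown
] + [
    (10.0 + i * 0.05, "173.241.250.212", "203.0.113.9", 1 + i, {"FIN"})  # probe: FIN alone
    for i in range(25)
]

def detect_fin_scans(packets, window_s=20.0, threshold=20):
    """Return (src_ip, count, timestamp) alerts for sources that send >= threshold
    bare-FIN packets within window_s seconds to flows no SYN was observed for.

    - A FIN on a flow we saw a SYN for is a normal close and is ignored.
    - FIN+ACK is treated as a normal close too; a scanner's FIN probe carries FIN alone.
    """
    known_flows = set()                  # (src, dst, dport) with an observed SYN
    recent = defaultdict(deque)          # src -> timestamps of orphan bare-FINs
    alerts, alerted = [], set()
    for ts, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, dst, dport)
        if "SYN" in flags:
            known_flows.add(key)
            continue
        if flags == {"FIN"} and key not in known_flows:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window_s:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerts.append((src, len(q), ts))
                alerted.add(src)
    return alerts

if __name__ == "__main__":
    for src, n, ts in detect_fin_scans(SAMPLE_PACKETS):
        print(f"FIN scan suspected from {src}: {n} orphan FIN packets by t={ts:.2f}s")
```

The closed-port RST replies the answer mentions are not needed for detection; the orphan FIN probes themselves are the signal, whether or not the target answers.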
