Home > CAPEC List > CAPEC-299: TCP SYN Ping (Version 2.9)  


Definition in a New Window Definition in a New Window
Attack Pattern ID: 299
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker uses a TCP SYN packets as a means of purpose of host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present SYN pings are preferable to ACK pings, because a stateful firewall will typically drop all unsolicited ACK packets because they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. An attacker will often alternate between SYN and ACK pings to discover if a host is alive. A TCP SYN ping has the following characteristics:

  • 1. Host Discovery: Can be used to discover if a host is alive via ACK or RST packets.
  • 2. Effective Against: Stateful Firewalls that allow incoming new connections to target ports.
  • 3. Weak Against: Stateless firewalls that blanket-filter incoming SYN
  • 4. Port State: Able to determine port state via SYN/ACK or RST response.
+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Transport Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

+ Attack Prerequisites
  • The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges.

+ Typical Severity


+ Resources Required

The ability to craft custom TCP segments for use during network reconnaissance. SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
"Varies by context"
Bypass protection mechanism
Hide activities
+ References
[R.299.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 48. 6th Edition. McGraw Hill. 2009.
[R.299.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.299.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.2 TCP SYN Ping, pg. 61. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
[R.299.4] [REF-28] Mark Wolfgang. "Host Discovery with Nmap". November 2002. <http://nmap.org/docs/discovery.pdf>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015