• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Half Scan attack

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> Half Scan attack Page: [1]
Login
Message << Older Topic   Newer Topic >>
Half Scan attack - 7.Mar.2002 12:45:00 AM   
argyp

 

Posts: 7
Joined: 21.Feb.2002
Status: offline
Can anyone explain to me what a half scan attack on the ISA server is

I found my event viewer full of this error.
Post #: 1
RE: Half Scan attack - 7.Mar.2002 1:33:00 AM   
jasonb54

 

Posts: 37
Joined: 10.Apr.2001
From: Lexington, KY
Status: offline
An IP half-scan attack should be defined in the ISA Server help file, but essentially it is where a computer tries to bypass establishing a connection by starting to send multiple SYN packets while never completing the packet with an ACK.

This type of attack is built-in to Intrusion Detection as a pre-configured alert.

Jason

(in reply to argyp)
Post #: 2
RE: Half Scan attack - 7.Mar.2002 9:00:00 AM   
md3v

 

Posts: 308
Joined: 22.Jan.2002
Status: offline
A half-scan attack consits of a TCP SYN scan. A regular TCP connection is:

Client: SYN
Server: SYN/ACK
Client: ACK

A TCP SYN scan connection is:

Hacker: SYN
Server: SYN/ACK
Client: no response

This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is turn is somewhat 'stealth' as a full TCP connection never occurs thus identities of rogue parties are not ALWAYS identified.

ISA understands and protects against SYN scans though and IDS systems, like SNORT understand TCP SYN scan traffic.

(in reply to argyp)
Post #: 3
RE: Half Scan attack - 2.Apr.2002 9:02:00 PM   
digitalman

 

Posts: 3
Joined: 18.Mar.2002
Status: offline
If I am receiving several of these all of a sudden should be concerned?

Is ISA protecting me? [Confused]

(in reply to argyp)
Post #: 4
RE: Half Scan attack - 3.Apr.2002 3:51:00 PM   
jokan7

 

Posts: 19
Joined: 8.May2001
From: Florida - USA
Status: offline
I used to get half scan attack as well as portscan attack alerts all the time. In order to determine the threat, whenever I receive an alert I will use ping -a to give me the Domain of the computer scanning me. About 80% of the time I will get a response and its almost always some search engine robot probing for web sites. If you have internal users listening to streaming music like launchcast or spinner you can get several alerts as this services probes your firewall for open ports. If the IP address does not answer back with a name then I treat it as suspect and I add the IP to my "Intrusion Rule" (my own setup) to deny them access to prevent possible attacks. Now the scan attacks have slowed tremendously.

[ April 03, 2002, 03:52 PM: Message edited by: jokan7 ]

(in reply to argyp)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> General >> Half Scan attack Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts