Semi-open scan primary

xiaoxiao2021-03-06  42


Last Update: 2002-07-07 21:00:48

Schematic of a normal client/server exchange:

Client ---------- (Request) ----------> Server
Client <--------- Connection ---------> Server
Client <--------- (Response) ---------- Server

The normal TCP three-way handshake (Communication Three Way Handshake) is:

Client -------- SYN --------> Server

Client <----- SYN/ACK ------- Server

Client -------- ACK --------> Server

This completes the communication connection process (Communication Connection Process).

Handshake-spoofing (half-open) connection:

Client -------- SYN --------> Server

Client <----- SYN/ACK ------- Server

Client ------ // delayed, no ACK sent ------ Server

Client <----- connection pending? ------ Server

Client -------- RST --------> Server

At this point the client has reached the server, but the server has not learned the client's true identity: the client has achieved the effect of hiding itself while still making contact with the server. As a result the server's logs do not correctly record the client, and the chance of being discovered during such a scan is greatly reduced.

Key: the step "Client ------ // delayed, no ACK sent ------ Server" means that the client deliberately does not send the server its ACK (acknowledgment) in time, so the server never receives a confirmed answer and never learns the client's true identity. Yet after "Client <----- SYN/ACK ------- Server" the client has already made contact with the server; by deliberately delaying its answer it achieves the goal of the semi-open connection scan. To do this it must, of course, estimate the server's connection timeout fairly accurately. This is a Communication Handshake Connection to which an abnormal handshake pattern has been applied.

The semi-open scanner applies this principle to hide itself while probing whether the server is up. But the method is less reliable: a server with better monitoring notices that the client never correctly completes the Three Way Handshake Procedure and cuts the connection off.

Quite a few good scanners are built on this principle. Of course, if the server is equipped with an IDS or another listening device, the client can still be discovered. This is the struggle of cat and mouse, and the strong is king!
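The "better monitoring" the text refers to comes down to tracking each handshake's state and noticing clients whose SYNs are answered with SYN/ACK but never followed by an ACK. The following is an added example, not code from the original post: it classifies constructed per-flow flag events (the tuple format and addresses are assumptions) and flags clients with repeated half-open handshakes.

```python
from collections import defaultdict

# Constructed sample of TCP flag events as seen by the server:
# (src, dst, dport, flags). Illustration only, not captured traffic.
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.1", 22, "SYN"),
    ("10.0.0.1", "10.0.0.5", 22, "SYN/ACK"),
    ("10.0.0.5", "10.0.0.1", 22, "ACK"),      # normal three-way handshake
    ("10.0.0.9", "10.0.0.1", 22, "SYN"),
    ("10.0.0.1", "10.0.0.9", 22, "SYN/ACK"),
    ("10.0.0.9", "10.0.0.1", 22, "RST"),      # SYN/ACK never ACKed: half-open
    ("10.0.0.9", "10.0.0.1", 80, "SYN"),
    ("10.0.0.1", "10.0.0.9", 80, "SYN/ACK"),  # no answer at all: timed out
    ("10.0.0.9", "10.0.0.1", 443, "SYN"),
    ("10.0.0.1", "10.0.0.9", 443, "RST/ACK"), # closed port, server refuses
]

def classify_handshakes(events):
    """Map (client, server, port) -> 'complete', 'half_open', 'refused'
    or 'no_reply'. A flow left waiting for the client's ACK at the end of
    the window is counted as half_open, just like one ended by a client RST."""
    state = {}
    for src, dst, port, flags in events:
        if flags == "SYN":
            state[(src, dst, port)] = "syn_sent"
            continue
        server_key = (dst, src, port)        # packets from server to client
        client_key = (src, dst, port)        # packets from client to server
        if flags == "SYN/ACK" and state.get(server_key) == "syn_sent":
            state[server_key] = "syn_received"   # server now waits for ACK
        elif flags == "RST/ACK" and state.get(server_key) == "syn_sent":
            state[server_key] = "refused"
        elif flags == "ACK" and state.get(client_key) == "syn_received":
            state[client_key] = "complete"
        elif flags == "RST" and state.get(client_key) == "syn_received":
            state[client_key] = "half_open"
    final = {"syn_received": "half_open", "syn_sent": "no_reply"}
    return {k: final.get(v, v) for k, v in state.items()}

def half_open_by_client(events, threshold=2):
    """Clients with at least `threshold` half-open handshakes (assumed cutoff)."""
    counts = defaultdict(int)
    for (client, _server, _port), st in classify_handshakes(events).items():
        if st == "half_open":
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for flow, st in classify_handshakes(SAMPLE_EVENTS).items():
        print(flow, st)
    print("suspected half-open scanners:", half_open_by_client(SAMPLE_EVENTS))
```

In a real deployment the events would come from a packet capture or firewall log, and the threshold would be tuned against the timeout the text mentions, since a legitimately slow client can also leave one handshake open.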

Please cite the original source when reprinting: https://www.9cbs.com/read-54483.html
