TCP {flags:S}...whats this?

Discussion in 'other firewalls' started by Adam, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. Adam
    Offline

    Adam Registered Member

    Hi guys,
    for the past couple of hours, i am getting this alert in my ZAP 5.0 log>TCP flag:S....all are as medium, and there are like 80 entries already.........from ip 198.64.140.152(ftp data) to my ip's port 4037.

    i am not really bothered by these alerts, all are successfully blocked, but i was curious, what is tcp flag s ?
    i tried to find the answer in ZAP 'help' but couldnt.

    what does it mean?
  2. gkweb
    Offline

    gkweb Expert Firewall Tester

    Hi Adam,

    a TCP packet which has the flag S (S for SYN) enabled just mean that it is a connection attempt. So, by blocking them, your firewall protects you.

    regards,

    gkweb.
  3. CrazyM
    Offline

    CrazyM Firewall Expert

    Flags/control bits used in TCP/IP:

    URG = Urgent bit
    ACK = Acknowledgment bit
    PSH = Push bit
    RST = Reset bit
    SYN = Synchronize bit
    FIN = Finish bit

    "URG
    A control bit (urgent), occupying no sequence space, used to indicate that the receiving user should be notified to do urgent processing as long as there is data to be consumed with sequence numbers less than the value indicated in the urgent pointer.

    ACK
    A control bit (acknowledge) occupying no sequence space, which indicates that the acknowledgment field of this segment specifies the next sequence number the sender of this segment is expecting to receive, hence acknowledging receipt of all previous sequence numbers.

    PSH
    A control bit occupying no sequence space, indicating that this segment contains data that must be pushed through to the receiving user.

    RST
    A control bit (reset), occupying no sequence space, indicating that the receiver should delete the connection without further interaction. The receiver can determine, based on the sequence number and acknowledgment fields of the incoming segment, whether it should honor the reset command or ignore it. In no case does receipt of a segment containing RST give rise to a RST in response.

    SYN
    A control bit in the incoming segment, occupying one sequence number, used at the initiation of a connection, to indicate where the sequence numbering will start.


    FIN
    A control bit (finis) occupying one sequence number, which indicates that the sender will send no more data or control occupying sequence space."

    RFC 793 http://www.ietf.org/rfc/rfc0793.txt

    As gkweb noted, the SYN flag will be seen in connection attempts. Packets with the SYN flag are the first part of establishing a normal connection or the three-way handshake via TCP/IP:

    SYN --->
    SYN/ACK <---
    ACK --->

    Explanation of the Three-Way Handshake via TCP/IP

    Your firewall did not allow these connections, and ZA also noted the flag/control bit of the packet.

    There will be times when you will see other flags noted by ZA (or your firewall if it captures this information). Certain types of stealth scans will send packets with something other than the SYN flag set.

    An example of this you could try would be the stealth scan at pcflank which uses 4 different types of TCP stealth scans with different flags set. For a further description on these types of stealth scans: Nmap network security scanner man page.

    With stateful firewalls you will occassionally see blocked packets with other flags set when established connections time out and these packets arrive late and are blocked. The telltale signs here are the source IP and source port which will be from an existing or previous legitimate connection.

    Regards,

    CrazyM
    Last edited: Jul 16, 2004
  4. Adam
    Offline

    Adam Registered Member

    Hi guys,
    thanks for the relplies.. i've got a better understanding of whats going on in the logs now.

    CrazyM, those links are cool, { perhaps a bit too deep for me, but very informative}.

    say, about the pcflank stealth test, it just tells me we cannot scan your ip, so the test results may be wrong or something.....
    well , sounds good to me!
Thread Status:
Not open for further replies.