TCP.Stealth.Activity

Description

This indicates detection of stealth scanning activity and uncommon TCP handshake connection attempts (i.e. a split handshake, where the server rather than the client is the last to send an ACK).
The concept of a split handshake was described in 2010 (T. Beardsley, J. Qian). The most common TCP handshake is the 3-way handshake (SYN, SYN-ACK, ACK). Less common is the simultaneous open handshake, in which both devices act as clients trying to reach each other: each enters an active OPEN state, sends a SYN, and waits for the other's acknowledgement before the connection is established.
The split handshake combines both of these methods. It proceeds in stages (like the simultaneous open) but effectively reverses the direction of the client-server flow once the connection is established, because the server, not the client, is the last one to send the ACK (whereas in a 3-way handshake the client sends the final ACK). This can take four or five steps, depending on whether the attacking server answers the client's initial SYN with an ACK followed by a SYN, or with just a SYN packet. For a split-handshake attack to be successful, the malicious activity must occur after the split-handshake connection has been established.
Stealth scanning is used by intruders to discover what ports are listening on a system without being detected by firewalls and packet filters. A TCP FIN, or Stealth FIN, scan will send a TCP FIN packet to each port. A closed port tends to reply to the FIN packet with the proper TCP RST packet. An open port, on the other hand, tends to ignore the packet in question.
Some systems (e.g. Microsoft systems) send TCP RSTs regardless of the port state and thus are not vulnerable to this attack. However, this caveat is often used to differentiate between Microsoft systems and other systems.
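As an added illustration (not part of this FortiGuard entry), the following Python classifies a captured handshake by who completes it, which is what distinguishes a split handshake from the 3-way and simultaneous-open forms described above, and separately flags bare-FIN probes that reach ports with no established session. The endpoint names and captures are constructed samples.

```python
# Added example, not from the FortiGuard entry: classify a captured TCP
# handshake by who completes it, and flag bare-FIN probes that hit ports
# with no established session. Packets are (src, dst, flags) tuples; the
# endpoint names and captures below are constructed samples.
from collections import defaultdict

def pkt(src, dst, *flags):
    return (src, dst, frozenset(flags))

def classify_handshake(packets):
    """Return '3-way', 'simultaneous-open', 'split' or 'incomplete'.
    A split handshake is recognised by the responder (the host that
    received the first SYN) being the one that sends the final bare ACK."""
    syns = [p for p in packets if p[2] == {"SYN"}]
    if not syns:
        return "incomplete"
    initiator, responder = syns[0][0], syns[0][1]
    last_src, _, last_flags = packets[-1]
    responder_sent_syn = any(p[0] == responder for p in syns)
    if not responder_sent_syn:
        # Classic exchange: SYN, SYN-ACK, then the initiator's ACK.
        synack = any(p[0] == responder and p[2] == {"SYN", "ACK"} for p in packets)
        if synack and last_src == initiator and last_flags == {"ACK"}:
            return "3-way"
        return "incomplete"
    if last_src == responder and last_flags == {"ACK"}:
        return "split"  # roles reversed: the responder closes the handshake
    synacks = {p[0] for p in packets if p[2] == {"SYN", "ACK"}}
    if synacks == {initiator, responder}:
        return "simultaneous-open"
    return "incomplete"

def fin_scan_sources(packets, established, threshold=3):
    """Report sources whose bare FIN packets reach >= threshold distinct
    destinations with no session in `established` (a set of (src, dst))."""
    probes = defaultdict(set)
    for src, dst, flags in packets:
        if flags == {"FIN"} and (src, dst) not in established:
            probes[src].add(dst)
    return {src for src, dsts in probes.items() if len(dsts) >= threshold}

# Constructed captures for the handshake shapes discussed above.
THREE_WAY = [pkt("C", "S", "SYN"), pkt("S", "C", "SYN", "ACK"), pkt("C", "S", "ACK")]
SPLIT_4 = [pkt("C", "S", "SYN"), pkt("S", "C", "SYN"),
           pkt("C", "S", "SYN", "ACK"), pkt("S", "C", "ACK")]
SPLIT_5 = [pkt("C", "S", "SYN"), pkt("S", "C", "ACK"), pkt("S", "C", "SYN"),
           pkt("C", "S", "SYN", "ACK"), pkt("S", "C", "ACK")]
SIM_OPEN = [pkt("C", "S", "SYN"), pkt("S", "C", "SYN"),
            pkt("C", "S", "SYN", "ACK"), pkt("S", "C", "SYN", "ACK")]
FIN_PROBES = [pkt("X", "S:22", "FIN"), pkt("X", "S:80", "FIN"),
              pkt("X", "S:443", "FIN"), pkt("C", "S:80", "FIN")]
```

Only the bare-FIN packet that has no matching session counts as a probe, so a legitimate close on an established connection (C to S:80 above) is not reported.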

Affected Products

Most systems other than Microsoft systems are vulnerable to stealth scanning attacks.

Impact

Malicious information gathering may assist future attacks.

Recommended Actions

To stop a split-handshake connection from being established, set the action for this signature to Block.

Telemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)