Hi All,
Have a couple iphones on the wlan here and at some point all have been blacklisted at least once for doing a FIN scan.
My question is, will you find any traffic in the wild that will legitimately use only the FIN flag? Or will it always be an attempted port scan?
Cheers,
What are you rules to detect FIN scans? FIN scans send a FIN to a port without a connection being open. This could of course happen entirely naturally - such as your router having fairly low connection time outs, lower than the device on the other end. If the phone is expecting the connection to stay open for 10 minutes but your router closes after 5 minutes of inactivity, and then the phone sends a legitimate (from its point of view) connection close the router could detect that as a FIN scan.
hi fewi what you said makes sense.
The rule was borrowed from one of the firewall wikis
;;; NMAP FIN Stealth scan
chain=sanity-check action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=blocked-addr address-list-timeout=2w
