Thwarting a FIN Scan (CLI Procedure)
To thwart FIN scans, take either or both of the following actions:
- Enable the screen option that specifically blocks TCP segments with the FIN flag set but not the ACK flag, which is anomalous for a TCP segment:

  user@host# set security screen ids-option fin-no-ack tcp fin-no-ack
  user@host# set security zones security-zone name screen fin-no-ack

  where name is the name of the zone to which you want to apply this screen option.
- Change the packet processing behavior to reject all non-SYN packets that do not belong to an existing session. SYN checking is enabled by default.

Note: Changing the packet flow to check that the SYN flag is set for packets that do not belong to existing sessions also thwarts other types of non-SYN scans, such as a null scan (when no TCP flags are set).
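As an added illustration (not part of the Junos documentation), the following Python model applies the two checks above in the same order to constructed TCP segment records; the flow-table model, verdict strings and addresses are simplified assumptions, not device behavior.

```python
from dataclasses import dataclass, field

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class FlowChecker:
    """Hypothetical, simplified model of the two checks described above."""
    fin_no_ack_screen: bool = True   # screen option: drop FIN set without ACK
    syn_check: bool = True           # flow option: non-SYN needs an existing session
    sessions: set = field(default_factory=set)

    def handle(self, src: str, dst: str, flags: int) -> str:
        """Return 'accept' or a 'drop:<reason>' verdict for one TCP segment."""
        # Screen check first: after the handshake every segment carries ACK,
        # so a FIN without ACK never occurs in a legitimate conversation.
        if self.fin_no_ack_screen and flags & FIN and not flags & ACK:
            return "drop:fin-no-ack"
        if (src, dst) in self.sessions or (dst, src) in self.sessions:
            return "accept"
        # No session yet: only a bare SYN may create one.
        if flags & SYN and not flags & ACK:
            self.sessions.add((src, dst))
            return "accept"
        if self.syn_check:
            # Catches FIN, null (no flags), ACK and XMAS probes alike.
            return "drop:non-syn-no-session"
        return "accept"


def run(records, **options):
    """Apply the checks in order to constructed (src, dst, flags) records."""
    checker = FlowChecker(**options)
    return [checker.handle(*rec) for rec in records]


# Constructed sample traffic: a legitimate connection followed by two probes.
SAMPLE = [
    ("198.51.100.7:40000", "192.0.2.10:443", SYN),        # client opens
    ("192.0.2.10:443", "198.51.100.7:40000", SYN | ACK),  # server replies
    ("198.51.100.7:40000", "192.0.2.10:443", ACK),        # handshake done
    ("198.51.100.7:40000", "192.0.2.10:443", FIN | ACK),  # normal close
    ("203.0.113.5:55555", "192.0.2.10:22", FIN),          # FIN probe
    ("203.0.113.5:55556", "192.0.2.10:22", 0),            # null probe
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{rec[0]:>22} -> {rec[1]:<18} flags=0x{rec[2]:02x} {verdict}")
```

Disabling only the screen option still drops the FIN probe, because SYN checking rejects any non-SYN segment without a session; disabling both lets the probes through.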