TCP flag combinations
Normal TCP Flag combination
● SYN, SYN ACK, and ACK are used during the three-way handshake which establishes a TCP connection.
● Except for the initial SYN packet, every packet in a connection must have the ACK bit set.
● FIN ACK and ACK are used during the graceful teardown of an existing connection.
● RST ACK can be used to immediately terminate an existing connection.
● Packets during the "conversation" portion of the connection (after the three-way handshake but before the teardown or termination) contain just an ACK by default.
● Optionally, they may also contain PSH and/or URG.
Abnormal TCP Flag combination
● SYN FIN is probably the best known illegal combination. Remember that SYN is used to start a connection, while FIN is used to end an existing connection. It is nonsensical to perform both actions at the same time. Many scanning tools use SYN FIN packets, because many intrusion detection systems did not catch these in the past, although most do so now. You can safely assume that any SYN FIN packets you see are malicious.
● SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH, and other variants on SYN FIN also exist. These packets may be used by attackers who are aware that intrusion detection systems may be looking for packets with just the SYN and FIN bits set, not additional bits set. Again, these are clearly malicious.
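The rules in both lists above can be turned directly into detection logic. The Python below is an added example written for this note, not code from the original page: it reads the flags byte out of a raw TCP header, applies the normal/abnormal rules (SYN FIN and every SYN FIN variant are abnormal; a packet that is neither the initial SYN nor ACK-bearing is abnormal; PSH and URG are tolerated only as extras on ACK-bearing packets), and runs over a handful of constructed 20-byte headers. The function names and the sample headers are this example's own inventions.

```python
import struct

# TCP flag bits as they sit in the header's flags byte (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ECE/CWR (0x40/0x80) are ECN signalling bits; they are outside the rules above
# and are masked off before classification.
ECN_BITS = 0xC0
FLAG_NAMES = ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"),
              (RST, "RST"), (PSH, "PSH"), (URG, "URG"))


def flag_names(flags):
    """Render a flags value in the 'SYN ACK' notation used in the note."""
    return " ".join(name for bit, name in FLAG_NAMES if flags & bit) or "NULL"


def classify_flags(flags):
    """Apply the normal/abnormal rules to one packet's flags.

    Returns a (verdict, reason) tuple where verdict is 'normal' or 'abnormal'.
    """
    flags &= ~ECN_BITS
    # Rule: SYN and FIN together, with or without extra bits, is never legitimate.
    if flags & SYN and flags & FIN:
        return "abnormal", f"SYN and FIN set together ({flag_names(flags)})"
    # Rule: the handshake consists of a bare SYN followed by SYN ACK.
    if flags == SYN:
        return "normal", "initial SYN of the three-way handshake"
    if flags == SYN | ACK:
        return "normal", "SYN ACK of the three-way handshake"
    if flags & SYN:
        return "abnormal", f"SYN with unexpected extra flags ({flag_names(flags)})"
    # Rule: every packet other than the initial SYN must carry ACK.
    if not flags & ACK:
        return "abnormal", f"ACK bit missing on a non-SYN packet ({flag_names(flags)})"
    # Rule: PSH and URG are optional extras on ACK-bearing packets.
    base = flags & ~(PSH | URG)
    if base == ACK:
        return "normal", "conversation packet (ACK)"
    if base == FIN | ACK:
        return "normal", "graceful teardown (FIN ACK)"
    if base == RST | ACK:
        return "normal", "immediate termination (RST ACK)"
    return "abnormal", f"unexpected combination ({flag_names(flags)})"


def flags_from_tcp_header(header):
    """Return the flags byte (offset 13) of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return header[13]


def build_tcp_header(flags, sport=40000, dport=80):
    """Build a minimal option-free 20-byte TCP header (constructed test data)."""
    data_offset = 5 << 4  # header length of 5 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


# Constructed sample traffic: the normal combinations from the first list,
# followed by the abnormal ones from the second list plus two ACK-less packets.
SAMPLE_PACKETS = [build_tcp_header(f) for f in (
    SYN, SYN | ACK, ACK, ACK | PSH, FIN | ACK, RST | ACK,
    SYN | FIN, SYN | FIN | RST | PSH, FIN, 0, FIN | RST | ACK,
)]


def audit(packets):
    """Classify each raw TCP header; returns (flag text, verdict, reason) per packet."""
    results = []
    for pkt in packets:
        flags = flags_from_tcp_header(pkt)
        results.append((flag_names(flags),) + classify_flags(flags))
    return results


if __name__ == "__main__":
    for names, verdict, reason in audit(SAMPLE_PACKETS):
        print(f"{names:<18} {verdict:<9} {reason}")
```

Running it lists the six normal combinations as normal and flags the five others, including the SYN FIN variants that carry extra bits. One caveat when using the "every non-SYN packet must carry ACK" rule as written: a host answering a segment that itself carried ACK replies with a bare RST (sequence number taken from the incoming ACK field), so a plain RST rule on real traffic will need an allowance for that case.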