Merry Christmas! ∠(*・m・)v Do you know about the Christmas scan?
Hello.
This is Kawa from the System Solutions Department.
The end of the year goes by so quickly.
By 5pm, it's already dark and cold outside, and I want to stay warm under the kotatsu and play Switch at this time of year.
December means Christmas.
Although it's been a while since Santa stopped visiting me,
it's nice to see the cityscape sparkling, isn't it?∠(*・m・)v
As the title says, IT also has something to do with Christmas. Do you know about the "Christmas (Tree) Scan"?
It's the name of a network attack. It's funny how techies come up with so many coined words
(though actually being attacked is not funny at all),
so I thought I'd write a little about the Christmas scan this time.
What is a Christmas scan?
It goes by various names, such as Christmas scan and Christmas tree attack, and
the name comes from the control flags in the packet.
I think attackers usually use stealth scanning as their port-scanning method so they don't get caught.
A packet (here we are talking about TCP) has a 6-bit field called the control flags,
which controls the connection. ACK and SYN are the famous ones.
The following three are used for the Christmas scan:
- URG (Urgent) - The packet contains data that must be processed urgently (with priority)
- PSH (Push) - Pass the data to the upper layer immediately, without buffering it
- RST (Reset) - Forcibly tear down the connection
Apart from RST, these may be flags you haven't heard of much.
The Christmas scan is an attack method that sets these three flag bits to 1 in the very first packet it sends
and observes how the target reacts.
Why Christmas?
As mentioned above, it has to do with the three flags being raised, but honestly that alone doesn't really make sense to me at all.
You have to capture the packet and visualize it in Wireshark or similar, but
then the flag part looks colorful. Also, the flag structure in the right half is supposed to look like a tree:
because it has a conical shape, it looks like a decorated tree.
I don't really see it that way myself, though.
Why is this an attack?
It's more of a port scan than an attack, so it would be more accurate to call it "preparation for an attack."
As you know, TCP packets follow the 3-way handshake flow of SYN~ACK~FIN.
But what if this flow is ignored and an out-of-state packet arrives?
- If the corresponding port is open
  Basically there is no response. This means that by *not* receiving a response, a third party can easily find out that the port is open.
- If the corresponding port is not open
  In this case the packet is not accepted, so basically an RST packet is returned.
  So the sender learns that the port is "closed".
By the way, Windows apparently responds with an RST regardless of whether the port is open or closed, so
there is a possibility that the OS will be revealed as well.
Additionally, the behavior, such as whether or not an RST is sent back, changes depending on the firewall or UTM,
so in combination with other attacks, open ports may be revealed.
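Since the tell-tale sign of this scan is the flag combination in the first packet, the defender's side is straightforward: parse the TCP flag byte and count how many such packets each source sends. The following is an added example (not from the original post) that decodes a raw TCP header, labels the URG/PSH/RST combination described above (and, as a generalization, the FIN/PSH/URG variant that scanners such as Nmap send), and reports sources that exceed a threshold; the packets and IP addresses are constructed samples.

```python
import struct
from collections import Counter
from dataclasses import dataclass

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    flags: int


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header (network byte order)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpHeader(src, dst, off_flags & 0xFF)  # low byte holds CWR..FIN


def classify(flags: int) -> str:
    """Label a flag combination; an Xmas probe is never a SYN or an ACK."""
    if flags & URG and flags & PSH and flags & RST:
        return "xmas-urg-psh-rst"  # combination described in the post
    if flags & URG and flags & PSH and flags & FIN and not flags & (SYN | ACK):
        return "xmas-fin-psh-urg"  # Nmap -sX style variant (generalization)
    if flags & SYN and not flags & ACK:
        return "syn"
    return "other"


def xmas_sources(packets, threshold: int = 3) -> dict:
    """Count Xmas-flagged packets per source IP and return the noisy ones."""
    hits = Counter()
    for src_ip, raw in packets:
        if classify(parse_tcp_header(raw).flags).startswith("xmas"):
            hits[src_ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def make_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample, no payload)."""
    data_offset_words = 5  # header length in 32-bit words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       (data_offset_words << 12) | flags, 65535, 0, 0)


# Constructed capture: one host probing several ports, one normal client.
SAMPLE = [("198.51.100.7", make_tcp(40000 + p, p, URG | PSH | RST)) for p in (22, 80, 443)]
SAMPLE += [("198.51.100.7", make_tcp(40500, 8080, URG | PSH | FIN))]
SAMPLE += [("203.0.113.5", make_tcp(51000, 443, SYN)),
           ("203.0.113.5", make_tcp(51000, 443, ACK | PSH))]

if __name__ == "__main__":
    print(xmas_sources(SAMPLE))  # {'198.51.100.7': 4}
```

In a real deployment the source/header pairs would come from a capture library or an IDS rather than the constructed list, and the threshold keeps a single stray malformed packet from raising an alert.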
complete