A FIN scan is a network port scanning technique that sends a specially crafted TCP packet to a target computer to determine whether its ports are open or closed. It gets its name from the TCP FIN flag, which normally signals the end of a connection. Security professionals and attackers use FIN scans because they can slip past certain firewalls and intrusion detection systems that only watch for more obvious scanning methods.
How a FIN Scan Works
Every TCP connection uses a set of control flags to manage communication between two computers. The FIN flag is one of these, and its normal job is to tell the other side that a connection is finished. A FIN scan exploits a quirk in how the TCP protocol handles unexpected FIN packets sent to ports where no active connection exists.
When a FIN packet arrives at a closed port, the target system responds with a RST (reset) packet, essentially saying “nothing is here.” When a FIN packet arrives at an open port, the system silently drops the packet and sends nothing back. By tracking which ports respond and which stay quiet, the scanner can map out which services are running on the target machine. This behavior is defined in RFC 793, the original specification for the TCP protocol.
Why Attackers Use FIN Scans
The most common port scanning method, a SYN scan, mimics the first step of opening a normal connection. Many firewalls and logging systems are specifically designed to detect and record these SYN-based scans. A FIN scan sidesteps this because it never attempts to open a connection at all. It sends a packet that looks like the tail end of a conversation that never happened, which older or simpler security tools may ignore entirely.
FIN scans belong to a family of “stealth scans” that also includes XMAS scans (which set the FIN, PSH, and URG flags simultaneously) and NULL scans (which set no flags at all). All three rely on the same principle: closed ports reply with RST, open ports stay silent.
Limitations of FIN Scanning
FIN scans have a significant reliability problem. The technique depends on the target system following the TCP specification exactly, and not all operating systems do. Windows systems, for example, send a RST packet back regardless of whether the port is open or closed. This makes FIN scans essentially useless against Windows targets, since every port looks the same in the results.
Modern firewalls and intrusion detection systems have also caught up. Stateful firewalls track the full lifecycle of TCP connections, so they can recognize that an incoming FIN packet doesn’t belong to any active session and flag or block it. This significantly reduces the stealth advantage that made FIN scans appealing in the first place. The technique remains more effective against older network infrastructure or minimal firewall configurations.
Another practical issue is speed. Because open ports produce no response, the scanner has to wait long enough to be confident that silence means “open” rather than “the packet got lost.” This makes FIN scans slower than SYN scans, especially across large ranges of ports or unreliable networks.
FIN Scans in Security Tools
Nmap, the most widely used port scanning tool, supports FIN scans with the -sF flag. Running a FIN scan through Nmap will categorize ports as “open|filtered” (no response received), “closed” (RST received), or “filtered” (ICMP error received). The “open|filtered” label reflects the inherent ambiguity: the scanner cannot definitively distinguish an open port from one blocked by a firewall that silently drops packets.
Security professionals typically use FIN scans as one technique among several during penetration testing. Comparing the results of SYN scans, FIN scans, and other methods against the same target can reveal how a firewall is configured and which filtering rules are in place. A port that appears open on a SYN scan but “open|filtered” on a FIN scan tells a different story than one that shows consistent results across both methods.
Detecting and Blocking FIN Scans
Stateful firewalls are the primary defense. Because they track active connections, they can immediately identify FIN packets that don’t correspond to any established session and drop them. Most modern enterprise firewalls handle this by default.
Intrusion detection systems like Snort and Suricata include signatures for FIN scan patterns. These tools look for repeated FIN packets sent to multiple ports on the same host within a short timeframe, a pattern that doesn’t occur in normal network traffic. Rate-limiting inbound connections and logging unexpected FIN packets at the network perimeter provide additional visibility into scanning activity.
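The two defenses above can be combined in a few lines of detection logic. The following Python sketch is an added example, not taken from Snort, Suricata, or any firewall product. It ignores FIN packets that close a known session and alerts when one source sends session-less FINs to several ports on the same host within a short window. The function names, the 5-second window, the 4-port threshold, and the sample packets are all assumptions made for illustration.

```python
from collections import defaultdict, deque

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits

def detect_fin_scans(packets, window=5.0, min_ports=4):
    """Return sorted (src, dst) pairs whose session-less FINs hit at least
    `min_ports` distinct ports on dst within `window` seconds.
    packets: time-ordered (ts, src, sport, dst, dport, flags) tuples.
    window and min_ports are assumed defaults; tune them per network."""
    sessions = set()             # flows opened by a SYN, stored in both directions
    recent = defaultdict(deque)  # (src, dst) -> (ts, dport) of stray FINs
    alerts = set()
    for ts, src, sport, dst, dport, flags in packets:
        if flags & SYN:
            # Simplified state tracking: a real stateful firewall waits for
            # the completed three-way handshake before trusting the flow.
            sessions.add((src, sport, dst, dport))
            sessions.add((dst, dport, src, sport))
            continue
        if not flags & FIN or (src, sport, dst, dport) in sessions:
            continue             # not a FIN, or a FIN closing a known session
        probes = recent[(src, dst)]
        probes.append((ts, dport))
        while ts - probes[0][0] > window:
            probes.popleft()     # expire probes older than the window
        if len({port for _, port in probes}) >= min_ports:
            alerts.add((src, dst))
    return sorted(alerts)

def sample_packets():
    """Constructed sample traffic (documentation address ranges)."""
    web = ("192.0.2.10", 50000, "192.0.2.80", 443)
    rev = (web[2], web[3], web[0], web[1])
    pkts = [(0.0, *web, SYN), (0.1, *rev, SYN | ACK), (0.2, *web, ACK),
            (1.0, *web, FIN | ACK), (1.1, *rev, FIN | ACK)]  # normal open/close
    # One source sends bare FINs to five ports in half a second.
    pkts += [(2.0 + i / 10, "203.0.113.7", 40000, "192.0.2.80", port, FIN)
             for i, port in enumerate((21, 22, 23, 25, 80))]
    # Two stray FINs 30 s apart: below threshold and outside the window.
    pkts += [(3.0, "198.51.100.3", 41000, "192.0.2.80", 22, FIN),
             (33.0, "198.51.100.3", 41000, "192.0.2.80", 80, FIN)]
    return sorted(pkts)

if __name__ == "__main__":
    print(detect_fin_scans(sample_packets()))
```

Only the source that probes five ports in quick succession is reported; the normal connection teardown and the two widely spaced stray FINs are not.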

