Hey there! Snap! Snap! (bad, bad computer)

Sniffle has detected a No SYN exploit.

Object CExploitFlags

The No SYN exploit is often used as a port probe, looking for active ports on a machine. It attempts to convince a target machine that a conversation is already underway.

In a normal connection, the client sends a TCP packet with the SYN flag set.  If the server wants to allow the connection, it replies with a packet setting the SYN and ACK flags.  The client then replies with an ACK and the conversation begins.

In a No SYN exploit the aggressor sends an unsolicited SYN ACK packet, trying to convince the target that the target actually initiated the connection attempt.  The aggressor is looking for an ACK response.

If the aggressor is searching for open ports, the return IP address must be real.  If it has another goal, such as a denial of service attack, the source address is almost certainly spoofed.

Since this attack can focus on any port, it is impossible to defend against.  Sniffle resets the aggressor's connection when it encounters this type of attack.
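The check described above, as an added example (not Sniffle's own code): it remembers every SYN the local machine sends and flags any inbound SYN ACK that answers none of them. The `Packet` tuple, the function name `find_unsolicited_synacks` and the addresses are assumptions constructed for illustration.

```python
from typing import Iterable, List, NamedTuple, Set, Tuple

# TCP flag bits (RFC 793)
SYN, ACK = 0x02, 0x10


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def find_unsolicited_synacks(packets: Iterable[Packet], local_ip: str) -> List[Packet]:
    """Return inbound SYN ACK packets that answer no SYN sent by local_ip."""
    # Handshakes we opened, keyed (local ip, local port, remote ip, remote port).
    # Entries are kept so a retransmitted SYN ACK is not flagged; a real
    # tracker would expire them on a timer or when the connection closes.
    opened: Set[Tuple[str, int, str, int]] = set()
    flagged: List[Packet] = []
    for p in packets:
        if p.src == local_ip and (p.flags & SYN) and not (p.flags & ACK):
            opened.add((p.src, p.sport, p.dst, p.dport))
        elif p.dst == local_ip and (p.flags & (SYN | ACK)) == (SYN | ACK):
            # Step 2 of a handshake: valid only if we sent step 1 on this 4-tuple.
            if (p.dst, p.dport, p.src, p.sport) not in opened:
                flagged.append(p)
    return flagged


# Constructed sample traffic (documentation addresses, RFC 5737).
SAMPLE = [
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, SYN),        # local opens
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),  # expected reply
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, ACK),
    Packet("203.0.113.7", 4444, "192.0.2.10", 22, SYN | ACK),    # no SYN was sent
    Packet("203.0.113.7", 80, "192.0.2.10", 40000, SYN | ACK),   # right port, wrong peer
]

if __name__ == "__main__":
    for pkt in find_unsolicited_synacks(SAMPLE, "192.0.2.10"):
        print(f"No SYN: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```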


