During a security audit you notice that the perimeter firewall currently forwards TCP segments that have invalid flag combinations (FIN, NULL, or Xmas) to the internal hosts, allowing the end-systems to generate their own replies. To reduce the amount of information an external attacker can gather with FIN/NULL/Xmas scans while causing the least disruption to legitimate traffic, which firewall adjustment is MOST appropriate?
Proxy all unsolicited TCP connections to a low-interaction tarpit listening on an unused internal host.
Configure the firewall to silently drop any inbound TCP segment that does not have the SYN flag set.
Configure the firewall to return an ICMP type 3 code 13 (communication administratively prohibited) for all blocked packets.
Enable a rule that sends a TCP RST for every inbound packet that fails state tracking, regardless of port state.
FIN, NULL, and Xmas scans rely on RFC-compliant behavior: a closed port responds with RST, whereas an open port ignores the probe. If the edge firewall silently drops every inbound TCP segment that lacks the SYN flag, without forwarding it or sending any response, the attacker receives no packet back in either case. All probed ports therefore appear as 'filtered', preventing the scanner from distinguishing open from closed ports. Sending RSTs for every probe (or forwarding them to the host) still reveals that a service is present or absent, and ICMP error messages can be equally useful to the attacker. Redirecting the traffic to a tarpit may slow the probe but still lets the attacker know which ports accept connections. Dropping the packets at the perimeter provides the most effective and least disruptive countermeasure.
Certified Ethical Hacker (CEH)
Reconnaissance Techniques