\chapter{Port Scans}

\paragraph{}
Port scans have been classified by the TCP flag settings they use.  The
most commonly employed scans are~\cite{fyodor97a}:
\begin{itemize}
\item TCP connect() scanning,
\item TCP SYN (half open) scanning,
\item TCP FIN (stealth) scanning,
\item SYN/FIN scanning using IP fragments,
\item UDP raw ICMP port unreachable scanning,
\item XMas scans, Null scans, etc.
\end{itemize}

\paragraph{}
A TCP connect() scan can be performed by anyone on any machine.  A standard
connection is attempted to each port: the port is reported as open if the
connection is established, and as closed if it cannot be established.  A
complete TCP handshake is therefore performed.  The disadvantage of this
method is that sites often log the connections made to the various services
they offer.  A number of packets are exchanged in this case --- a SYN packet
to initiate the connection, a SYN-ACK to acknowledge it, an ACK to establish
it, some data from the scanned site to the scanner, a FIN to end the
connection, and a RST to close it.  At least three packets are sent by the
scanner, and at least three packets are received by the scanner.  Despite the
logging performed, this type of scan is nevertheless sometimes used, in
particular by newbies and script kiddies, in order to determine the
particular version of the service being offered at the port of interest.
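Because a connect() scan completes the full handshake, every probe shows up in
the scanned host's ordinary connection log, which is exactly what a site can
use to notice it.  The following is an added example, not code from the
original text or its cited sources: it reads constructed connection-log lines
in an assumed format (timestamp, source, destination host and port, outcome)
and reports any source that reached many distinct ports on one host within a
short window, separating the ports that accepted the connection from those
that refused it.

```python
"""Flag probable TCP connect() scans in a connection log (added example).

A connect() scan leaves one logged connection attempt per probed port, so a
source that touches many distinct ports on the same host in a short time is
reported as a likely scanner.  The log format below is an assumption made for
this example, not a format from the original text.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed form:
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> <outcome>
# "established" means the handshake completed (open port); "refused" means
# the host answered with a RST (closed port).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 192.0.2.10:22 established
2024-01-01T10:00:01 10.0.0.5 -> 192.0.2.10:25 refused
2024-01-01T10:00:01 10.0.0.5 -> 192.0.2.10:80 established
2024-01-01T10:00:02 10.0.0.5 -> 192.0.2.10:110 refused
2024-01-01T10:00:02 10.0.0.5 -> 192.0.2.10:143 refused
2024-01-01T10:00:03 10.0.0.5 -> 192.0.2.10:443 established
2024-01-01T10:00:04 10.0.0.5 -> 192.0.2.10:8080 refused
2024-01-01T10:00:30 10.0.0.7 -> 192.0.2.10:80 established
2024-01-01T10:05:00 10.0.0.7 -> 192.0.2.10:443 established
2024-01-01T10:30:00 10.0.0.9 -> 192.0.2.10:22 established
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port, outcome)."""
    ts, src, _arrow, dst, outcome = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), outcome


def find_connect_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {(src, dst_ip): {"ports": n, "open": [...], "closed": [...]}}
    for every source that reached at least `min_ports` distinct ports on one
    host inside a sliding time window of length `window`."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port, outcome = parse_line(line)
            by_pair[(src, dst_ip)].append((ts, port, outcome))

    findings = {}
    for pair, recs in by_pair.items():
        recs.sort()  # chronological order
        start = 0
        for end in range(len(recs)):
            # Advance the window start until recs[start:end+1] fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            hit = recs[start:end + 1]
            ports = {p for _, p, _ in hit}
            if len(ports) >= min_ports:
                opened = sorted({p for _, p, o in hit if o == "established"})
                closed = sorted({p for _, p, o in hit if o != "established"})
                prev = findings.get(pair)
                # Keep the widest window seen for this source/host pair.
                if prev is None or len(ports) > prev["ports"]:
                    findings[pair] = {"ports": len(ports),
                                      "open": opened, "closed": closed}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_connect_scans(SAMPLE_LOG).items():
        print(f"{src} probed {info['ports']} ports on {dst}: "
              f"open={info['open']} closed={info['closed']}")
```

With the constructed log, only 10.0.0.5 is reported (seven distinct ports
within four seconds); 10.0.0.7 touches two ports minutes apart and is left
alone.  The window length and port threshold are tuning knobs: a lower
threshold catches slower scans at the cost of more false positives from
legitimate multi-service clients.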

