A security analyst suspects that an attacker is scanning their network. They notice a large number of TCP SYN packets being sent to various ports on a single host, but no SYN-ACK responses are returned. Which type of scan is most likely being used?
SYN scan sends SYN packets; lack of SYN-ACK indicates filtered/closed ports.
Why this answer
C is correct because a SYN scan (also known as a half-open scan) sends TCP SYN packets to target ports and does not complete the three-way handshake. If no SYN-ACK is returned, it indicates the port is filtered or the host is not responding, which matches the scenario where the attacker receives no SYN-ACK responses. This scan is stealthier than a full TCP connect scan because it never establishes a full connection.
Exam trap
The trap here is that candidates often confuse a SYN scan with a TCP connect scan, thinking that any TCP scan must complete the handshake. The key distinction is that a SYN scan never sends the final ACK, making it half-open and stealthier.
How to eliminate wrong answers
Option A is wrong because a TCP connect scan completes the full three-way handshake (SYN, SYN-ACK, ACK) and would result in SYN-ACK responses for open ports, not the absence of them. Option B is wrong because a UDP scan sends UDP packets, not TCP SYN packets, and relies on ICMP unreachable messages or lack of response, not TCP SYN-ACK behavior. Option D is wrong because a FIN scan sends TCP packets with the FIN flag set, not SYN packets, and expects RST responses for closed ports, not SYN-ACKs.