The FIN flag is one of the six bits in the control field of the Transmission Control Protocol (TCP) header. It is used to indicate the end of data transmission and gracefully terminate a TCP connection. In this article, you will learn about the purpose and the process of the FIN flag in network security.
TCP is a reliable and connection-oriented protocol that ensures the delivery and order of data packets between hosts on a network. TCP uses a header to carry information about the source and destination ports, sequence and acknowledgment numbers, window size, checksum, urgent pointer, and options. The header also has a control field that consists of six flags: URG, ACK, PSH, RST, SYN, and FIN. Each flag has a specific function and can be set to 1 or 0 to indicate its presence or absence.
These elements carry vital information that governs the establishment, maintenance, and termination of connections, and also manage data flow and congestion control. The flags, such as URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish), play specific roles, from initiating a new connection (SYN) to concluding it (FIN), and in managing states and data flows within the TCP session. Understanding these headers and flags is fundamental to network analysis, troubleshooting, and security implementations, allowing abnormal or malicious behavior in network communications to be identified and responded to.
I would recommend having the book TCP/IP Illustrated Volume 2; this is the best book when it comes to understanding the protocol. It should be on everyone's shelf. And the hardcover is worth having.
The FIN flag is used to signal the end of data transmission from the sender to the receiver. It is set to 1 when the sender has no more data to send and wants to close the connection. The receiver acknowledges the FIN flag by sending an ACK flag back to the sender. The FIN flag does not mean that the connection is immediately terminated, but rather that it is in the process of being closed. The connection can still be used to send data in the opposite direction until both sides send and receive FIN flags.
There are situations in which a connection needs to be closed or reset immediately. This may be because of a system or protocol error.
You should also be aware that most IDS systems seeing bad traffic have the ability to interdict by sending a reset packet.
For example, a TCP end receives a packet for which there is no connection. The receiving side will send a TCP RST to the remote end to close the connection and set it up again if required. The other end sends the TCP RST Ack. In contrast to the FIN, RST and RST Ack close the connection in both directions immediately. The TCP user application is also informed about the reset, so that the application is aware that there can be packet loss and will take action accordingly.
When set, it indicates that the sender has finished sending data and wishes to begin closing the connection. However, using FIN does not imply an immediate close; it allows communication to continue in the opposite direction until both parties have sent and acknowledged FIN flags. This mechanism ensures that all transmitted data is properly received and processed before the connection's resources are released, reflecting the reliable, connection-oriented nature of the TCP protocol.
The process of closing a TCP connection using the FIN flag is called the four-way handshake. It requires four steps to complete. First, the sender sends a segment with the FIN flag set to 1 and a sequence number x to the receiver. Second, the receiver sends a segment with the ACK flag set to 1 and an acknowledgment number x+1 to the sender. Third, the receiver sends a segment with the FIN flag set to 1 and a sequence number y. Fourth, the sender responds with a segment with the ACK flag set to 1 and an acknowledgment number y+1. When both sides have received the ACK flags, the connection is closed.
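The four steps above can be checked mechanically against a capture. The following is an added example, not part of the original article: the `Seg` record, the side labels "A" and "B", and the values x = 1000 and y = 5000 are constructed for illustration.

```python
from collections import namedtuple

FIN, ACK = 0x01, 0x10  # TCP flag bits

# One observed segment: sending side ("A" or "B"), flags, sequence and acknowledgment numbers
Seg = namedtuple("Seg", "src flags seq ack")

def check_close(segments):
    """Return (closed, notes) for a teardown between sides "A" and "B".

    A FIN consumes one sequence number, so the ACK answering a FIN with
    sequence number n must carry acknowledgment number n + 1.
    """
    fin_seq = {}        # side -> sequence number of the FIN it sent
    fin_acked = set()   # sides whose FIN the peer has acknowledged
    notes = []
    for s in segments:
        peer = "B" if s.src == "A" else "A"
        # Handle ACK first so a combined FIN+ACK segment is processed correctly.
        if s.flags & ACK and peer in fin_seq and peer not in fin_acked:
            if s.ack == (fin_seq[peer] + 1) % 2**32:   # sequence space wraps at 2^32
                fin_acked.add(peer)
                notes.append(f"{s.src} ACKs FIN from {peer} (ack={s.ack})")
        if s.flags & FIN and s.src not in fin_seq:
            fin_seq[s.src] = s.seq
            notes.append(f"{s.src} sends FIN (seq={s.seq})")
    return fin_acked == {"A", "B"}, notes

# Constructed sample with x = 1000 and y = 5000. On an established connection
# the FIN segments normally carry the ACK flag as well.
SAMPLE_CLOSE = [
    Seg("A", FIN | ACK, 1000, 5000),  # step 1: FIN, seq = x
    Seg("B", ACK,       5000, 1001),  # step 2: ACK, ack = x + 1
    Seg("B", FIN | ACK, 5000, 1001),  # step 3: FIN, seq = y
    Seg("A", ACK,       1001, 5001),  # step 4: ACK, ack = y + 1
]

if __name__ == "__main__":
    closed, notes = check_close(SAMPLE_CLOSE)
    print("\n".join(notes), "\nclosed:", closed)
```

Stopping the input after step 2 returns `closed == False`, which is the half-closed state in which B may still send data to A.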
This process reflects TCP's commitment to data reliability and integrity, ensuring that all information is properly sent and acknowledged before the connection's resources are released. The careful use of sequence and acknowledgment numbers during this process helps prevent data loss and ensures that both sides are synchronized when the session concludes. This method of termination contributes to the robustness and reliability of the TCP protocol.
The FIN flag can be used to analyze the network traffic and identify the state and duration of TCP connections. By using tools such as Wireshark or tcpdump, you can capture and inspect the TCP header and flags of each packet. You can filter the packets by the FIN flag and see when and how the connections are terminated. You can also measure the time between the FIN and ACK flags to calculate the round-trip time (RTT) of the connection. The FIN flag can also help you detect anomalies or attacks on the network, such as FIN scans or FIN floods.
A FIN scan is a type of port scanning technique that exploits the behavior of the FIN flag. A port scan is an attempt to discover open or closed ports on a target host by sending packets with different flags and observing the responses. A FIN scan sends packets with only the FIN flag set to 1 to the target ports. If the port is closed, the target host will respond with a RST flag, indicating that there is no connection to close. If the port is open, the target host will ignore the packet and send no response. By analyzing the responses or lack thereof, the attacker can infer the status of the ports.
The FIN (Finish) flag in the TCP header is used to signal the end of a TCP connection. When a FIN packet is sent, it indicates that the sender has finished transmitting data and wants to close the connection.
FIN scan analysis is a technique used in network security to probe target systems for open ports.
For example, nmap utilizes the FIN flag during its scan by sending TCP packets with only the FIN flag set to target ports. It analyzes responses to these packets to determine the state of the port: a lack of response typically indicates the port is open or filtered, while a reset (RST) response indicates the port is closed.
A FIN flood is a type of denial-of-service (DoS) attack that exploits the behavior of the FIN flag. A DoS attack is an attempt to overwhelm or disrupt a target host or network by sending a large number of packets or requests. A FIN flood sends packets with the FIN flag set to 1 to a target host, without establishing a proper TCP connection. The target host will allocate resources to process the packets and send ACK flags back, but will not receive any further packets from the attacker. The target host will keep the connection half-open until a timeout occurs, which can consume its memory and CPU resources and prevent legitimate connections.
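Both the FIN scan and the FIN flood described above share one observable trait: FIN segments arriving on flows that never completed a handshake. The following detection sketch is an added example, not part of the original article; the function names, the thresholds and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

FIN, SYN, ACK = 0x01, 0x02, 0x10

def tcp_fields(header):
    """Return (src_port, dst_port, flags) from the first 14 bytes of a TCP header."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, off_flags & 0x3F  # low six bits: URG ACK PSH RST SYN FIN

def make_header(sport, dport, flags):
    """Build a constructed 20-byte header (data offset 5) for the sample capture."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

def stray_fins(packets):
    """packets: (src_ip, dst_ip, raw_header) in capture order.

    Returns {src_ip: (fin_count, distinct_dst_ports)} for FIN segments on flows
    whose SYN was never seen. A capture that starts mid-connection misses the
    handshake, so pre-existing flows show up here as false positives.
    """
    seen_syn, count, ports = set(), Counter(), {}
    for src, dst, hdr in packets:
        sport, dport, flags = tcp_fields(hdr)
        flow = frozenset([(src, sport), (dst, dport)])  # direction-independent key
        if flags & SYN:
            seen_syn.add(flow)
        elif flags & FIN and flow not in seen_syn:
            count[src] += 1
            ports.setdefault(src, set()).add(dport)
    return {src: (count[src], len(ports[src])) for src in count}

def classify(stats, port_threshold=3, volume_threshold=100):
    """Label sources; both thresholds are illustrative and need tuning per network."""
    labels = {}
    for src, (n, nports) in stats.items():
        if nports >= port_threshold:
            labels[src] = "fin-scan-like"     # stray FINs spread across many ports
        elif n >= volume_threshold:
            labels[src] = "fin-flood-like"    # high volume of stray FINs at few ports
    return labels

# Constructed sample capture: one normal connection, one scan-shaped source, one flood-shaped source
SAMPLE = [("10.0.0.5", "10.0.0.1", make_header(40000, 443, SYN)),
          ("10.0.0.1", "10.0.0.5", make_header(443, 40000, SYN | ACK)),
          ("10.0.0.5", "10.0.0.1", make_header(40000, 443, FIN | ACK))]
SAMPLE += [("203.0.113.9", "10.0.0.1", make_header(50000, p, FIN)) for p in (22, 80, 443, 8080)]
SAMPLE += [("198.51.100.7", "10.0.0.1", make_header(1024 + i, 80, FIN | ACK)) for i in range(150)]
```

Running `classify(stray_fins(SAMPLE))` labels the two constructed offenders and leaves the client that completed a handshake before its FIN unlabelled.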