All the research of half an hour says that FIN-only is never legitimate.
> Packets should never contain just a FIN flag. FIN packets are frequently used for port scans, network mapping and other stealth activities.
> Send an unsolicited ACK to an open or closed port and you will get back a plain RST. A FIN will _never_ appear by itself which is why Cisco's "established" keyword filters on ACK and/or RST packets. Only FIN/ACK is valid.
Other Stack Exchange sites might be better in the context of discussing IDS/IPS topics.
**EDIT:**
(With tip'o'the hat to Ron Maupin, see his comment): The TCP RFC does _not_ (edited, it must've been late...) explicitly state that a FIN-only packet is illegal nor that a FIN flag MUST be accompanied by another flag. Still, a FIN-only packet in a modern-day network is something unusual, quite possibly intentional, thus probably worth looking at and for.
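An added example, not part of the original answer: a minimal detection check that reads the flag byte of raw TCP headers and reports segments with FIN set but ACK clear, separating the exact FIN-only case from the normal FIN/ACK teardown. The function names and sample segments are constructed for illustration, and the input is assumed to start at the TCP header.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_flags(segment: bytes) -> int:
    """Return the flag bits of a raw TCP segment (header at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # ports, seq, ack, data offset, flags, window, checksum, urgent pointer
    _, _, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return flags & 0x3F  # keep the six classic flags, ignore ECN bits

def classify(flags: int) -> str:
    """Label a segment by how its FIN bit is used."""
    if not flags & FIN:
        return "no-fin"
    if flags == FIN:
        return "fin-only"          # the case discussed in the answer
    if flags & ACK:
        return "fin-ack"           # normal connection teardown
    return "fin-without-ack"       # FIN plus other bits, still no ACK

def make_segment(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Build a constructed 20-byte TCP header (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4,
                       flags, 1024, 0, 0)

def suspicious(segments):
    """Return (index, label) for every segment with FIN set and ACK clear."""
    hits = []
    for i, seg in enumerate(segments):
        label = classify(parse_flags(seg))
        if label in ("fin-only", "fin-without-ack"):
            hits.append((i, label))
    return hits

# Constructed sample traffic, not captured data
SAMPLE = [make_segment(f)
          for f in (SYN, SYN | ACK, ACK, FIN | ACK, FIN, FIN | PSH, RST)]

if __name__ == "__main__":
    for idx, label in suspicious(SAMPLE):
        print(f"segment {idx}: {label}")
```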