Detection of Network Responses Through Various Symptoms
We may receive one of the following four types of response, each of which tells us the state of the network connection: whether it was accepted, or why and where it was rejected, dropped or lost.
No Response – If no packet is received, the original packet may not have reached its destination IP address. The other possibility is that a security device placed in between may have silently dropped the packet.
RST/ACK – If a RST/ACK packet is received, the packet was rejected either by the IP stack installed on the host or by a security device (e.g. a Checkpoint reject) installed on the host.
SYN/ACK – If a SYN/ACK is received, then the port from which the response was received may be open for connection.
ICMP type 13 – If an ICMP type 13 packet is received, the administrator of the host has prohibited this type of connection (a high level of security). A router will often use this response to implement its ACL security policy.
So when we hping an FTP or other TCP port on any host, we should receive an ICMP or RST/ACK response. But if we get a response flagged RA from hping, it should be noted that some kind of security device is installed between the port and the intruder.
Ethical hackers analyze such responses carefully to perform further scans and to secure their systems using a black-box approach.
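The four states above can be told apart mechanically from a captured reply. The following is an added example, not code from the original page: it classifies raw IPv4 replies built inline as constructed samples. It assumes the "ICMP type 13" response corresponds to ICMP destination unreachable (type 3) with code 13, "communication administratively prohibited"; the function and helper names are hypothetical.

```python
import struct

# TCP flag bits, and the ICMP numbers assumed for the page's "ICMP type 13".
SYN, RST, ACK = 0x02, 0x04, 0x10
ICMP_UNREACHABLE, ADMIN_PROHIBITED = 3, 13  # assumption: type 3, code 13

def classify(reply):
    """Map a raw IPv4 reply (bytes), or None for a timeout, to one of the four states."""
    if reply is None:
        return "no-response: packet lost or silently dropped in transit"
    if len(reply) < 20 or reply[0] >> 4 != 4:
        return "unparsed: not an IPv4 packet"
    ihl = (reply[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, payload = reply[9], reply[ihl:]
    if proto == 6 and len(payload) >= 14:  # TCP: flags are byte 13 of the header
        flags = payload[13]
        if flags & (SYN | ACK) == (SYN | ACK) and not flags & RST:
            return "syn-ack: port may be open"
        if flags & (RST | ACK) == (RST | ACK):
            return "rst-ack: rejected by host IP stack or a security device"
    if proto == 1 and len(payload) >= 2:   # ICMP: type and code are bytes 0 and 1
        if (payload[0], payload[1]) == (ICMP_UNREACHABLE, ADMIN_PROHIBITED):
            return "icmp-prohibited: administratively prohibited (router ACL)"
    return "other: not one of the four states"

def ipv4(proto, payload):
    """Build a constructed IPv4 packet (documentation addresses, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + payload

def tcp(flags, sport=21, dport=40000):
    """Build a constructed 20-byte TCP header carrying only the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

if __name__ == "__main__":
    # Constructed sample replies, one per state described in the text.
    samples = {
        "timeout": None,
        "open port": ipv4(6, tcp(SYN | ACK)),
        "rejected": ipv4(6, tcp(RST | ACK)),
        "acl": ipv4(1, struct.pack("!BBHI", 3, 13, 0, 0)),
    }
    for name, pkt in samples.items():
        print(f"{name:10s} -> {classify(pkt)}")
```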