GIAC Certified Incident Handler (GCIH) — Question 189

In the network logs there are ACK/FIN/PSH/URG packets from a host going to a closed port, and SYN/FIN/URG/PSH packets going to open ports. What is the host likely doing?

Answer options

Correct answer: B

Explanation

The correct answer is B: the behavior described indicates that the host is performing host discovery, sending packets to identify which ports are open on a device. The other options do not accurately represent this activity: active OS fingerprinting (A) involves probing for OS details, passive OS fingerprinting (C) analyzes traffic without active probing, and IDS evasion (D) refers to techniques used to avoid detection by intrusion detection systems.