An XMAS scan (also written Xmas scan or Christmas tree scan) is a variety of TCP port scan in which the attacker transmits TCP packets with an atypical flag combination, traditionally FIN, PSH, and URG. With so many flags lit up, the header is said to resemble a decorated Christmas tree, hence the name.
It is not an exploit by itself. The XMAS scan is a reconnaissance method that tries to learn whether a target host has open, closed or filtered TCP ports by observing how the target behaves (a response or the lack of one) when it receives these oddly flagged probes.
How an XMAS scan works (conceptual description)
TCP packets carry control flags (SYN, ACK, FIN, RST, PSH, URG, etc.) that govern connections. Ordinary communication follows predictable flag patterns (e.g., SYN at the start of a connection). An XMAS scan deliberately sends packets with several seldom-used flags set at once (FIN + PSH + URG).
The method relies on differences in how TCP/IP stacks are implemented and on how a host responds to non-standard packets:
Closed ports (on most traditional TCP stacks) respond with a RST (reset) packet.
Open ports typically ignore such unexpected packets and send no reply; under traditional XMAS logic, silence is therefore taken as an indication that the port is most probably open.
This creates ambiguity, because filtered ports (blocked by a firewall) also produce no reply.
Critical caveat: modern operating systems, middleboxes, firewalls, and intrusion detection systems have changed how stacks behave, so XMAS scan results are far less reliable than they were on older networks.
Why would an attacker use an XMAS scan?
Attackers are mainly after two benefits, stealth and OS fingerprinting:
Stealth: Some legacy IDS/firewall signatures only looked for obvious SYN scans. Very primitive filters can sometimes let odd flag combinations through, or expose hosts that react in a telling fashion.
Fingerprinting: Different OS implementations respond differently to malformed packets; these responses can be used to infer the OS or network stack.
But with modern defensive tooling, stateful firewalls and hardened TCP/IP stacks, XMAS scans are far less useful in real-world attacks.
Caveats: limitations and reliability in 2025.
Ambiguity: Silence may mean either an open or a filtered port, so results are easy to misinterpret.
Newer stacks: Modern OSes and cloud networks may respond to these probes differently from the old RFC-based expectations. Some reply to strange packets with RSTs, some with ICMP messages, and others simply drop them.
Firewalls/proxies: Stateful firewalls, network middleboxes, and cloud load balancers radically modify responses; they frequently block, rate-limit, or normalize them.
Detection risk: Modern IDS/EDR systems and netflow analytics can often alert on these anomalous packets, so the scan is no longer as covert as it used to be.
Because of all this, XMAS scans are now more of a historical curiosity and one tool among many; they are not reliable on their own.
How defenders can detect and respond.
You do not need to know the packet flags inside and out to secure your systems; focus instead on detection, containment and hardening:
1. Record and monitor abnormal packets.
Make sure packet captures, netflow or connection logs are sent to your SIEM, and look for irregular TCP flag combinations.
Watch for repeated probes from a single source across numerous destination ports.
2. Application-aware stateful firewalls.
Modern stateful firewalls reject odd or malformed TCP packets and block scanning patterns. They also track TCP connection state, which defeats naive scanning methods.
3. Rate-limit and geo-fence
Rate-limit connection attempts and block suspicious geolocations as appropriate for your business. This limits the effectiveness of scanning.
4. IDS/IPS & anomaly detection
Configure IDS/IPS (and cloud-native security controls) to alert on packets with FIN+PSH+URG all set (or other odd flag combinations). Many systems ship default signatures for Xmas/NULL/FIN scans.
5. Harden OS network stacks
Follow vendor hardening recommendations and apply OS/network stack updates promptly; many modern kernels already behave in ways that make XMAS logic unreliable for attackers.
6. Deploy honeypots / deception
Low-interaction honeypots can identify scanners and yield information on scanning behaviour without jeopardizing production systems.
7. Incident playbook
Plan ahead: when such packets are detected, preserve packet captures, block the malicious IP addresses at the edge and determine whether the probes were reconnaissance for a targeted campaign.
What XMAS scan logs look like (high level)
Patterns you can observe include: many short-lived TCP packets from a single sender IP to many destination ports; packet flags of FIN+PSH+URG or similar; little or no payload; and mostly no reply, with occasional RSTs. Correlate with other telemetry (failed login attempts, web scanner signatures, or user-reported anomalies) before concluding malicious intent.
(Ideally, forward packet captures to your SOC or forensic team for further analysis.)
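The indicators just listed translate directly into a detection rule. The following Python is an added example (not from this article) that parses constructed tcpdump-style lines, tallies FIN+PSH+URG, NULL and FIN probes per source and target, flags a source once it has hit a threshold of distinct ports, and records whether each port answered with a RST (closed) or stayed silent (open or filtered, the ambiguity described above). The log layout, the sample addresses and the port threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines in a simplified tcpdump-like layout (not a real capture):
# 10.0.0.5 sends FIN+PSH+URG probes to five ports, two of which answer with RST;
# 10.0.0.9 performs an ordinary three-way handshake and must not be flagged.
SAMPLE_LOG = """\
2025-01-10T10:00:00.000 10.0.0.5.40001 > 192.168.1.20.22 Flags [FPU]
2025-01-10T10:00:00.010 192.168.1.20.22 > 10.0.0.5.40001 Flags [R.]
2025-01-10T10:00:00.020 10.0.0.5.40002 > 192.168.1.20.80 Flags [FPU]
2025-01-10T10:00:00.040 10.0.0.5.40003 > 192.168.1.20.443 Flags [FPU]
2025-01-10T10:00:00.060 10.0.0.5.40004 > 192.168.1.20.8080 Flags [FPU]
2025-01-10T10:00:00.070 192.168.1.20.8080 > 10.0.0.5.40004 Flags [R.]
2025-01-10T10:00:00.080 10.0.0.5.40005 > 192.168.1.20.3306 Flags [FPU]
2025-01-10T10:00:01.000 10.0.0.9.51000 > 192.168.1.20.443 Flags [S]
2025-01-10T10:00:01.010 192.168.1.20.443 > 10.0.0.9.51000 Flags [S.]
2025-01-10T10:00:01.020 10.0.0.9.51000 > 192.168.1.20.443 Flags [.]
"""
LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+) Flags \[(?P<flags>[^\]]*)\]")
# tcpdump flag letters: S=SYN, F=FIN, P=PSH, U=URG, R=RST, .=ACK
ODD_COMBOS = {frozenset("FPU"): "xmas", frozenset(): "null", frozenset("F"): "fin"}

def classify_flags(flags):
    """Return 'xmas', 'null' or 'fin' for a probe-style flag string, else None."""
    present = frozenset(flags)
    if present & frozenset("SR."):  # SYN, RST or ACK present: normal traffic or a reply
        return None
    return ODD_COMBOS.get(present)

def detect_odd_flag_scans(log_text, min_ports=5):
    """Report sources that send odd-flag probes to >= min_ports ports on one host.
    A RST coming back marks the port closed; silence stays 'open|filtered'."""
    probes = defaultdict(lambda: defaultdict(dict))  # src -> dst -> {dport: kind}
    resets = set()                                   # (prober, target, port) that answered RST
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if "R" in m["flags"]:  # a reset travelling back to the prober
            resets.add((m["dst"], m["src"], int(m["sport"])))
            continue
        kind = classify_flags(m["flags"])
        if kind:
            probes[m["src"]][m["dst"]][int(m["dport"])] = kind
    findings = []
    for src, targets in probes.items():
        for dst, ports in targets.items():
            if len(ports) >= min_ports:
                states = {p: ("closed" if (src, dst, p) in resets else "open|filtered") for p in ports}
                findings.append({"src": src, "dst": dst, "kinds": sorted(set(ports.values())), "ports": states})
    return findings
```

Run `detect_odd_flag_scans(SAMPLE_LOG)` to see the single finding for 10.0.0.5; the handshake from 10.0.0.9 produces nothing, which is the point of excluding SYN, RST and ACK from the probe classification.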
Legal and ethical aspects.
Port scanning cuts both ways: legitimate security teams scan networks they own, or have authority over, to determine exposure, and attackers scan to find vulnerabilities. Scanning systems without authorization to test them may be unlawful in numerous jurisdictions and can lead to civil or criminal liability. Written approval (a scope and rules of engagement) should always be obtained before conducting any security scans.
If you want to learn, use legal labs (TryHackMe, Hack The Box, VulnHub), formal penetration-testing exercises, or capture-the-flag events.
Key takeaways for network owners.
Treat an XMAS scan as one indicator among many, not as evidence of compromise.
Harden network edges with stateful firewalls and modern IDS/IPS.
Watch for non-standard TCP flag combinations and rapid port probing.
Keep systems patched and follow vendor hardening recommendations.
Maintain incident response playbooks that cover reconnaissance detection, evidence capture, and legal/forensic escalation.