top of page


Have You Ever Heard of Christmas Scan?

Speaking of December, there's Christmas. It's been a long time since Santa stopped visiting me, but the glittering cityscapes this time of year have a certain charm, don't they?

As the title suggests, there's something Christmas-related in IT too. Have you ever heard of a "Christmas (Tree) Scan"? It's a name for a type of network attack. There are all sorts of interesting jargon among techies.

This time, I want to write a bit about this Christmas Scan.

What is a Christmas Scan?

There are various names for it, like Christmas Scan or Christmas Tree Attack. It all comes down to the control flags in packets. Attackers typically use stealth scanning methods for port scanning to avoid detection, and this is one of those methods.

In packets (talking about TCP here), there's a 6-bit section for control flags, which are used to control connections. You might be familiar with ACK and SYN flags. The Christmas Scan uses three of these flags:

URG (Urgent) - Indicates the data needs to be processed urgently (as a priority).

PSH (Push) - Tells the system to pass the data immediately to the upper layers without buffering.

RST (Reset) - Forces to disconnect.

You might not be familiar with these flags, except for RST. The Christmas Scan involves setting these three flags to '1' and sending it as the initial packet to observe the target's response.

Why ‘Christmas’?

As mentioned, it's because all three flags are set. But you might wonder what it has to do with Christmas. Actually, you need to capture the packet and visualize it with a tool like Wireshark.

The flags part is colourful. Additionally, the structure of the flags resembles the right half of a tree, sort of a conical shape. So, it looks like a decorated tree.

⬇ Like this

Do you see it?

Why could this be an attack?

It's more of a type of port scan than an attack, so it's more accurate to say it's 'preparation for an attack'.

As you know, TCP packets usually follow a 3-way handshake sequence like SYN ACK FIN. But what happens if a packet outside of this state sequence arrives?

If the corresponding port is open:

The behavior varies depending on the OS, but generally, if it's not something like SYN, and the port is open, there's usually no response. The lack of response indicates that the port is open, which can be easily known by a third party.

If the corresponding port is not open:

In this case, since it's unauthorized, an RST packet is typically returned. However, this also lets the sender know the port is closed.

Interestingly, in Windows, it seems to respond with RST regardless of whether it's open or closed, potentially revealing the OS. Also, depending on the Firewall or UTM, the behavior, like whether to throw an RST or not, can vary. So, combined with other attacks, there's a risk that open ports might be revealed.

This blog post is translated from a blog post written by Kawa Ken on our Japanese website Beyond Co..

bottom of page