TCP half-open
The term half-open refers to TCP connections whose state is out of synchronization between the two communicating hosts, possibly due to a crash of one side. A connection which is in the process of being established is also known as an embryonic connection. The lack of synchronization could be due to malicious intent.
RFC 793
A TCP connection is referred to as half-open when the host at one end of that TCP connection has crashed, or has otherwise removed the socket without notifying the other end.[1] If the remaining end is idle, the connection may remain in the half-open state for unbounded periods of time.
Stateful Firewall Timeout
Another circumstance that can lead to half-open connections is if a stateful firewall times out a connection that is idle for too long. In this case, the firewall clears its internal state, and if either side of the connection sends a packet, the firewall will drop the packet. This will often result in a half-open connection as the two sides of the connection can end up with inconsistent connection states.
Embryonic connection
The term half-open connection can also be used to describe an embryonic connection, i.e. a TCP connection that is in the process of being established.
TCP opens a connection with a three-step exchange (the three-way handshake). First, the originating endpoint (A) sends a SYN packet to the destination (B). A is now in an embryonic state (specifically, SYN_SENT) and awaits a response. B now updates its kernel information to indicate the incoming connection from A, and sends out a request to open a channel back (the SYN/ACK packet).
At this point, B is also in an embryonic state (specifically, SYN_RCVD). Note that B was put into this state by another machine, outside of B's control.
Under normal circumstances (see denial-of-service attack for deliberate failure cases), A will receive the SYN/ACK from B, update its tables (which now have enough information for A to both send and receive), and send a final ACK back to B.
Once B receives this final ACK, it also has sufficient information for two-way communication, and the connection is fully open. Both endpoints are now in an established state.
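The following is an added example, not part of the original article: it counts sockets in the two embryonic states per remote peer from a Linux /proc/net/tcp table, which is how a defender can see how many SYN_RCVD entries other machines have placed on host B. The sample table, the function names and the threshold are constructed for illustration, and the address decoding assumes the little-endian hex layout Linux prints on x86 hosts.

```python
import socket
import struct
from collections import Counter

# Linux state codes for the two embryonic states described above
# (Linux names 03 "SYN_RECV"; the article's spelling SYN_RCVD is used here).
EMBRYONIC = {"02": "SYN_SENT", "03": "SYN_RCVD"}

# Constructed sample in /proc/net/tcp layout (documentation addresses, not real data).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100000A:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100000A:01BB 0A00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100000A:01BB 070200C0:9C41 03 00000000:00000000 01:00000064 00000001     0        0 0
   3: 0100000A:01BB 070200C0:9C42 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0100000A:01BB 070200C0:9C43 03 00000000:00000000 01:00000064 00000002     0        0 0
   5: 0100000A:01BB 096433C6:D431 03 00000000:00000000 01:00000064 00000000     0        0 0
   6: 0100000A:E000 0A00000A:0016 02 00000001:00000000 01:00000032 00000001  1000        0 1003
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port); IP is little-endian hex (assumption)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def embryonic_by_peer(table):
    """Count SYN_SENT / SYN_RCVD sockets per remote IP in a /proc/net/tcp table."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        # Data rows start with an index such as '0:'; the header row does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        state = EMBRYONIC.get(fields[3])
        if state:
            counts[(state, decode_endpoint(fields[2])[0])] += 1
    return counts

def noisy_sources(table, threshold):
    """Remote IPs holding at least `threshold` SYN_RCVD entries (threshold is hypothetical)."""
    return sorted(ip for (state, ip), n in embryonic_by_peer(table).items()
                  if state == "SYN_RCVD" and n >= threshold)

if __name__ == "__main__":
    for (state, ip), n in sorted(embryonic_by_peer(SAMPLE).items()):
        print(f"{state:9} {ip:15} {n}")
    print("over threshold:", noisy_sources(SAMPLE, 3))
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp instead of SAMPLE.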
References
- [1] Postel, J. (September 1981). Transmission Control Protocol. RFC 793. Internet Engineering Task Force. doi:10.17487/RFC0793.
External links
- Twingate. (n.d.). What is a TCP Half Open Scan?. Retrieved May 2, 2025, from https://www.twingate.com/blog/glossary/tcp-half-open-scan
- Palo Alto Networks. (n.d.). TCP Half Closed and TCP Time Wait Timers. Retrieved May 2, 2025, from https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/tcp/tcp-half-closed-and-tcp-time-wait-timers
- Sanchit Gurukul. (n.d.). Understanding TCP Half-Open Connections. Retrieved May 2, 2025, from https://sanchitgurukul.com/understanding-tcp-half-open-connections