The term half-open refers to
TCP connections whose state is out of synchronization between the two communicating hosts, possibly due to a crash of one side. A connection which is in the process of being established is also known as embryonic connection. The lack of synchronization could be due to
malicious intent.
RFC 793
According t
RFC 793 a TCP connection is referred to as ''half-open'' when the host at one end of that TCP connection has crashed, or has otherwise removed the socket without notifying the other end. If the remaining end is idle, the connection may remain in the half-open state for unbounded periods of time.
Stateful Firewall Timeout
Another circumstance that can lead to half-open connections is if a
stateful firewall
In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in n ...
times out a connection that is idle for too long. In this case, the firewall clears its internal state, and if either side of the connection sends a packet, the firewall will drop the packet. This will often result in a half-open connection as the two sides of the connection can end up with inconsistent connection states.
Embryonic connection
The term ''half-open connection'' can also be used to describe an embryonic connection, i.e. a
TCP connection that is in the process of being established.
TCP has a
three state system for opening a connection. First, the originating endpoint (A) sends a
SYN packet to the destination (B). A is now in an embryonic state (specifically, SYN_SENT), and awaiting a response. B now updates its kernel information to indicate the incoming connection from A, and sends out a request to open a channel back (the
SYN/ACK packet).
At this point, B is also in an embryonic state (specifically, SYN_RCVD). Note that B was put into this state by another machine, outside of B's control.
Under normal circumstances (see
denial-of-service attack
In computing, a denial-of-service attack (DoS attack) is a cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host co ...
for deliberate failure cases), A will receive the SYN/ACK from B, update its tables (which now have enough information for A to both send and receive), and send a final ACK back to B.
Once B receives this final ACK, it also has sufficient information for two-way communication, and the connection is fully open. Both endpoints are now in an established state.
See also
*
SYN flood
A SYN flood is a form of denial-of-service attack on data communications in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, wh ...
*
SYN cookies
*
Stateful firewall
In computing, a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering, is a security feature often used in n ...
References
*Twingate. (n.d.). ''What is a TCP Half Open Scan?''. Retrieved May 2, 2025, fro
https://www.twingate.com/blog/glossary/tcp-half-open-scan)
*Palo Alto Networks. (n.d.). ''TCP Half Closed and TCP Time Wait Timers''. Retrieved May 2, 2025, fro
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/tcp/tcp-half-closed-and-tcp-time-wait-timers)
*Sanchit Gurukul. (n.d.). ''Understanding TCP Half-Open Connections''. Retrieved May 2, 2025, fro
https://sanchitgurukul.com/understanding-tcp-half-open-connections)
Transmission Control Protocol, Half-Open
{{refend
External links
Transmission Control Protocol DARPA Internet Program Protocol Specification