{{Short description|TCP connection state}} {{More citations needed|date=March 2026}} The term '''half-open''' refers to TCP connections whose state is out of synchronization between the two communicating hosts, possibly due to a crash of one side. A connection which is in the process of being established is also known as '''embryonic connection'''. The lack of synchronization could be due to malicious intent.
== RFC 793 == A TCP connection is referred to as ''half-open'' when the host at one end of that TCP connection has crashed, or has otherwise removed the socket without notifying the other end.<ref>{{Cite IETF |author=Postel, J. |title=Transmission Control Protocol |type=RFC |number=793 |series=RFC |date=September 1981 |doi=10.17487/RFC0793 |publisher=Internet Engineering Task Force }}</ref> If the remaining end is idle, the connection may remain in the half-open state for unbounded periods of time.
== Stateful Firewall Timeout == Another circumstance that can lead to half-open connections is if a stateful firewall times out a connection that is idle for too long. In this case, the firewall clears its internal state, and if either side of the connection sends a packet, the firewall will drop the packet. This will often result in a half-open connection as the two sides of the connection can end up with inconsistent connection states.
== Embryonic connection == The term ''half-open connection'' can also be used to describe an '''embryonic connection''', i.e. a TCP connection that is in the process of being established.
TCP has a three state system for opening a connection. First, the originating endpoint (A) sends a SYN packet to the destination (B). A is now in an embryonic state (specifically, SYN_SENT), and awaiting a response. B now updates its kernel information to indicate the incoming connection from A, and sends out a request to open a channel back (the SYN/ACK packet).
At this point, B is also in an embryonic state (specifically, SYN_RCVD). Note that B was put into this state by another machine, outside of B's control.
Under normal circumstances (see denial-of-service attack for deliberate failure cases), A will receive the SYN/ACK from B, update its tables (which now have enough information for A to both send and receive), and send a final ACK back to B.
Once B receives this final ACK, it also has sufficient information for two-way communication, and the connection is fully open. Both endpoints are now in an established state.
== See also == * SYN flood * SYN cookies * Stateful firewall
== References == {{reflist}}
== External links == *Twingate. (n.d.). ''What is a TCP Half Open Scan?''. Retrieved May 2, 2025, from [https://www.twingate.com/blog/glossary/tcp-half-open-scan](https://www.twingate.com/blog/glossary/tcp-half-open-scan) *Palo Alto Networks. (n.d.). ''TCP Half Closed and TCP Time Wait Timers''. Retrieved May 2, 2025, from [https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/tcp/tcp-half-closed-and-tcp-time-wait-timers](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/tcp/tcp-half-closed-and-tcp-time-wait-timers) *Sanchit Gurukul. (n.d.). ''Understanding TCP Half-Open Connections''. Retrieved May 2, 2025, from [https://sanchitgurukul.com/understanding-tcp-half-open-connections](https://sanchitgurukul.com/understanding-tcp-half-open-connections)
Half-Open