Which statement best describes the meaning of a TCP SYN scan being 'half-open'?

Study for the Penetration Testing and Vulnerability Analysis Exam. Prepare with flashcards and multiple choice questions, complete with hints and explanations. Ace your exam with our comprehensive resources!

Multiple Choice

Which statement best describes the meaning of a TCP SYN scan being 'half-open'?

Explanation:
Half-open means the handshake is never completed. In TCP, a normal connection uses three steps: SYN, SYN-ACK, then ACK to establish it. A SYN scan sends a SYN to a port and watches the response. If the port is open, the host replies with SYN-ACK, but the scanner does not send the final ACK; it often tears the connection down with a reset. If the port is closed, the host typically replies with a reset to the SYN. Because the final step of establishing a full connection is never performed, the connection remains half-open. This method lets you determine port status without fully opening TCP sessions, making it faster and less conspicuous. The other statements either reference different protocols, claim a full handshake, or describe actions unrelated to the scan.
