We have an epidemic of port scanning occurring on the Internet now. The port scanning tools are so fast, robust and widely available that if you have devices on the Internet right now, they probably have been scanned already. What are the different types of port scans, how worried should you be and what can you do about it?
Port scanning is the technique of attempting to find listening TCP or UDP ports on an IP device and extracting from those listening ports as much information as possible about the device. Port scanning in and of itself is not usually harmful, but it lets potential crackers fingerprint your systems, learn everything they can about your possible vulnerabilities and set themselves up for a later intrusion. For example, if a port scan shows that the device is listening on port 23, the cracker knows that Telnet is likely enabled on the device and can attempt a brute-force password-guessing attack later.
As in much of the security industry, detecting port scans has become a virtual arms race between the best crackers and the intrusion-detection vendors. Port scanning techniques have become very sophisticated, in part by creating and transmitting unusual TCP/IP packets and sequences. While firewalls and intrusion-detection software are generally very good at detecting and blocking port scans that use normal packets and sequences, not all TCP/IP stacks perform the same error handling for malformed packets. Malformed packets can therefore slip past detection or even leave the target device in an unstable state. Here are some of the scanning techniques hackers are using, which you can use as a checklist to make sure your security software is catching probes of your network:
Basic scanning - This uses TCP connect to attempt to open a full connection to a specific port on the host system. This type of scan should be detected by your target systems, and is the type of scan used by a "script kiddie." At a minimum, your firewall should detect the several connection attempts a basic scan produces and should provide appropriate logging and countermeasures.
Stealth scanning - Several scanning techniques exist to test for open ports on a targeted system without being logged, and thus to escape the notice of the systems administrator. TCP SYN and FIN scanning are techniques that evade many, but not necessarily all, detection systems. SYN scanning is a technique whereby you do not complete the connection to an open port, so hosts will quite often not log the attempt, even though they have divulged an open port. Normally, one opens up a TCP connection as follows:
Client => SYN => Host
Client <= SYN|ACK (if open) or RST (if closed) <= Host
Client => ACK => Host
With a SYN, or "half open," scan, rather than sending an ACK to complete the connection, the client sends an RST, which will cause most hosts to avoid logging the attempt. The notorious SYN denial-of-service attacks of the past used the same technique, sending volumes of SYN packets to a target without ever sending the proper ACK, to consume resources with "half open" connections.
The other stealth techniques use FIN, NULL or XMAS packets in the opposite fashion. Sending these types of packets to a closed port on the target will result in an RST response, while an open port will silently drop them. Once the closed ports have been identified, the open ports can be inferred.
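The flag sequences described above are exactly what a defender can look for in captured traffic. The following is an added example, not code from the original article: it classifies each client-to-port exchange as a completed connect, a half-open SYN scan, or a FIN/NULL/XMAS probe, and reports clients that touched several ports without ever completing a handshake. The sample traffic and the IP addresses in it are constructed for the example.

```python
from collections import defaultdict
# Flag letters follow the tcpdump convention: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG.
STEALTH = {"F": "FIN scan", "": "NULL scan", "FPU": "XMAS scan"}

def classify_flow(packets):
    """Classify one client<->host exchange on a single port. `packets` is a
    list of (direction, flags) in arrival order; direction is "in" for
    client -> host and "out" for host -> client."""
    inbound = [f for d, f in packets if d == "in"]
    if not inbound:
        return "no client traffic"
    first = "".join(sorted(inbound[0]))
    if "S" not in first:
        # A probe that does not begin with SYN is never a legitimate connection attempt.
        return STEALTH.get(first, "malformed flags")
    outbound = [f for d, f in packets if d == "out"]
    if not outbound or "R" in outbound[0]:
        return "no SYN|ACK (closed or filtered port)"
    # Host answered SYN|ACK. A real client completes with ACK; a half-open scanner
    # tears down with RST, so the application never accepts or logs the connection.
    if any("A" in f and "R" not in f for f in inbound[1:]):
        return "completed connect"
    return "half-open SYN scan"

def scan_report(records, threshold=3):
    """Group (client, port, direction, flags) records into flows, classify each
    and flag clients that probed at least `threshold` distinct ports without
    completing a connection. Returns {client: [(port, verdict), ...]}."""
    flows = defaultdict(list)
    for client, port, direction, flags in records:
        flows[(client, port)].append((direction, flags))
    suspicious = defaultdict(set)
    for (client, port), pkts in flows.items():
        verdict = classify_flow(pkts)
        if verdict != "completed connect":
            suspicious[client].add((port, verdict))
    return {c: sorted(p) for c, p in suspicious.items() if len(p) >= threshold}

# Constructed sample traffic (not from the article): a normal web client, a
# half-open SYN scanner and a FIN/NULL/XMAS scanner, all against one host.
SAMPLE = [
    ("198.51.100.7", 80, "in", "S"), ("198.51.100.7", 80, "out", "SA"), ("198.51.100.7", 80, "in", "A"),
    ("203.0.113.4", 22, "in", "S"), ("203.0.113.4", 22, "out", "SA"), ("203.0.113.4", 22, "in", "R"),
    ("203.0.113.4", 23, "in", "S"), ("203.0.113.4", 23, "out", "SA"), ("203.0.113.4", 23, "in", "R"),
    ("203.0.113.4", 25, "in", "S"), ("203.0.113.4", 25, "out", "R"),
    ("203.0.113.9", 21, "in", "F"), ("203.0.113.9", 21, "out", "R"),  # closed port answers RST
    ("203.0.113.9", 22, "in", "F"),                                   # open port silently drops it
    ("203.0.113.9", 80, "in", "FPU"), ("203.0.113.9", 443, "in", ""),
]
```

Because the host never completes the accept() for a half-open probe, application logs stay empty; this kind of check has to run on packet or firewall data, not on service logs.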
Slow scanning - Many port scans are detected simply because many packets arrive in a very short period of time. If the scanner sends as little as a packet or two a day, often from different source addresses, the scan is virtually impossible to detect without also generating a number of false positives. Sophisticated data mining of log files is needed to have any chance of finding these attempts.
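The kind of log mining a slow scan requires can be shown concretely. This added example (not from the original article) replays constructed firewall deny lines in which one source probes a single port per day for ten days, and counts the distinct ports each source touched within a sliding time window. The log format, addresses and thresholds are all assumptions for the example; a one-hour window, typical of real-time detection state, sees nothing, while a 30-day window exposes the scan.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny log (not from the article): 203.0.113.50 probes one
# port per day for ten days, while 198.51.100.7 is ordinary noise hitting a
# single port twice. Format: "<ISO time> DENY <src> -> <dst>:<port>".
LOG_LINES = [
    f"2019-03-{day:02d}T03:{(7 * day) % 60:02d}:11 DENY 203.0.113.50 -> 192.0.2.10:{20 + day}"
    for day in range(1, 11)
] + [
    "2019-03-04T09:15:02 DENY 198.51.100.7 -> 192.0.2.10:443",
    "2019-03-04T09:15:03 DENY 198.51.100.7 -> 192.0.2.10:443",
]

def parse(line):
    ts, _, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])

def max_ports_in_window(lines, window):
    """For each source, the largest number of distinct destination ports it
    touched within any span of length `window`. Returns {src: count}."""
    by_src = defaultdict(list)
    for line in lines:
        t, src, port = parse(line)
        by_src[src].append((t, port))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Every probe in turn opens a window; count distinct ports inside it.
            ports = {p for t, p in events[i:] if t - start <= window}
            best = max(best, len(ports))
        result[src] = best
    return result

def slow_scanners(lines, window=timedelta(days=30), threshold=5):
    """Sources that hit `threshold` or more distinct ports within `window`.
    A short window sees one packet per day as unrelated events; only a long
    window, kept across many days of logs, reveals the pattern."""
    counts = max_ports_in_window(lines, window)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

Widening the window or lowering the threshold catches slower scans but also sweeps in legitimate clients that hit a few closed ports over a month, which is the false-positive trade-off the text describes.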
Fragmentation scanning - This is a very inventive scanning technique, which also can have very unpredictable results. Where the stealth techniques transmit normal TCP packets in an abnormal sequence to avoid detection, this technique splits the TCP header itself across abnormally small IP fragments. Some IP stacks reassemble these normally, some let the fragments sneak past their filters and others simply crash.
UDP scanning - This has traditionally been harder to perform, because an open UDP port is not required to acknowledge a packet. However, there may be several UDP-based applications we are interested in discovering and disabling (just look at /etc/services). Ingeniously, UDP scanning works by testing for closed ports, as hosts will send an ICMP_PORT_UNREACH error when packets are sent to closed UDP ports. Again, the open ports are learned by extrapolation.
Ident scanning - The ident protocol reveals the owner of services running via TCP. Attackers can query identd on your system to find which user privileges a process is running under. By doing this, they may find daemons running as root, which would be more attractive targets to attempt buffer overflow attacks against.
What can be done about port scan attempts? Are they illegal? Most scanning attempts are not much more than pings and are analogous to a bank robber casing the local branch: no crime has been committed yet. Even a fragmentation scan that crashes a device is not likely to reveal clues about who did it or to provide legal recourse. ISPs are generally unaware of port scans originating from their networks, but will often try to track down and cancel a user's account if you can provide them fairly detailed information from your log files. However, it is pretty easy for the attacker to move on and attack you from another location, even from the address of an innocent third party. It is good to be on guard for port scans as an early warning sign of an attack. However, you can't prevent the port scan itself, and it is probably the best use of your resources to secure your systems as much as possible, so that the scanner does not find an attractive target.