Are you safe from scanning?

Jim Reavis
Network World on Security, 09/08/99

We have an epidemic of port scanning occurring on the Internet now. The port scanning tools are so fast, robust and widely available that if you have devices on the Internet right now, they probably have been scanned already. What are the different types of port scans, how worried should you be and what can you do about it?

Port scanning is the technique of attempting to find listening TCP or UDP ports on an IP device and abstracting from the listening ports as much information as possible about the device. Port scanning in and of itself is not usually harmful but it lets potential crackers fingerprint your systems, learn everything they can about your possible vulnerabilities and set themselves up for a later intrusion. For example, if a port scan shows that the device is listening on port 23, the cracker knows that Telnet is likely enabled on the device and can attempt a brute force password guessing attack later.

As in much of the security industry, detecting port scans has become a virtual arms race between the best crackers and intrusion-detection vendors. Port scanning techniques have become very sophisticated, in part by creating and transmitting unusual TCP/IP packets and sequences. While firewalls and intrusion-detection software are generally very good at detecting and blocking port scans that use normal packets and sequences, not all TCP/IP stacks perform the same error handling for malformed packets. This can let a scan avoid detection or even leave the device in an unstable state. Here are some of the scanning techniques hackers are using, which you can use as a checklist to make sure your security software is catching probes of your network:

Basic scanning - This uses TCP connect to attempt to open a full connection to a specific port on the host system. This type of scan should be detected by your target systems, and is the type of scan used by a "script kiddie." At a minimum, your firewall should detect several connection attempts from a basic scan and should provide appropriate logging and countermeasures.

Stealth scanning - Some unique scanning techniques exist to test for open ports on a targeted system without being logged and thus escape the notice of the systems administrator. TCP SYN and FIN scanning are techniques that evade many but not necessarily all detection systems. SYN scanning is a technique whereby you do not complete the connection to an open port, so hosts will quite often not log the attempt, even though they divulged an open port. Normally, one opens up a TCP connection as follows:

Client => SYN => Host
Client <= SYN|ACK (if open) or RST (if closed) <= Host
Client => ACK => Host

With a SYN, or "half open" scan, rather than sending an ACK to complete the connection, the client can send an RST, which will cause most hosts to avoid logging the attempt. The famous SYN denial of service attacks in the past used the technique of sending volumes of SYN packets to a target, without sending the proper ACK response, to consume resources with "half open" connections.

The other stealth techniques use FIN, NULL or XMAS packets in the opposite fashion. Sending these types of packets to a closed port on the target will result in an RST response, while an open port will drop these packets. By identifying the closed ports, the open ports can then be extrapolated.
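The flag combinations above are exactly what a detector on the defending side keys on. The following is an added example, not code from the original article: it takes a constructed log of inbound packets to one protected host, labels each packet by its TCP flags (SYN, FIN, NULL, XMAS), and tells a completed connect scan (SYN followed by ACK) apart from a half-open scan (SYN followed by RST). Addresses, ports and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed inbound packet log for one protected host: each entry is
# (source address, destination port, TCP flags set on the packet).
# Flag letters follow the usual tcpdump/iptables style:
# S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG.
INBOUND = [
    # 198.51.100.5 completes the handshake on each port: a plain connect() scan
    ("198.51.100.5", 21, "S"), ("198.51.100.5", 21, "A"),
    ("198.51.100.5", 22, "S"), ("198.51.100.5", 22, "A"),
    ("198.51.100.5", 80, "S"), ("198.51.100.5", 80, "A"),
    # 203.0.113.7 answers each SYN|ACK with RST instead of ACK: a half-open (SYN) scan
    ("203.0.113.7", 22, "S"), ("203.0.113.7", 22, "R"),
    ("203.0.113.7", 25, "S"), ("203.0.113.7", 25, "R"),
    ("203.0.113.7", 80, "S"), ("203.0.113.7", 80, "R"),
    ("203.0.113.7", 443, "S"), ("203.0.113.7", 443, "R"),
    # 203.0.113.9 sends FIN, NULL and XMAS packets with no handshake at all
    ("203.0.113.9", 23, "F"), ("203.0.113.9", 25, ""),
    ("203.0.113.9", 110, "FPU"), ("203.0.113.9", 143, "F"),
    # 192.0.2.44 is an ordinary web client: one port, full handshake, data, FIN
    ("192.0.2.44", 80, "S"), ("192.0.2.44", 80, "A"), ("192.0.2.44", 80, "PA"),
    ("192.0.2.44", 80, "A"), ("192.0.2.44", 80, "FA"),
]


def classify_flags(flags):
    """Label a packet by the flag combination a scanner would use.

    A lone SYN is the start of either a connect or a half-open scan;
    FIN-only, no flags (NULL) and FIN|PSH|URG (XMAS) never occur at the
    start of a legitimate connection.
    """
    f = set(flags)
    if f == {"S"}:
        return "syn"
    if not f:
        return "null"
    if f == {"F", "P", "U"}:
        return "xmas"
    if f == {"F"}:
        return "fin"
    return "other"


def summarize(packets):
    """Per source, collect the distinct ports touched by each probe type.

    A SYN is held as pending until the same source sends either an ACK
    (handshake completed: connect scan) or an RST (handshake aborted:
    half-open scan) to that port. FIN/NULL/XMAS packets are grouped as
    'stealth' since they share the same closed-port/RST inference.
    """
    ports = defaultdict(lambda: defaultdict(set))  # src -> kind -> {ports}
    syn_pending = {}                                # (src, port) -> True
    for src, dport, flags in packets:
        kind = classify_flags(flags)
        key = (src, dport)
        if kind == "syn":
            syn_pending[key] = True
        elif flags == "A" and syn_pending.pop(key, False):
            ports[src]["connect"].add(dport)
        elif flags == "R" and syn_pending.pop(key, False):
            ports[src]["half_open"].add(dport)
        elif kind in ("fin", "null", "xmas"):
            ports[src]["stealth"].add(dport)
    return ports


def flag_scanners(packets, min_ports=3):
    """Report sources that probed at least min_ports distinct ports with
    any one technique. The threshold is a constructed example value."""
    findings = {}
    for src, kinds in summarize(packets).items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in flag_scanners(INBOUND).items():
        print(src, hits)
```

The point of tracking the SYN as pending is that a half-open scan and a legitimate client look identical until the third packet arrives; only the RST in place of the ACK separates them, which is why a host that logs only completed connections never sees the half-open probe.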

Slow scanning - Many port scans are detected due to the fact that several packets are sent in a very short period of time. By sending as little as a packet or two a day, often from different source addresses, it is virtually impossible to detect slow scans without also having a number of false positives. Sophisticated data mining of log files is needed to have a chance at finding these attempts.

Fragmentation scanning - This is a very inventive scanning technique, which also can have very unpredictable results. The stealth scanning techniques transmit normal TCP packets using abnormal sequencing to avoid detection. This technique creates abnormally small TCP packets by splitting the TCP header into fragments. Some IP stacks can reassemble this normally, some let these packets sneak through and others simply crash.

UDP scanning - This has traditionally been harder to perform, because UDP has no handshake and an open UDP port is not required to send anything back. However, there may be several UDP-based applications we are interested in discovering and disabling (just look at /etc/services). Ingeniously, UDP scanning works by testing for closed ports, as hosts will send an ICMP_PORT_UNREACH error when packets are sent to closed UDP ports. Again, open ports are learned by extrapolation.
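Both the slow-scan paragraph above and the UDP-scan paragraph come down to the same defensive step: mining the firewall log for breadth of ports per remote address rather than for packets per second. This added example (not code from the original article) parses a constructed, iptables-style log, finds a source that touched many ports at a rate of one probe every day or two, shows that an hourly rate threshold would never have caught it, and separately spots a remote address that drew ICMP port-unreachable replies for many UDP ports in a few seconds, which is the closed-port half of a UDP scan. The log format, addresses, windows and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (simplified iptables style). DROP lines are inbound
# probes the host rejected; ICMP lines are port-unreachable replies the host
# itself sent in response to a UDP datagram on a closed port.
LOG = """\
2024-04-01 02:11:09 DROP 203.0.113.7 -> 192.0.2.10 tcp/21
2024-04-02 23:40:51 DROP 203.0.113.7 -> 192.0.2.10 tcp/22
2024-04-04 04:02:13 DROP 203.0.113.7 -> 192.0.2.10 tcp/23
2024-04-05 18:55:30 DROP 203.0.113.7 -> 192.0.2.10 tcp/25
2024-04-07 01:14:02 DROP 203.0.113.7 -> 192.0.2.10 tcp/80
2024-04-09 12:30:45 DROP 203.0.113.7 -> 192.0.2.10 tcp/110
2024-04-11 07:07:07 DROP 203.0.113.7 -> 192.0.2.10 tcp/143
2024-04-12 22:19:58 DROP 203.0.113.7 -> 192.0.2.10 tcp/443
2024-04-03 09:00:00 DROP 198.51.100.20 -> 192.0.2.10 tcp/80
2024-04-10 09:00:00 DROP 198.51.100.20 -> 192.0.2.10 tcp/80
2024-04-06 14:20:00 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/53
2024-04-06 14:20:01 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/69
2024-04-06 14:20:01 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/111
2024-04-06 14:20:02 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/137
2024-04-06 14:20:02 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/161
2024-04-06 14:20:03 ICMP 192.0.2.10 -> 203.0.113.30 port-unreachable udp/514
2024-04-08 10:00:00 ICMP 192.0.2.10 -> 198.51.100.9 port-unreachable udp/33434
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>DROP|ICMP) (?P<src>\S+) -> (?P<dst>\S+)"
    r"(?: port-unreachable)? (?P<proto>tcp|udp)/(?P<port>\d+)$"
)


def parse(log):
    """Turn log lines into (timestamp, kind, src, dst, proto, port) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated line; a real log has many
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["kind"], m["src"], m["dst"], m["proto"], int(m["port"])))
    return events


def breadth_in_window(stamped_ports, window, min_ports):
    """Slide a window over (time, port) pairs; return the sorted set of
    distinct ports if any window holds at least min_ports of them."""
    stamped_ports = sorted(stamped_ports)
    for i, (t0, _) in enumerate(stamped_ports):
        ports = {p for t, p in stamped_ports[i:] if t - t0 <= window}
        if len(ports) >= min_ports:
            return sorted(ports)
    return None


def slow_scanners(events, window=timedelta(days=30), min_ports=5):
    """Sources whose dropped probes cover many distinct ports over a long
    window. Speed is not the signal here; breadth is."""
    by_src = defaultdict(list)
    for ts, kind, src, _dst, _proto, port in events:
        if kind == "DROP":
            by_src[src].append((ts, port))
    found = {src: breadth_in_window(v, window, min_ports) for src, v in by_src.items()}
    return {src: ports for src, ports in found.items() if ports}


def max_probes_per_hour(events, src):
    """Peak number of dropped probes from src in any 60-minute window, the
    quantity a rate-based scan detector would threshold on."""
    times = sorted(ts for ts, kind, s, *_ in events if kind == "DROP" and s == src)
    best = 0
    for i, t0 in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - t0 <= timedelta(hours=1)))
    return best


def udp_scan_sources(events, window=timedelta(minutes=5), min_ports=4):
    """Remote addresses that received port-unreachable replies for many
    distinct UDP ports within a short window. A single reply (for example
    the final hop of a traceroute) stays below the threshold."""
    by_remote = defaultdict(list)
    for ts, kind, _src, dst, proto, port in events:
        if kind == "ICMP" and proto == "udp":
            by_remote[dst].append((ts, port))
    found = {d: breadth_in_window(v, window, min_ports) for d, v in by_remote.items()}
    return {d: ports for d, ports in found.items() if ports}


if __name__ == "__main__":
    ev = parse(LOG)
    print("slow scanners:", slow_scanners(ev))
    print("peak probes/hour from 203.0.113.7:", max_probes_per_hour(ev, "203.0.113.7"))
    print("UDP scan sources:", udp_scan_sources(ev))
```

The same breadth-over-time helper serves both cases; only the window length differs (weeks for a slow TCP scan, minutes for a burst of UDP probes). In production the DROP lines would come from a long retention of firewall logs, since a thirty-day window cannot be evaluated against a log that is rotated weekly.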

Ident scanning - The ident protocol reveals the owner of services running via TCP. Attackers can query identd on your system to find which user privileges a process is running under. By doing this, they may find daemons running as root, which would be more attractive targets to attempt buffer overflow attacks against.

What can be done about port scan attempts? Are they illegal? Most scanning attempts are not much more than pings and are analogous to a bank robber casing the local branch. No crime has been committed yet. Even a fragmentation scan that crashes a device is not likely to reveal clues about who did it and provide legal recourse. ISPs are generally unaware of port scans originating from their networks, but will often try to track down and cancel accounts of users if you can provide fairly detailed information out of your log files for them. However, it is pretty easy for the attacker to move on and attack you from another location, even an address of an innocent third party. It is good to be on guard for port scans as an early warning sign of an attack. However, you can't prevent the port scan itself, and it is probably the best use of your resources to secure your systems as much as possible, so the scanner does not find an attractive target.

RELATED LINKS

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

SecurityPortal.com Scanner & Assessment Tools listing

The Art of Port Scanning

Hacker-thwarting tools to abound at N+I show
Network World, 05/03/99

Network Ice to put the freeze on hackers
Network World, 04/12/99

Hacker arsenals feature new weapons
Network World, 03/22/99
