My router is reporting multiple and periodic occurrences of probing by brute force. As far as I know, all ports are stealth. Should I be alarmed by this activity?
What you are seeing is your router recording port requests from a scanner. Port scanning is one of the most popular information gathering methods hackers use. Unfortunately, it is very easy to perform and all Internet-connected devices will be probed at some point.
Port scanners are software that identifies which ports and services are open on an Internet-connected device. The scanner sends a connection request to the target computer on all 65536 ports, and records which ports respond and how. The type of response received indicates whether the port is in use. The general objective of a port scan is to map out the system's operating system and the applications and services it is running. A hacker can then test for vulnerabilities within the applications and plan an attack. So, how can you protect against port scans?
Your firewall can reply to a port scan in three ways: Open, closed or no response. If a port is open, or listening, it will respond to the request. A closed port will respond with a message indicating that it received the open request, but denied it. This way, when a genuine system sends an open request, it knows the request was received and there's no need to keep retrying. However, this response also reveals that there is a computer behind the IP address scanned, and therefore, the third option is to not respond to the request at all. In this case, if a port is blocked or in "stealth mode," the firewall will not respond to the port scanner. Interestingly however, blocked ports actually violate the TCP/IP rules of conduct and therefore, your firewall has to suppress the computer's closed port replies. You may find that your firewall has not blocked all of your ports anyway. For example, if port 113, used by the Identification Protocol, is completely blocked, connections to some remote Internet servers, such as Internet Relay Chat (IRC), may be delayed or denied altogether. For this reason, many firewalls set port 113 to "closed" instead of blocking it completely.
Additionally, some firewalls now use "adaptive behavior," which means they will block previously open and closed ports if a suspect IP address is probing them. They can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting the port scan in strobe or stealth mode. In strobe mode, hackers can only scan a small number of ports at a time, but in stealth mode, they can scan the ports over a much longer period, which reduces the chance that the firewall will trigger an alert.
In order to decide whether your computer is at risk, you should find out what an attacker would see in a port scan of your router. You could do this using Nmap, a free port scanner that hackers often use. Once you find out what ports respond as being open on your computer, you can review whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to and apply the appropriate patches to protect your network.
Dig deeper on Network Behavior Anomaly Detection (NBAD)
Related Q&A from Michael Cobb
Expert Michael Cobb explains how password change frequency and reuse for third-party apps should be addressed in enterprise password policies.continue reading
Learn how a Web-based free spam-filtering service can secure email and prevent spam from attacking your enterprise.continue reading
Do you know some of the best third-party patch deployment tools? See expert Michael Cobb's recommendations on which tools would work best for your ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.