Ask The Security Expert: Questions & Answers

How to protect against port scans

EXPERT RESPONSE FROM: Michael Cobb, featured expert

QUESTION POSED ON: 07 June 2006
My router is reporting multiple and periodic occurrences of probing by brute force. As far as I know, all ports are stealth. Should I be alarmed by this activity?

What you are seeing is your router recording port requests from a scanner. Port scanning is one of the most popular information gathering methods hackers use. Unfortunately, it is very easy to perform and all Internet-connected devices will be probed at some point.

Port scanners are software that identifies which ports and services are open on an Internet-connected device. The scanner sends a connection request to the target computer on all 65536 ports, and records which ports respond and how. The type of response received indicates whether the port is in use. The general objective of a port scan is to map out the system's operating system and the applications and services it is running. A hacker can then test for vulnerabilities within the applications and plan an attack. So, how can you protect against port scans?

Your firewall can reply to a port scan in three ways: open, closed or no response. If a port is open, or listening, it will respond to the request. A closed port will respond with a message indicating that it received the open request, but denied it. This way, when a genuine system sends an open request, it knows the request was received and there's no need to keep retrying. However, this response also reveals that there is a computer behind the IP address scanned, and therefore, the third option is to not respond to the request at all. In this case, if a port is blocked or in "stealth mode," the firewall will not respond to the port scanner. Interestingly, however, blocked ports actually violate the TCP/IP rules of conduct and therefore, your firewall has to suppress the computer's closed port replies. You may find that your firewall has not blocked all of your ports anyway. For example, if port 113, used by the Identification Protocol, is completely blocked, connections to some remote Internet servers, such as Internet Relay Chat (IRC), may be delayed or denied altogether. For this reason, many firewalls set port 113 to "closed" instead of blocking it completely.

Additionally, some firewalls now use "adaptive behavior," which means they will block previously open and closed ports if a suspect IP address is probing them. They can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting the port scan in strobe or stealth mode. In strobe mode, hackers can only scan a small number of ports at a time, but in stealth mode, they can scan the ports over a much longer period, which reduces the chance that the firewall will trigger an alert.

In order to decide whether your computer is at risk, you should find out what an attacker would see in a port scan of your router. You could do this using Nmap, a free port scanner that hackers often use. Once you find out what ports respond as being open on your computer, you can review whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to and apply the appropriate patches to protect your network.
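
The alerting behavior described above (connection requests across a broad range of ports from a single host) can be sketched as follows. This is an added example, not part of the original answer: it counts distinct ports per source inside a time window and shows why a scan spread over hours escapes a short window. The log format, addresses and thresholds are constructed assumptions, not any particular firewall's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET = "192.0.2.1"  # constructed; RFC 5737 documentation address

def build_sample_log():
    """Constructed firewall log: '<ISO time> <action> <src> -> <dst>:<port>'."""
    t0 = datetime(2006, 6, 7, 12, 0, 0)
    def entry(offset, action, src, port):
        return f"{(t0 + offset).isoformat()} {action} {src} -> {TARGET}:{port}"
    lines = []
    for i in range(30):
        # Fast sweep: 30 different ports in 30 seconds.
        lines.append(entry(timedelta(seconds=i), "DROP", "198.51.100.7", 20 + i))
        # Slow sweep: 30 different ports, one every 10 minutes.
        lines.append(entry(timedelta(minutes=10 * i), "DROP", "203.0.113.9", 1000 + i))
        # Ordinary client: the same port over and over.
        lines.append(entry(timedelta(seconds=5 * i), "ACCEPT", "198.51.100.50", 443))
    return sorted(lines)  # same-format ISO timestamps sort chronologically

def parse(line):
    ts, _action, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, int(dst.rsplit(":", 1)[1])

def detect_scanners(lines, window, min_ports):
    """Sources that requested >= min_ports distinct ports within `window`."""
    recent = defaultdict(deque)  # src -> (time, port) events still inside the window
    flagged = set()
    for ts, src, port in map(parse, lines):
        events = recent[src]
        events.append((ts, port))
        while ts - events[0][0] > window:  # expire events older than the window
            events.popleft()
        if len({p for _, p in events}) >= min_ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window :", sorted(detect_scanners(log, timedelta(seconds=60), 15)))
    print("6 h window  :", sorted(detect_scanners(log, timedelta(hours=6), 15)))
```

The longer window catches the slow sweep at the cost of keeping more per-source state, which is the trade-off a detection threshold has to balance.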

All Rights Reserved, Copyright 2003 - 2009, TechTarget