Port scans, which are used to determine if ports on a network are open to receive packets from other devices, can be beneficial to security teams to help shore up defenses. But the process can also be used by malicious actors trying to find vulnerable ports to attack.
Before digging into what port scan attacks are and how to prevent and defend against them, let's look at what ports and port scanning are.
A port is a communication endpoint through which units of data, known as packets, flow. Transport layer protocols use port numbers to deliver packets to the right process on a host. The two most widely used transport layer protocols are Transmission Control Protocol (TCP), a connection-oriented protocol that requires an established connection (the three-way handshake) before data is sent, and User Datagram Protocol (UDP), a connectionless protocol that does not require a two-way connection to be established before communication begins.
Each port used by TCP and UDP is associated with a specific process or service. Port numbers, which range from 0 to 65535, are standardized across network-connected devices by the Internet Assigned Numbers Authority (IANA). Port 0 is reserved in TCP/IP networking and should not be used as a source or destination in TCP or UDP messages. Ports 1 through 1023 are the well-known ports, used as the defaults for core internet protocols.
Port numbers in the range of 1024 to 49151 are the registered ports, which IANA assigns on request to specific protocols and applications. Ports in the range of 49152 through 65535 are dynamic, or ephemeral, ports that hosts pick as needed for the client side of outbound connections.
Some of the most used ports include the following:
A port scan is a series of messages sent to learn which network services a given host offers. Port scanners are applications that identify which ports, and therefore which services, are open or closed on a network-connected device. A port scanner can send a connection request to the target computer on every one of the 65,536 ports and record which ports respond and how. The type of response received from each port, or the absence of one, indicates whether it is in use.
Corporate firewalls can reply to a port scan in three ways:
The general objective of a port scan is to map out a system's OS and the applications and services it runs in order to understand how it is protected and what vulnerabilities may be present and exploitable.
Because nearly every network service listens on TCP or UDP, port scanners are built around the way those two protocols respond to an unexpected packet.
By design, a listening TCP port completes the handshake: it answers a SYN with a SYN/ACK. A closed TCP port answers with a RST instead, and if nothing comes back at all the probe was most likely dropped by a firewall, so the port is reported as filtered. UDP has no handshake. A closed UDP port typically causes the host to send back an "ICMP [Internet Control Message Protocol] port unreachable" message, while an open UDP port usually stays silent unless the service chooses to answer the probe, which is why UDP scans are slower and less conclusive than TCP scans.
As such, several types of port scanning techniques exist, including the following:
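The response rules above, turned into a working scanner. This is an added example, not code from the original article or from any scanning tool it names: a minimal connect() scanner that classifies each TCP port as open, closed or filtered from how the operating system reports the probe, and a UDP variant that relies on the ICMP port-unreachable error a closed port provokes. The loopback listener and the port-picking helper are assumptions made so the demo runs offline against the local host.

```python
import socket
import threading
from typing import Dict, Iterable

# Added example, not code from the original article or from any scanner it
# names. connect() outcomes map directly onto what a SYN scan sees on the wire:
#   connect() succeeds      -> "open"     (target answered SYN with SYN/ACK)
#   ConnectionRefusedError  -> "closed"   (target answered with RST)
#   timeout                 -> "filtered" (no reply; something dropped the probe)
def scan_tcp_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except socket.timeout:
            results[port] = "filtered"
        except OSError:
            results[port] = "error"  # e.g. network unreachable
        finally:
            s.close()
    return results

# UDP has no handshake, so the evidence is weaker. A connected UDP socket lets
# the kernel surface the ICMP port-unreachable error a closed port sends back;
# silence means either an open-but-quiet service or a dropped probe.
def scan_udp_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"")
            s.recv(1024)
            results[port] = "open"           # the service answered
        except ConnectionRefusedError:
            results[port] = "closed"         # ICMP port unreachable came back
        except socket.timeout:
            results[port] = "open|filtered"  # no answer: cannot tell which
        except OSError:
            results[port] = "error"
        finally:
            s.close()
    return results

# Assumed fixture for the demo: a TCP listener on an ephemeral loopback port
# plays the role of an "open" service.
def start_listener(host: str = "127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def pick_closed_port(host: str = "127.0.0.1", kind=socket.SOCK_STREAM) -> int:
    # Ask the OS for a free port and release it, so nothing is listening there.
    tmp = socket.socket(socket.AF_INET, kind)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def demo():
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        tcp = scan_tcp_ports("127.0.0.1", [open_port, closed_port])
        udp = scan_udp_ports("127.0.0.1", [pick_closed_port(kind=socket.SOCK_DGRAM)])
        return tcp, udp, open_port, closed_port
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

A full connect() scan is the noisiest technique: every open port it finds shows up as a completed connection in the target's application logs. A SYN (half-open) scan gets the same classification from the raw SYN/ACK or RST reply without finishing the handshake, but needs raw-socket privileges, which is why it is left out of this portable example. Note also the asymmetry in the UDP result: only the closed case is conclusive.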
Port scanning does not necessarily indicate an attack. It's important to know why the port scan information is being collected and what it is being used for.
Port scanning is one of the most popular information-gathering methods used by malicious actors. As part of the reconnaissance process, an attacker uses the data collected by a port scan to find out what services a device is running and to get an idea of the OS being used, typically from banners and protocol fingerprints. This data can then be used to flag vulnerable systems with the intention of exploiting them to gain access to the network.
On the other hand, security teams and penetration testers can use port scan data to identify vulnerabilities, new devices on a network that may need attention, potential misconfigurations and other holes in security coverage to shore up defenses.
When a router or firewall logs repeated, periodic connection attempts against a succession of ports from the same source, it is recording the probes of a port scanner. This may or may not be malicious, because most internet-facing systems are scanned many times every day by automated scanners of every kind.
The practice of port scanning is as old as the internet. While protocols have changed over time and security tools and systems have evolved over the years, port scan alerts must still be detected and attended to, especially when it is not the security team scanning its own systems.
A port scan attack must be detected before it can be stopped. When properly installed and configured, modern security appliances are quite effective at detecting port scans by keeping track of attempts to access systems in the local network.
Most security appliances can link ongoing repeated scan attempts from the same source whether they target a single host or multiple hosts. To be effective, port scan attacks may need to probe many different ports on many different systems over a relatively short time period, which makes the attempts easier to detect. To counter this, some attackers may find it preferable to probe for open ports over a much longer time frame, in which case it becomes more difficult to detect a port scan attack. The downside for the attacker, however, is that it may take hours, days or longer to find a vulnerable system.
It is impossible to prevent the act of port scanning; anyone can select an IP address and scan it for open ports. To properly protect an enterprise network, security teams should find out what attackers would discover during a port scan of their network by running their own scan from outside the perimeter. Be aware, however, that many cloud hosting providers, such as AWS, publish rules of engagement for security assessments and pen tests and may require prior approval before their infrastructure is scanned.
Once security admins find out which ports respond as being open, they can review whether these ports need to be accessible from outside the corporate network. If not, security admins should shut them down or block them. If the open ports are deemed necessary, admins should begin to research what vulnerabilities and exploits the network is open to and apply the appropriate patches to protect the network.
Some types of firewalls use adaptive behavior, which means they automatically block further traffic from a source IP address that is probing them, regardless of whether the ports it touched were open or closed. Firewalls can also be configured to alert administrators when they detect connection requests across a broad range of ports from a single host. Attackers can stay under such thresholds by conducting a strobe scan, which touches only a handful of ports of interest, or a stealth scan, which uses half-open SYN probes or other crafted packets so that no connection is ever completed and logged by the application.
Firewalls and intrusion detection systems should always be configured to spot and block unusual connection attempts and requests. For example, after a port scan has been completed, attackers may launch a few probing attacks to validate earlier research or to gain additional information needed to finesse their main attack. Feeding abnormal activity into a SIEM system can provide real-time feedback and improve automated responses to events.
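The detection logic described above, both the linking of repeated probes from one source and the adaptive blocking of that source, as an added example that is not part of the original article or of any firewall product. It runs over constructed log lines in an assumed, simplified netfilter-style format, counts the distinct (destination, protocol, port) targets each source has touched within a sliding time window, and raises one alert per source when that count crosses a threshold. The sample log deliberately includes a fast scanner, a slow scanner and a legitimate client so the effect of the window size on slow scans can be seen.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Added example, not code from the original article or any vendor's product.
# Assumed log format (constructed for this example):
#   <ISO timestamp> <ACTION> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$"
)

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }

def detect_port_scans(lines: List[str], window_seconds: int = 60,
                      distinct_threshold: int = 10) -> List[Tuple[str, datetime, int]]:
    """Return (source, time of alert, distinct targets seen) per flagged source.

    Lines are assumed to be in chronological order. Targets are keyed on
    (dst, proto, dport), so a vertical scan of one host and a horizontal
    sweep of one port across many hosts are both counted.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, target)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["proto"], ev["dport"])))
        while q and ev["ts"] - q[0][0] > window:   # slide the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= distinct_threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])                  # one alert per source
            alerts.append((ev["src"], ev["ts"], len(distinct)))
    return alerts

def sources_to_block(alerts) -> set:
    # The adaptive-firewall response: every alerted source goes on the block list.
    return {src for src, _, _ in alerts}

def make_sample_log() -> List[str]:
    # Constructed sample, using RFC 5737 documentation addresses.
    base = datetime(2021, 7, 7, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(1, 26)):          # fast scan: 25 ports in 10 s
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={port}")
    slow_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    for i, port in enumerate(slow_ports):             # slow scan: one port every 5 min
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(30):                               # legitimate client: one port, many hits
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443")
    lines.sort(key=lambda l: parse_line(l)["ts"])
    return lines

if __name__ == "__main__":
    log = make_sample_log()
    for w in (60, 3600):
        found = detect_port_scans(log, window_seconds=w)
        print(f"window={w}s alerts={found} block={sources_to_block(found)}")
```

With a 60-second window only the fast scanner is flagged; the slow scanner never has more than one probe inside any window, which is exactly the evasion described above. Widening the window to an hour catches it at its tenth probe, at the cost of holding more state per source. The legitimate client is never flagged because it keeps hitting the same single target, which is why the count is of distinct targets rather than of connection attempts.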
A variety of tools can be used to perform a port scan, including the following:
07 Jul 2021