Manage Learn to apply best practices and optimize your operations.

How to protect against port scans

A port scan is a popular hacking tool that allows attackers to gather information about how your network operates. Learn how to detect and prevent a port scan in this platform security Ask the Expert Q&A.

My router is reporting multiple and periodic occurrences of probing by brute force. As far as I know, all ports...

are stealth. Should I be alarmed by this activity?

What you are seeing is your router recording port requests from a scanner. Port scanning is one of the most popular information gathering methods hackers use. Unfortunately, it is very easy to perform and all Internet-connected devices will be probed at some point.

Port scanners are software that identifies which ports and services are open on an Internet-connected device. The scanner sends a connection request to the target computer on all 65536 ports, and records which ports respond and how. The type of response received indicates whether the port is in use. The general objective of a port scan is to map out the system's operating system and the applications and services it is running. A hacker can then test for vulnerabilities within the applications and plan an attack. So, how can you protect against port scans?

Your firewall can reply to a port scan in three ways: Open, closed or no response. If a port is open, or listening, it will respond to the request. A closed port will respond with a message indicating that it received the open request, but denied it. This way, when a genuine system sends an open request, it knows the request was received and there's no need to keep retrying. However, this response also reveals that there is a computer behind the IP address scanned, and therefore, the third option is to not respond to the request at all. In this case, if a port is blocked or in "stealth mode," the firewall will not respond to the port scanner. Interestingly however, blocked ports actually violate the TCP/IP rules of conduct and therefore, your firewall has to suppress the computer's closed port replies. You may find that your firewall has not blocked all of your ports anyway. For example, if port 113, used by the Identification Protocol, is completely blocked, connections to some remote Internet servers, such as Internet Relay Chat (IRC), may be delayed or denied altogether. For this reason, many firewalls set port 113 to "closed" instead of blocking it completely.

Additionally, some firewalls now use "adaptive behavior," which means they will block previously open and closed ports if a suspect IP address is probing them. They can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting the port scan in strobe or stealth mode. In strobe mode, hackers can only scan a small number of ports at a time, but in stealth mode, they can scan the ports over a much longer period, which reduces the chance that the firewall will trigger an alert.

In order to decide whether your computer is at risk, you should find out what an attacker would see in a port scan of your router. You could do this using Nmap, a free port scanner that hackers often use. Once you find out what ports respond as being open on your computer, you can review whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. If they are necessary, you can begin to research what sorts of vulnerabilities and exploits your network is open to and apply the appropriate patches to protect your network.

More on this topic

  • Learn more about the benefits of Nmap in this tip.
  • Learn how to properly deploy a patch, should a hacker bypass your network security systems.
This was last published in June 2006

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.