

What is a port scan attack?

Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems. Learn how they work and how to defend against them.

My security appliance keeps issuing port scan attack alerts even though my LAN seems to be protected behind a firewall. What is a port scan attack, and how can I defend against such attacks?

Ports are like little doors on your system. Every TCP or UDP packet leaving your machine comes out of one of those doors (its source port) and is addressed to a door on another system (its destination port).

Transport layer protocols, including the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Stream Control Transmission Protocol (SCTP), use ports. A port number, taken together with an IP address, identifies the process on a networked host to which a packet is addressed.

Each of these protocols has 65,536 port numbers (0 through 65535) on which a host can listen for and respond to requests from remote hosts. Port 0 is reserved and should not be used as a destination. Ports 1 through 1023 are the well-known (or system) ports that serve as defaults for common internet protocols. They are administered by the Internet Assigned Numbers Authority (IANA), and having a fixed, published port for each service is what lets a client connect to an internet application without being told where to find it.

For example, web servers listen on TCP port 80 for HTTP and on TCP port 443 for HTTPS traffic. Mail servers listen on TCP port 465 for SMTPS, which wraps the Simple Mail Transfer Protocol in Transport Layer Security (TLS) from the first byte, and on TCP port 587 for message submission from mail clients, where the session normally starts in the clear and is upgraded to TLS with the STARTTLS command.

Ports 1024 through 49151 are registered ports, which IANA assigns on request to specific applications and protocols. Ports 49152 through 65535 are dynamic, or ephemeral, ports that operating systems hand out as needed for the client side of connections (many systems, Linux among them, actually draw ephemeral ports from a wider range by default). For example, when a client opens a connection to a server's well-known port, it does so from an ephemeral source port, and the server sends its replies back to that port.

An attacker launches a port scan by sending probe packets to a target and watching which ports answer. A port scan attack, therefore, occurs when an attacker sends a series of packets to your machine, varying the destination port from one packet to the next. The responses tell the attacker which services you are running and, from details such as how the TCP stack answers and what banners the services return, give a pretty good idea of the operating system you have. Most internet-facing systems get scanned every day. As long as you harden your firewall and minimize the services exposed through it, the scans themselves shouldn't worry you, although what they reveal about your exposed services might.

The practice of port scanning is as old as the internet, and while protocols have changed over time and security tools and systems have evolved as well, port scan alerts still must be attended to.

What is port scanning used for?

Port scans are used by both attackers and defenders for similar reasons. They can be used to map a network for reconnaissance to identify systems, ports and, potentially, the software in use. This mapping can be done using a variety of tools at a variety of speeds, depending on whether the person running the scan wants to minimize the chance of being detected.

Some legitimate endpoint software may even map a local network looking for a printer or other network resource, and such a scan could look like a port scan attack. Much of the publicly addressable internet has already been mapped by legitimate services like Shodan, as well as by some more questionable projects, so it is not necessary to do port scans of the internet. But enterprises should scan their internal networks.

The data gathered by a port scan can be used for attacks or defense. An attacker could use port scan attack data to flag potentially vulnerable systems -- with the intention of exploiting those systems to gain access to the target network.

Defenders use the same data, but with the intention of identifying potentially exploitable systems so they can strengthen them. Defenders can also use port scan data and correlate it with data from endpoint or vulnerability management tools to identify systems they need to protect or to identify new devices on a network that may need attention. Enterprises can also use data from legitimate port scan/mapping databases to identify misconfigurations of network or system defenses.

Types of port scans

The simplest port scan is a stream of packets sent to a single host, each addressed to the target's IP address and to the next port number in sequence. When a packet reaches an open TCP port, the target replies with a SYN/ACK, signaling to the attacker that the port is open. A closed port answers with a RST, and a port that a firewall silently drops produces no reply at all, which scanners report as filtered.

The most common type of port scan uses TCP SYN packets, the packets that open a new TCP connection. The scanner sends a SYN and notes whether a SYN/ACK (open) or a RST (closed) comes back, usually without completing the handshake, which is why it is also called a half-open scan. Other scans send FIN packets, or packets with unusual flag combinations such as no flags at all or FIN, PSH and URG together. A stack that follows the TCP specification answers these with a RST on a closed port and stays silent on an open one, so the scanner infers open ports from the absence of a reply; this can slip past filters that only watch for SYNs, although Windows stacks reply with a RST in both cases and so reveal nothing to these scans. ACK scans do not distinguish open from closed ports at all; they are used to map which ports a stateful firewall filters. TCP is the most common vector for port scan attacks because the protocol defines how a host must answer each of these probes. UDP has no handshake, so an open UDP port frequently says nothing, and only a closed one may return an ICMP port unreachable message.

Port scan attacks can also be categorized by whether they target multiple destination ports at a single IP address -- known as a vertical scan -- or target a single port at multiple destination IP addresses -- known as a horizontal scan.
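The mechanics above, as an added example that is not part of the original article: a minimal TCP connect scanner in Python that probes a list of ports on one host (a vertical scan) and classifies each as open, closed or filtered. It uses a full-connect probe rather than a half-open SYN scan, because a SYN scan needs raw sockets and privileges; the three outcomes map onto the same three target behaviors (SYN/ACK, RST, silence). To run offline it opens its own throwaway listener on loopback as the "open door" and reserves a port it then releases as the "closed door"; the listener, the helper names and the 0.5 s timeout are assumptions of this example, not anything the article prescribes.

```python
"""Minimal TCP connect scanner, demonstrated against a loopback listener."""
import errno
import socket
from enum import Enum


class PortState(Enum):
    OPEN = "open"          # handshake completed: target answered the SYN with SYN/ACK
    CLOSED = "closed"      # target answered with RST (seen by us as ECONNREFUSED)
    FILTERED = "filtered"  # nothing came back inside the timeout (dropped by a firewall)


def probe_port(host, port, timeout=0.5):
    """Full-connect probe of one port; returns a PortState.

    Unlike a half-open SYN scan, this completes the three-way handshake, so
    the target's service sees (and may log) a real connection.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return PortState.CLOSED
        except socket.timeout:
            return PortState.FILTERED
        except OSError as exc:
            # Host or network unreachable: no answer at all, same as a silent drop.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
                return PortState.FILTERED
            raise
        return PortState.OPEN


def vertical_scan(host, ports, timeout=0.5):
    """Probe each port in `ports` on a single host: a vertical scan."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1", backlog=8):
    """Open a throwaway listening socket on an ephemeral loopback port.

    The kernel completes handshakes for a listening socket even if nobody
    calls accept(), so no server thread is needed for this demo.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(backlog)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Find a port that is (almost certainly) closed: bind, read the number, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        results = vertical_scan("127.0.0.1", sorted({open_port, closed_port}))
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, res = demo()
    for port, state in res.items():
        print(f"127.0.0.1:{port} {state.value}")
```

Because the probe completes the handshake, every open port it touches gets a connection in its accept queue; on a real target that shows up in service logs, which is exactly why attackers prefer half-open SYN scans and why a connect scan from your own tooling is the noisier but unprivileged choice.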

How to detect a port scan attack

Enterprises should block aggressive port scans if they are causing operational problems at a border. Otherwise, they may want to ignore the scans to focus their efforts on higher risk areas.

But before a port scan attack can be stopped, it must be detected. When properly installed and configured, modern security appliances are quite effective at detecting port scans by keeping track of attempts to access systems in the local network.

Security appliances can usually correlate repeated probes from the same source, whether they target a single host or many. To get results quickly, a port scan has to probe many ports on many systems within a short time, and that burst of connection attempts is what makes it easy to detect.

An attacker can instead spread the probes over a much longer period, which makes the scan far harder to pick out of normal traffic, but the downside for the attacker is that it then takes hours, days or even longer to find a vulnerable system.
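A sliding-window detector of the kind the last two paragraphs describe, as an added example (not the article's code and not any product's logic). It reads firewall log lines in a simplified, assumed format of `timestamp action src dst proto dport`, keeps each source's recent probes in a time window, and raises a vertical alert when one source hits many distinct ports on one host and a horizontal alert when it hits one port on many hosts. The sample traffic is constructed from documentation address ranges and includes a fast vertical scan, a horizontal scan, a slow scan that paces one probe every two minutes, and a benign client; the thresholds and the 60 s window are illustrative choices.

```python
"""Toy sliding-window port scan detector over constructed firewall log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (not any vendor's real format):
#   2019-03-01T10:00:00 DROP 203.0.113.5 192.0.2.10 tcp 22
LOG_FIELDS = ("ts", "action", "src", "dst", "proto", "dport")


def parse_line(line):
    """Parse one log line into a dict with a datetime `ts` and an int `dport`."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    rec = dict(zip(LOG_FIELDS, parts))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


class PortScanDetector:
    """Flags vertical (many ports, one host) and horizontal (one port, many hosts) scans."""

    def __init__(self, window_seconds=60, vertical_threshold=15, horizontal_threshold=10):
        self.window = timedelta(seconds=window_seconds)
        self.vertical_threshold = vertical_threshold
        self.horizontal_threshold = horizontal_threshold
        self.events = defaultdict(deque)  # src -> deque of (ts, dst, dport), oldest first
        self.alerted = set()              # (kind, src, key) already reported; suppress repeats

    def observe(self, rec):
        """Feed one parsed record; return the list of new alerts it triggers."""
        src = rec["src"]
        q = self.events[src]
        q.append((rec["ts"], rec["dst"], rec["dport"]))
        cutoff = rec["ts"] - self.window
        while q and q[0][0] < cutoff:  # drop probes that fell out of the window
            q.popleft()

        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, dst, dport in q:
            ports_by_host[dst].add(dport)
            hosts_by_port[dport].add(dst)

        win = int(self.window.total_seconds())
        alerts = []
        for dst, ports in ports_by_host.items():
            key = ("vertical", src, dst)
            if len(ports) >= self.vertical_threshold and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"vertical scan: {src} probed {len(ports)} ports on {dst} within {win}s")
        for dport, hosts in hosts_by_port.items():
            key = ("horizontal", src, dport)
            if len(hosts) >= self.horizontal_threshold and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"horizontal scan: {src} probed port {dport} on {len(hosts)} hosts within {win}s")
        return alerts


def scan_log(lines, **detector_kwargs):
    """Run the detector over an iterable of log lines; return all alerts in order."""
    det = PortScanDetector(**detector_kwargs)
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(det.observe(parse_line(line)))
    return alerts


def build_sample_log():
    """Constructed sample traffic using documentation addresses (RFC 5737), not real hosts."""
    t0 = datetime(2019, 3, 1, 10, 0, 0)
    lines = []
    # Fast vertical scan: 25 consecutive ports on one host, one per second.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} DROP 203.0.113.5 192.0.2.10 tcp {20 + i}")
    # Horizontal scan: port 445 across 12 hosts, one per second.
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} DROP 198.51.100.7 192.0.2.{i + 1} tcp 445")
    # Slow vertical scan: same 25 ports, but one probe every two minutes.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=2 * i)).isoformat()} DROP 203.0.113.9 192.0.2.10 tcp {20 + i}")
    # Benign client talking to a few services on a couple of hosts.
    for i, (dst, port) in enumerate([("192.0.2.10", 443), ("192.0.2.11", 25), ("192.0.2.10", 22), ("192.0.2.12", 443)]):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} ALLOW 192.0.2.50 {dst} tcp {port}")
    lines.sort()  # ISO timestamps sort lexically, so this orders events by time
    return lines


if __name__ == "__main__":
    for alert in scan_log(build_sample_log()):
        print(alert)
```

With the default 60 s window only the two fast scanners are reported; the slow scanner never has more than one probe inside the window, which is the evasion the paragraph above describes. Widening the window to an hour catches it too, at the cost of more state per source and a higher chance that an ordinary busy client crosses the thresholds, which is the trade-off a real detector tunes.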

This was last published in March 2019
