riggsby - Fotolia

How to prevent port scan attacks

The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and prevent port scanning attacks.

When a router reports multiple periodic occurrences of probing by brute force, what is happening is that the router...

is recording port requests from a port scanner. Port scanning is one of the most popular information-gathering methods used by hackers. Unfortunately, port scans are easy to perform, and it is critical to note that all internet-connected devices will be probed at some point in time.

A port is a communication endpoint through which information flows. Port numbers range from 0 to 65535. Common ports include port 80 for HTTP, port 443 for HTTPS and port 465 for mail servers, such as Simple Mail Transfer Protocol.

Port scanners are applications that identify which ports and services are open or closed on an internet-connected device. The scanner sends a connection request to the target computer on all 65,536 ports and records which ports respond and how. The type of response received from the ports indicates whether they are in use or not.

Port scanning is not an attack in and of itself but rather part of the reconnaissance phase of an attack during which an attacker tries to find out as much as possible about his intended target. The general objective of a port scan is to map out the system's OS and the applications and services it is running in order to understand how it is protected and what vulnerabilities may be present and exploitable. Also, note that port scanning can be done by both attackers and defenders, as explained later.

Defending against port scans

So, how can an enterprise protect itself against and prevent port scan attacks on its network?

Corporate firewalls can reply to a port scan in three ways: open, closed or no response. If a port is open, or listening, it will respond to the request. A closed port will respond with a message indicating that it received the open request but denied it. This way, when a genuine system sends an open request, it knows the request was received, but there's no need to keep retrying. However, this response also reveals there is a computer behind the IP address scanned, and therefore, the third option is to not respond to the request at all. In this case, if a port is blocked or in stealth mode, the firewall will not respond to the port scanner. Interestingly, however, blocked ports actually violate the TCP/IP rules of conduct, and therefore, a firewall has to suppress the computer's closed port replies. Security teams may even find that the corporate firewall has not blocked all the network ports anyway. For example, if port 113, used by the Identification Protocol, is completely blocked, connections to some remote internet servers, such as internet relay chat, may be delayed or denied altogether. For this reason, many firewalls set port 113 to closed instead of blocking it completely.

TCP port scanning techniques
Scanning for open TCP ports

In addition, some firewalls now use adaptive behavior, which means they will block previously open and closed ports automatically if a suspect IP address is probing them. Firewalls can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting a port scan in strobe or stealth mode. In strobe mode, hackers only scan a small number of ports at a time, usually fewer than 20. In stealth mode, there are several scan types and techniques hackers use to prevent being detected by a logging system. For example, using a low-and-slow approach, which involves running port scans over a much longer period, reduces the chances that the firewall will trigger an alert, or they might use a number of techniques to prevent requests for connection from being logged.

Types of port scans

There are several types of port scanning techniques, including the following:

  • A ping scan, or sweep scan, scans the same port on several computers to see if they are active. This involves sending out an Internet Control Message Protocol echo request to see which computers respond.
  • A TCP SYN scan, or TCP half-open scan, is one of the most common types of port scans. It involves attackers sending TCP SYN packets to initiate communication but does not complete the connection.
  • A TCP connect, also known as a vanilla scan, is like a TCP SYN scan in that it sends TCP SYN packets to initiate communication, but this scan does complete the connection by sending an ACK
  • A strobe scan is an attempt to connect only to selected ports, usually fewer than 20.
  • A User Datagram Protocol scan looks for open UDP ports.
  • In an FTP bounce scan, an FTP server is used to scan other hosts. Scanning attempts that are directed through an FTP server disguise the attacker's source address.
  • In a fragmented scan, the TCP header is split up over several packets to prevent detection by a firewall.
  • Stealth scans involve several techniques for scanning that attempt to prevent the request for connection from being logged.

How to block port scans in the network

It is important to note that it is impossible to stop the act of port scanning as anyone can select any IP address and scan it for open ports. Therefore, to properly protect an enterprise network, security teams should find out what an attacker would discover if he ran a port scan against the network by running their own scan. This is where port scanning is done by the defender, as noted above. Corporate port scans can be completed using Nmap, a free port scanner that hackers often use, or any other number of port scanning tools. Once security admins find out which ports respond as being open, they can review whether it's necessary for those ports to be accessible from outside the corporate network. If the company doesn't need them to be accessible from outside the network, security admins should shut them down or block them. If they are necessary, admins should begin to research what sorts of vulnerabilities and exploits the network is open to and apply the appropriate patches to protect the network.

Firewalls and intrusion detections systems should always be configured to spot and block unusual connection attempts and requests. For example, after a port scan has been completed, an attacker may well launch a few probing attacks to validate earlier research or to gain additional information needed to finesse his main attack. Feeding abnormal activity into a SIEM system can provide real-time feedback and improve automated responses to such events.

Do be aware that security assessments and penetration tests against many cloud hosting services, such as AWS, need approval prior to scanning.

This was last published in December 2019

Dig Deeper on Threat detection and response