August 21, 2019
What Is Port Scanning?
Much like car burglars test door handles to see which cars are locked, a port scan is a process which identifies “open doors” to a computer. Ports are points at which information comes and goes from a computer, so by scanning for open ports, attackers can find weakened pathways with which to enter your computer.
Port scanning is one of the most popular techniques attackers use to discover services they can exploit to break into your computer system, according to the SANS Institute.
It’s important to note that port scanning is not solely used for nefarious purposes. It also has legitimate uses in managing networks. In this article, we explain what port scanning is, the different types of port scanning, and how to protect yourself from attackers using port scanning to gain access.
What Is Port Scanning?
Port scanning is one of the most popular forms of reconnaissance ahead of a hack, helping attackers determine which ports are most susceptible. Port scanning can lead to a hacker entering your network or stealing proprietary data.
Port scanning provides the following information to attackers:
- What services are running
- Which users own the services
- If anonymous logins are allowed
- What network services require authentication
During a port scan, hackers send a message to each port, one at a time. The response they receive from each port determines whether it’s being used and reveals potential weaknesses.
Security techs can routinely conduct port scanning for network inventory and to expose possible security vulnerabilities.
How a port scan affects the network depends on the method used by the hacker.
How Does Port Scanning Work
Port scans send requests to every port, asking to connect to a network. The scan then makes note of the ports that respond and which seem vulnerable.
Once the attacker has determined vulnerable ports in a network, the scan will classify ports into three categories:
- Open: The host responds, announcing it is listening and open to requests. An open port means it’s a path to attack the network.
- Closed: The host responds, but notes there is no application listening. Often, hackers will come back to scan again in case it opens up.
- Filtered: The host does not respond to a request. This could mean the packet was dropped due to congestion or a firewall.
Types of Port Scanning
In order to defend your network against port scans, it’s important to understand the different types of port scans that hackers use.
- Vanilla: The scanner tries to connect to all 65,535 ports
- Strobe: A more focused scan, looking for known services to exploit
- Fragmented Packets: The scanner sends packet fragments as a means to bypass packet filters in a firewall
- User Datagram Protocol (UDP): The scanner looks for open UDP ports
- Sweep: The scanner pings the same port across more than one machine to see which computers are active
- FTP Bounce: The scanner goes through an FTP server to disguise the source
- Stealth: The scanner blocks the scanned computer from recording the port scan
How To Defend Against Port Scanning
As is often the case with computer security, the best offense is a good defense. As long as you have a publicly accessible server, your network system will be vulnerable to port scans. But, there are several things you can do to limit your weaknesses:
- Install a Firewall: A firewall can help prevent unauthorized access to your private network. It controls the ports that are exposed and their visibility. Firewalls can also detect a port scan in progress and shut them down.
- TCP Wrappers: TCP wrapper can give administrators the flexibility to permit or deny access to the servers based on IP addresses or domain names.
- Uncover Holes in the Network: Conduct your own internal port scan to determine if there are more ports open than required. Periodically check your system to determine existing weak points that could be exploited.
It’s important to take steps to protect your network before hackers discover your vulnerabilities.