DEV Community

Cover image for What Is A Port Scan Attack?
Sudip Sengupta
Sudip Sengupta

Posted on

What Is A Port Scan Attack?

Computer ports are crucial components in application programming and networking since they provide a central docking point for exchanging information between two entities. A port number provides consistency and is combined with the target host IP address to form the vital information that the internet service provider uses to fulfill requests. Port scanning is a common technique used by hackers to identify open ports that can be used as attack vectors on the remote host. The intrusion technique often follows the host discovery phase and is used to reveal the presence of security devices between the sending and listening ports.

In this article, we discuss what a port scan attack is, its types, and prevention strategies.

What is a Port Scan?

Port scanning is a commonly used attack technique to detect a vulnerable target server by accessing different ports. An accessible server’s port can expose critical information, such as:

  • Port status – Includes details of closed port, open port, firewall protection, and presence of intrusion detection systems

  • Service running on the port – Details of whether it is a UDP port, FTP port, other common ports, or private ports

  • Device type

  • Operating System running on the target server

  • Whether the device allows anonymous logins

While malicious actors use this information to prepare for attacks through advanced service and host discovery, port scans are also helpful for security experts to identify vulnerabilities in externally accessible services within the private network.

Port Scan Attack Examples

Port scanning attacks are classified according to the type of service running on the vulnerable port. Examples of port scan types include:

UDP Port Scan

The User Datagram Protocol (UDP) establishes a low-latency, loss-tolerant connection between two network entities to enable time-sensitive data transmission. As the UDP protocol does not require the listening port to send a response, most networks use it to broadcast messages. UDP port scanning is used to identify vulnerable services broadcast using the protocol. Common services running on UDP ports include:

  • UDP Port 53- Domain Name System (DNS)

  • UDP Port 161- Simple Network Management Protocol (SNMP)

  • UDP Port 529- Routing Information Protocol (RIP)

As the UDP protocol is more complex to implement than TCP, security researchers often ignore these ports during testing and audits. A UDP port scanner works by sending application-specific UDP packets to the target services and awaiting a positive response. Some attackers also send raw IP packets to all UDP ports and wait for an ICMP destination port unreachable message to enumerate accessible and vulnerable services across the private network.

TCP Port Scan

The Transmission Control Protocol is a core protocol within the IP suite. TCP port scanning uncovers vulnerable services by initiating a three-way TCP handshake, with the completion of the handshake indicating an open port. The target server returns an error if the port is closed. Although this type of scan does not require elevated privileges, the approach does not offer low-level control, thereby acting as a deterrent for hackers to use it commonly.

SYN Scans

This scanning method involves initiating a three-way handshake to synchronize a connection between remote hosts. The client machine sends a TCP SYN packet (synchronization request) and waits for the target server to respond with an SYN-ACK message (synchronization acknowledgment) if the port is open. The client then sends an ACK flag to complete the three-way handshake. If the port is listening, an RST packet is included in the handshake, which resets the TCP connection, erasing the connection attempt on the target server’s logs.

SYN port scanning, also known as half-open TCP scanning, can be detected by most modern intrusion detection systems. Attackers often pair SYN scans with alternate scanning methods, such as FIN and TTL scans, to ensure stealth by augmenting the outbound probe packet.

FTP bounce scan

Most outdated File Transfer Protocol servers contain an inherent vulnerability that allows data to be sent to specified hosts and ports using the port command. Attackers can enter a series of commands or malicious data into a file and relay it into an active port on a vulnerable host, orchestrating an FTP bounce scan attack. Attackers can leverage FTP server flaws to discover and exploit other vulnerable services within the network, such as SMTP- Simple Mail Transfer Protocol and DNS-Domain Name Service.

How to Prevent Port Scan Attacks?

Some methods to prevent port scanning attacks include:

Use of Strong Firewall Protection

Strong hardware and software firewalls can help prevent unauthorized access to an organization’s private network. The firewall simplifies the control of port visibility and can alert security teams when a client machine has been hacked using port scanners.

Regular Vulnerability Scanning

Organizations are recommended to deploy an advanced port scanner tool that regularly and automatically checks for open, vulnerable services and ports. Continuous, automatic scanning uncovers weak points attackers can leverage to initiate or supplement port scanning attacks.

The Crashtest Security Suite includes an online port scanner to help teams identify whether servers have opened one or more unnecessary TCP ports. The scanner makes it easy to quickly identify obsolete protocol versions while fetching the required updates to ensure insecure services are not accessible through TCP ports.

Try a free, 14-day trial of Crashtest Security to learn how the security suite can help scan for open ports and seamlessly cross-reference impacted services running behind vulnerable ports.

Use of TCP wrappers

A TCP wrapper monitors individual incoming packets to ensure they are from an authorized entity. The wrapper acts like a host-based access control list that provides standardized logging and permission management by working as a low-level packet filter.

How to Run a Port Scan?

Various techniques can be used to send and assess packets sent to a target port. Some of such methods include:

  • Vanilla scan: A basic port scanning technique that sends a sequence of packets to each of the 65,536 ports simultaneously. A vanilla scan is considered accurate and straightforward since it involves a three-way handshake using an SYN flag, SYN-ACK response, and an ACK flag to determine vulnerable services.

  • Ping scans: A simple port scanning mechanism that uses Internet Control Message Protocol (ICMP) requests sent to multiple servers and troubleshoot services by examining the returned responses.

  • XMAS scans: A discreet method that sends a set of flags whose responses disclose the state of the firewall and target ports. XMAS scans manipulate the TCP header’s PSH, URG, and FIN flags, where the response of the target host is different between open and closed ports.

  • Sweep scans: An ICMP scan that determines which IP addresses in internal networks map to live hosts. The ping sweep uses ICMP ECHO requests to broadcast the scan to multiple hosts simultaneously.

FAQs

How to disable port scan and DOS protection?

When port scans are enabled, hackers can write scripts that continually ping a target host’s open ports, causing a denial of service. Disabling a port scan ensures that open ports are not externally accessible, helping prevent DoS attacks. Every router/host device has a GUI or command-based setting that disables port scans, offering DoS protection.

What is port scan detection?

Port scan detection is a simple application protection technique that relies on straightforward approaches to determine whether hackers are actively scanning a target port. Since port scan attacks usually trigger massive requests within a short time, port scan detection can be performed by counting the number of requested ports for the target IP address.

This article has already been published on https://crashtest-security.com/port-scan-attacks/ and has been authorized by Crashtest Security for a republish.

Top comments (0)