Introduction to Port Scanning

The more you know, the better you can protect yourself


What is port scanning? It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite, which is used universally to communicate on the Internet. Each of these has ports 0 through 65535 available, so essentially there are more than 65,000 doors to lock.

How Port Scanning Works

Port scanning software, in its most basic state, sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seemed open to more in-depth probing.

If the port scan is malicious, the intruder would generally prefer to go undetected. You can configure network security applications to alert administrators if they detect connection requests across a broad range of ports from a single host.

To get around this, the intruder can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65536 ports. Stealth scanning uses techniques such as slowing the scan. By scanning the ports over an extended period, you reduce the chance that the target will trigger an alert.

By setting different TCP flags or sending different types of TCP packets, the port scan can generate different results or locate open ports in different ways. A SYN scan tells the port scanner which ports are listening and which are not, depending on the type of response generated. A FIN scan draws a response from closed ports, but open, listening ports will not respond, so the port scanner can still determine which ports are open and which are not.

There are several different methods to perform the actual port scans, as well as tricks to hide the source of a port scan.

How to Monitor for Port Scans

It is possible to monitor your network for port scans. The trick, as with most things in information security, is to find the right balance between network performance and network safety.

You could monitor for SYN scans by logging any attempt to send a SYN packet to a port that isn't open or listening. However, rather than being alerted every time a single attempt occurs, decide on thresholds to trigger the alert. For instance, you might say that an alert should trigger if there are more than 10 SYN packet attempts to non-listening ports in a given minute.

You could design filters and traps to detect a variety of port scan methods, watching for a spike in FIN packets or just an unusual number of connection attempts to a range of ports or IP addresses from a single IP source.
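As an added example (not code from the original article), here is the threshold rule above implemented in Python over a constructed log of SYN attempts: it also shows the earlier caveat that a slowed-down scan stays under a per-minute threshold. The log line format, the listening-port set and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# Ports this host actually listens on (assumed set for the example).
LISTENING_PORTS = {22, 80, 443}

def parse_line(line):
    """Parse one constructed log line: '<epoch_seconds> <src_ip> <dst_port> <tcp_flags>'."""
    ts, src, dport, flags = line.split()
    return int(ts), src, int(dport), flags

def detect_syn_scans(lines, listening_ports, threshold=10, window=60):
    """Return {src_ip: time_of_first_alert} for every source that sends more than
    `threshold` SYNs to non-listening ports within any `window`-second period."""
    attempts = defaultdict(deque)  # src_ip -> timestamps of SYNs to closed ports
    alerts = {}
    for line in lines:
        ts, src, dport, flags = parse_line(line)
        if flags != "S" or dport in listening_ports:
            continue  # only SYNs to ports nothing listens on count as suspicious
        recent = attempts[src]
        recent.append(ts)
        while recent and ts - recent[0] >= window:
            recent.popleft()  # drop attempts that have aged out of the window
        if len(recent) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts

# Constructed sample log (not real traffic).
SAMPLE_LOG = (
    # fast scanner: 15 SYNs to closed ports within 15 seconds -> should alert
    [f"{1000 + i} 10.0.0.5 {i + 1} S" for i in range(15)]
    # normal client: SYNs to listening ports plus one stray attempt -> no alert
    + ["1003 10.0.0.9 443 S", "1004 10.0.0.9 80 S", "1005 10.0.0.9 8080 S"]
    # slow scanner: one SYN to a closed port every two minutes -> stays under threshold
    + [f"{1000 + 120 * i} 10.0.0.7 {2000 + i} S" for i in range(15)]
)

if __name__ == "__main__":
    for src, ts in detect_syn_scans(SAMPLE_LOG, LISTENING_PORTS).items():
        print(f"ALERT: possible SYN scan from {src} at t={ts}")
```

Widening the window (for example to ten minutes) is what catches the slow scanner, at the cost of more state per source and more false positives from chatty hosts.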

To help ensure that your network is protected and secure, you might wish to perform your own port scans. A major caveat here is to ensure you have the approval of all the powers that be before embarking on this project lest you find yourself on the wrong side of the law.

To get the most accurate results, perform the port scan from a remote location using non-company equipment and a different ISP. Using software such as Nmap, you can scan a range of IP addresses and ports and find out what an attacker would see if they were to port scan your network. Nmap, in particular, allows you to control almost every aspect of the scan and perform various types of port scans to fit your needs.

Once you find out what ports respond as being open by port scanning your network, you can begin to work on determining whether those ports must be accessible from outside your network. If they're not required, you should shut them down or block them. If they are needed, you can begin to research what sorts of vulnerabilities and exploits your network is open to by having these ports accessible and work to apply the appropriate patches or mitigation to protect your network as much as possible.