TL;DR
This guide covers common attacks that rely on port scanning and points to resources for learning more: the scan types, the tools attackers use, how to detect scanning, and how to mitigate it.
1. Understanding Port Scanning
Port scanning is a reconnaissance technique used to identify open ports on a target system. Attackers use this information to find vulnerabilities they can exploit. Different scan types exist:
- TCP Connect Scan: Attempts a full TCP connection with each port. Easily detectable, but reliable.
- SYN Scan (Stealth Scan): Sends SYN packets and checks for responses. Less likely to be logged than a connect scan.
- UDP Scan: Sends UDP packets to ports. Can be slow and unreliable due to UDP’s connectionless nature.
- FIN/NULL/Xmas Scans: Exploit how TCP stacks respond to unusual flag combinations; often slip past simple, stateless packet filters that only inspect SYN packets.
2. Common Attacks Using Port Scanning
- Information Gathering: Identifying services running on open ports (e.g., web servers, SSH).
- Vulnerability Exploitation: Once a vulnerable service is identified, attackers attempt to exploit known weaknesses.
- Denial of Service (DoS): Flooding open ports with traffic to overwhelm the system.
- Botnet Propagation: Scanning for systems to infect and add to a botnet.
3. Tools Used by Attackers
- Nmap: The most popular port scanning tool, offering various scan types and scripting capabilities.
# Example Nmap SYN scan
nmap -sS target_ip
- Masscan: Designed for fast scanning of large networks.
- Zenmap: Nmap’s GUI interface, making it easier to use.
- Unicornscan: Another versatile port scanner with asynchronous capabilities.
4. Detecting Port Scanning
- Firewall Logs: Monitor firewall logs for suspicious connection attempts and patterns. Look for scans from the same IP address attempting connections to many ports in a short period of time.
- Intrusion Detection Systems (IDS): Configure IDS rules to detect common port scanning techniques.
# Example Snort rule to detect SYN scans
# flow:stateless matches the bare SYN (an established flow never contains one); the
# detection_filter fires only after 20 SYNs from one source in 10 seconds, so ordinary
# connections do not trigger it.
alert tcp any any -> $HOME_NET any (msg:"Possible SYN scan"; flags:S; flow:stateless; detection_filter:track by_src, count 20, seconds 10; sid:1000001; rev:1;)
- Network Traffic Analysis: Use tools like Wireshark to analyze network traffic for unusual patterns.
- Log Analysis Tools: Centralized logging and analysis can help identify scanning activity across multiple systems.
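The firewall-log heuristic above (one source hitting many ports in a short period), as an added example that is not part of the original guide: it parses constructed iptables-style log lines and flags any source address that reaches at least 10 distinct destination ports within a 60-second sliding window. The log format, the year used for syslog timestamps and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Syslog lines carry no year, so one is assumed when parsing timestamps.
ASSUMED_YEAR = 2024
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)

def _line(second, src, dpt):
    """Build one constructed iptables-style log line (assumed format, not real traffic)."""
    return (f"Mar 10 12:00:{second:02d} fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT={40000 + dpt} DPT={dpt} WINDOW=1024 SYN")

# Constructed sample: one host sweeps 16 ports in 16 s, one host repeatedly hits 443,
# plus an unrelated line the parser must ignore.
SAMPLE_LOG = "\n".join(
    [_line(s, "203.0.113.5", 20 + s) for s in range(16)]
    + [_line(s, "198.51.100.7", 443) for s in range(0, 50, 5)]
    + ["Mar 10 12:00:30 fw sshd[123]: Accepted publickey for alice from 198.51.100.7"]
)

def find_scanners(log_text, port_threshold=10, window_seconds=60):
    """Return {src_ip: max distinct ports seen in one window} for sources over threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall packet record
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, int(m["dpt"])))

    suspects = {}
    for src, evs in events.items():
        evs.sort()
        window, ports = deque(), Counter()  # events in window, distinct-port counts
        for ts, port in evs:
            window.append((ts, port))
            ports[port] += 1
            # Drop events that fell out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_port = window.popleft()
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
            if len(ports) >= port_threshold:
                suspects[src] = max(suspects.get(src, 0), len(ports))
    return suspects
```

On the sample, `find_scanners(SAMPLE_LOG)` reports only 203.0.113.5 (16 distinct ports); the host repeatedly reaching port 443 is not flagged.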
5. Mitigating Port Scanning
- Firewall Rules: Block unnecessary ports and limit access to essential services.
# Example iptables rule to block port 23 (Telnet)
iptables -A INPUT -p tcp --dport 23 -j DROP
- Intrusion Prevention Systems (IPS): Automatically block malicious traffic based on detected patterns.
- Rate Limiting: Limit the number of connection attempts from a single IP address within a specific timeframe.
- Port Knocking: Require a specific sequence of connections to different ports before allowing access.
- Decoy Systems (Honeypots): Deploy systems designed to attract attackers and gather information about their techniques.
- Regular Security Audits: Regularly scan your own network for vulnerabilities and misconfigurations.
6. Resources
- Nmap Documentation: https://nmap.org/docs/
- SANS Institute: https://www.sans.org/ (Offers courses on cyber security and network security)
- OWASP: https://owasp.org/ (Provides resources on web application security)