How does a port scan attack work?

    Prerequisite: What are scanning attacks?

    Cyber-attackers use many different methods to carry out attacks on a computer network, choosing the method by how easily the network's vulnerabilities can be reached. Every type of cyber-attack is risky and harmful in nature. Awareness of cyber crime is very important for today's young generation, both to prevent cyber crime from taking place and to feel safe while using the internet and cyber technology.

    Here, we will discuss one such harmful cyber-attack: the Port Scanning Attack.

    Port Scan attack:

    • A Port Scan attack is a dangerous type of cyber-attack that targets open ports which are vulnerable to attack.
    • A Port Scan attack helps attackers identify entry points into a network so that they can then attack its users.
    • Ports are significant because they carry the traffic that enters and leaves a computer network. The packets and data transmitted over a port tell cyber-attackers whether that specific port may be vulnerable to attack.
    • A port scanning attack also helps identify the security mechanisms of the network, including active firewalls and anti-virus software.
    • In this attack, cyber-attackers look for open ports in the network, which they then aim to use to send and receive information.
    • A detected open port is used by cyber-attackers to exploit vulnerabilities in the computer system.
    • The identification of open ports gives cyber-attackers direct access to the target.
    • Since an application listens on these ports, cyber-attackers take advantage of this to access, manipulate or delete confidential user information.
    • Nmap, Netcat, and IP scanning tools are used to scan ports for vulnerability checks.

    Aim and Consequences:

    • Attackers choose a port scan attack based on the services and the security of the target network.
    • If proper security mechanisms, including authentication methods, are not correctly implemented, the exposed services become a target attack point for cyber-attackers.
    • Cybercriminals combine the target's security weaknesses with the open port information to get into user or organization systems.

    Prevention:

    The preventive measures for a Port Scan attack are listed as follows:

    • Secured Firewalls:
      • A firewall can be used to track the traffic on open ports, including both incoming and outgoing traffic of the network.
      • An open port is identified because the target host is bound to respond with packets, which shows that the host listens on that port; a firewall controls which of these probes reach the host and which responses leave the network.
    • Strong Security Mechanisms:
      • Computer systems with strong security can protect open ports from being exploited.
      • Security administrators should be well aware that no harmful traffic should be allowed access to the computer's open ports.

    According to the SANS Institute, Port Scanning is one of the most popular techniques attackers use to discover services that they can exploit to break into systems. Although Port Scanning isn’t inherently hostile, it is often the first step of reconnaissance used by hackers when trying to infiltrate a network or steal/destroy sensitive data. In this article, we will discuss some best practices you can employ to defend against attackers and prevent potential network breaches.

    Where do we start?

    To conduct a port scan, one must first have a list of active hosts. A network scan is the process of discovering all of the active hosts on a network and mapping those hosts to their IP addresses. With a list of active hosts, a port scan, the process of sending packets to specific ports on a host and analyzing the responses to learn details about its running services or identify potential vulnerabilities, can be conducted.

    More on Network Scanning for Host Discovery

    The process for determining what systems are up and running and listening on a network is called Host Discovery. This is often the first step used by hackers in a hostile attack. There are two primary protocols used for host discovery: Address Resolution Protocol (ARP) scans, and various forms of Internet Control Message Protocol (ICMP) scans.

    An ARP scan is the process of mapping IP addresses to MAC addresses on a local subnet. ARP requests can be sent out to all of the IP addresses on a Local Area Network (LAN) to determine which hosts are up based on the ones that respond with an ARP reply. Because ARP requests only work within a LAN, this requires the potential attacker to be connected to your internal network.

    To conduct a network scan outside of the LAN, there are a number of different ICMP packets that can be used instead, such as echo, timestamp, and address mask requests. Echo or ping requests are used to detect if a host can be reached, while timestamp packets determine the latency between two hosts. You can use address mask requests to find out the subnet mask used on the network.

    Discovering hosts on a network via ICMP messages all depends on receiving a corresponding reply from the targeted hosts. If no response is received, it could mean that there is no host at the target address or that the ICMP message type isn’t supported by the target host. It could also mean that the original request was blocked by a firewall or packet filter. Generally, ICMP echo (ping) requests that do not originate from inside the network are blocked by firewalls, but timestamp and address mask requests are less likely to be blocked.

    Moving On to Port Scanning

    Now that the network scan has been completed and a list of available hosts has been compiled, a port scan can be used to identify the services in use on specific ports of the available hosts. Port scanning will typically classify ports into one of three categories:

    Open: The target host responds with a packet indicating it is listening on that port. It also indicates that the protocol used for the scan (typically TCP or UDP) is in use on that port.

    Closed: The target host received the request packet but responds back with a reply indicating that there is no service listening on that port.

    Filtered: A port scan will categorize a port as filtered when a request packet is sent but no reply is received. This typically indicates that the request packet has been filtered out and dropped by a firewall.

    Port Scan Methods

    TCP and UDP are generally the protocols used in port scanning, as previously mentioned, and there are several methods of actually performing a port scan with these protocols.

    The most commonly used method of TCP scanning is SYN scans. This involves creating a partial connection to the host on the target port by sending a SYN packet and then evaluating the response from the host. If the request packet is not filtered or blocked by a firewall, then the host will reply by sending a SYN/ACK packet if the port is open or a RST packet if the port is closed.

    Another method of TCP scanning is the TCP connect scan. This involves the scanner trying to connect to a port on the target host using the TCP connect system call and initiating the full TCP handshake process. This process creates a lot of overhead in terms of packets and is a lot easier to detect, therefore making it a less utilized method of port scanning.

    Other types of TCP port scans include NULL, FIN and Xmas. These three types of scans involve manipulating the TCP header flags. NULL scans send packets with no flags set in their headers, while FIN scans only have the FIN bit set. Xmas scan packets have the FIN, PSH and URG flag bits turned on, making them appear to be “lit up like a Christmas tree”. Hence the name Xmas scan.

    UDP scans, like TCP scans, send a UDP packet to various ports on the target host and evaluate the response packets to determine the availability of the service on the host. As with TCP scans, receiving a response packet indicates that the port is open.

    Being Prepared

    These days, network intrusion detection systems and firewalls are usually pre-configured to detect malicious network scans. Potential attackers, though, have become smarter and can attempt to avoid common detection rules by altering the frequency of the scans, accessing ports out of order, or spoofing their source address. The best way to protect yourself against malicious network scans that can exploit holes in the network is to make sure the holes don't exist in the first place.
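The paragraph above says that detection systems look for scans and that attackers slow their scans down or reorder ports to slip past simple rules. The following added example (not code from the original article or from any product it names) shows the detection logic a defender would run over firewall logs: a sliding-window counter of distinct destination ports per source address. Running the same detector with a short window catches a burst scan, and with a long window catches a slow scan, while a busy but legitimate client that repeatedly hits one port triggers neither. The iptables-style log format, the addresses, and the function and class names are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape (constructed, loosely iptables-style):
# <ISO timestamp> <action> SRC=<ip> DST=<ip> PROTO=<proto> SPT=<n> DPT=<n> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ SRC=(?P<src>[\d.]+) DST=\S+ PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source ip, protocol, destination port) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["proto"], int(m["dpt"]))


class DistinctPortDetector:
    """Sliding-window detector: raises an alert the first time one source
    touches at least `threshold` distinct destination ports within `window`
    seconds. Counting distinct ports (not packets) keeps a chatty client that
    reuses one port from looking like a scanner."""

    def __init__(self, window_seconds, threshold):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.events = defaultdict(deque)  # src -> deque of (ts, dport)
        self.alerted = set()

    def feed(self, ts, src, dpt):
        q = self.events[src]
        q.append((ts, dpt))
        # Evict events that fell out of the window (log is fed in time order).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


def detect_scanners(lines, window_seconds, threshold):
    """Feed log lines through one detector; return sources in alert order."""
    det = DistinctPortDetector(window_seconds, threshold)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not connection records
        ts, src, _proto, dpt = parsed
        if det.feed(ts, src, dpt):
            hits.append(src)
    return hits


def build_sample_log():
    """Constructed sample traffic (assumption, not real captures):
    a fast scanner, a slow scanner, and a legitimate client."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    fmt = "{ts} DROP SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt} SYN"
    lines = []
    # Fast scan: 15 distinct ports within 3 seconds.
    for i in range(15):
        ts = base + timedelta(seconds=0.2 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="203.0.113.7", dpt=20 + i))
    # Slow scan: 15 distinct ports, one every 4 minutes (evades a 10 s window).
    for i in range(15):
        ts = base + timedelta(minutes=4 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="198.51.100.9", dpt=100 + i))
    # Legitimate client: 30 connections to port 443 in 3 seconds (one port only).
    for i in range(30):
        ts = base + timedelta(seconds=0.1 * i)
        lines.append(fmt.format(ts=ts.isoformat(), src="192.0.2.55", dpt=443))
    # Replay in chronological order, as a firewall would have written them.
    lines.sort(key=lambda ln: datetime.fromisoformat(ln.split()[0]))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("burst rule (10 ports / 10 s):   ", detect_scanners(log, 10, 10))
    print("slow rule  (10 ports / 1 hour): ", detect_scanners(log, 3600, 10))
```

Running both rules side by side is the point: the burst rule alone misses the slow scanner, and raising the window without the distinct-port criterion would start flagging ordinary clients. Source-address spoofing, which the paragraph also mentions, is not something this counter can resolve; it only tells you which claimed source to investigate.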

    Understanding host vulnerabilities is a critical component of overall network security. As a network engineer, you are responsible for protecting your infrastructure from malware, worms, hackers, trojans, and viruses – reducing the opportunity for exploits to find their way in is your mission.

    As is often the case, the best practice here is to fight fire with fire—scan your own networks for vulnerabilities before the bad guys can find them.

    What are port scan attacks and how can they be prevented?

    It is impossible to prevent the act of port scanning; anyone can select an IP address and scan it for open ports. To properly protect an enterprise network, security teams should find out what attackers would discover during a port scan of their network by running their own scan.
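Both the three port states described earlier (open, closed, filtered) and the advice here to scan your own network before an attacker does can be illustrated with a small self-audit tool. The following is an added example, not code from the original article or from Nmap or any other tool it names: a TCP connect scan, the full-handshake method the article calls easy to detect, which is exactly why it is the right choice for auditing hosts you own. To run offline it opens one loopback listener so there is a known open port, and it compares what it finds against an allowlist of expected services. The helper names, the loopback target, and the allowlist are constructed assumptions for this example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# All helper names below are hypothetical; the listener and port choices are
# constructed so the example runs against the local host only.


def start_listener(host="127.0.0.1"):
    """Open a TCP listener on an ephemeral loopback port so the audit has one
    known-open port to find. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port to obtain one that has
    nothing listening on it, i.e. a port the scan should report as closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host, port, timeout=0.5):
    """TCP connect probe, classified into the article's three states:
    open     = the handshake completed (SYN/ACK came back and we sent ACK)
    closed   = the host answered with RST (ConnectionRefusedError)
    filtered = no reply before the timeout, typically a dropping firewall"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # Host unreachable and similar: nothing answered, treat as filtered.
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, workers=16):
    """Probe each port once in a small thread pool; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(ex.map(lambda p: (p, probe_port(host, p)), ports))


def unexpected_open_ports(host, ports, allowed):
    """Audit step: open ports that are not on the allowlist of services the
    host is supposed to expose. Anything returned needs an owner or a firewall rule."""
    states = connect_scan(host, ports)
    return sorted(p for p, st in states.items() if st == "open" and p not in allowed)


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        closed_port = free_port()
        print(connect_scan("127.0.0.1", [open_port, closed_port]))
        print("unexpected:",
              unexpected_open_ports("127.0.0.1", [open_port, closed_port], allowed=set()))
    finally:
        srv.close()
```

The "filtered" branch only fires when a packet filter silently drops the probe; on the loopback interface you will normally see just "open" and "closed". Run against your own hosts, the useful output is the allowlist difference, which turns the scan result into an inventory question: who owns this listener, and should it be reachable at all?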

    What is a port scanner and how does it work?

    A port scanner determines the status of the ports using different network scanning protocols, by sending a network packet to each port within the specified address range, one at a time. Based on the response received from the ports, it determines their status as listening or non-listening ports.

    Why do I keep getting port scan attacks?

    If a port is open, it is being used for a particular service or application and is actively listening to requests sent to that application. If the applications using open ports aren't patched well, these ports can be exploited and used for launching attacks.

    Why would an attacker want to perform a scan on port 80?

    The attacker would scan the ports on the perimeter firewall and look for open ports on the firewall. The firewall would have well-known ports such as 80 and 25 open for Web and email services. The goal of the attacker is to find which ports are in a “listen,” “wait,” or “closed” state.