A port scan attack is one of the oldest techniques used by hackers and cyber criminals. It is still widely used to test access to networks and, from there, to the servers and computers on them.
Port scanning is not as popular today as it was in the nineties, but automated tools now scan a large number of ports at the same time and in a far more sophisticated manner than before.
Automated port scan attacks will remain a threat, especially as we are witnessing more and more devices being connected to the internet. It is fair to expect that every IoT device will be subjected to a port scan at least once in its lifetime.
What is Port Scanning?
Port scanning is harmless in itself; it becomes an attack when the information it yields is used to break in, leading to a breach and data theft. The process is relatively simple.
Connection requests are sent to the ports of a target server or computer. Each request tests whether the port answers at all and, if it does, how.
From those answers the attacker works out which services are reachable and how the data and applications hosted on the system might be accessed.
A vulnerable service behind an open port is then the way in.
Port scanning is reconnaissance. It is usually one of the first steps an attacker takes when preparing to infiltrate a chosen network. Any network with several systems will expose ports.
The systems are hosts; the ports are the points through which services on those hosts talk to the network. An attacker sends packets to one or more ports and studies the responses.
Before that, however, the attacker needs host discovery: finding out which addresses on the network have a live host behind them. Only then does the port scan establish, for each live host, whether a port is open (answering), closed (answering, but with nothing listening) or filtered (not answering at all, so the scanner cannot tell whether it is open or closed).
Hackers and cyber criminals commonly use address resolution protocol (ARP) scans or internet control message protocol (ICMP) scans for host discovery.
Both are popular methods. An ARP scan asks every address on the local segment who owns it, and maps each internet protocol address that answers to the hardware (MAC) address of the host using it.
Such a scan reaches every host on the same local area network, but it is only possible when the attacker is connected to that internal network, because ARP is not routed beyond it.
An ICMP scan is used when the attacker is not connected to the same local area network.
The attacker can use different ICMP query types, such as echo request, timestamp request and address mask request, to detect a host; a host that answers any of them is known to be live.
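As an added example, not code from the original article, here is what the two host discovery probes just described look like on the wire, built and decoded in Python: an ARP request/reply pair, and an ICMP echo request together with the reply a live host sends back (timestamp and address mask requests use the same header with a different type and body). Sending these frames requires raw sockets and root privileges, so the example only constructs and parses them; the MAC and IP addresses are made-up values from the documentation ranges.

```python
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST = 13, 17


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_ip,
              target_mac="00:00:00:00:00:00"):
    """Ethernet frame carrying an ARP request (broadcast, target MAC unknown)
    or an ARP reply (unicast back to the host that asked)."""
    dst = ETH_BROADCAST if oper == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet, IPv4, 6, 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; a reply's sender fields identify a live host."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a correctly checksummed packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, ident, seq, body=b""):
    """ICMP query: echo (type 8), timestamp request (type 13, 12-byte body)
    or address mask request (type 17, 4-byte body)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body


def parse_icmp(pkt):
    """Decode an ICMP packet, rejecting it if the checksum does not verify."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "body": pkt[8:]}


def echo_reply_for(request):
    """What a live host answers to an echo request: same id, seq and body, type 0."""
    req = parse_icmp(request)
    if req is None or req["type"] != ICMP_ECHO_REQUEST:
        return None
    return build_icmp(ICMP_ECHO_REPLY, req["id"], req["seq"], req["body"])


if __name__ == "__main__":
    # Made-up addresses from the documentation ranges.
    probe = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.2")
    answer = build_arp(ARP_REPLY, "02:00:00:00:00:02", "192.0.2.2", "192.0.2.1",
                       target_mac="02:00:00:00:00:01")
    found = parse_arp(answer)
    print("ARP reply: host", found["sender_ip"], "is at", found["sender_mac"])
    ping = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")
    print("ICMP echo reply:", parse_icmp(echo_reply_for(ping)))
```

The ARP request is 42 bytes and goes to the broadcast MAC, which is why it never leaves the local segment; the ICMP packets are carried in IP and can be routed, which is why the remote attacker uses them instead.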
Responses to a Port Scan Attack
There are three possible outcomes of a port scan probe: open, closed, and filtered (also called blocked).
- Open: the port is active, a service is listening and it answers the probe.
- Closed: nothing is listening, but the host still answers, refusing the connection.
- Filtered (blocked): no answer reaches the scanner, so it cannot tell whether the port is open or closed.
The attacker cannot tell whether the probe was dropped by a firewall or whether the host is applying adaptive behavior, answering differently depending on the internet protocol address that is scanning it.
Adaptive behavior of this kind shields ports from suspicious addresses and activities such as scanning.
In short: an open port accepts the request (for TCP, it answers the SYN with a SYN/ACK), a closed port refuses it but still sends a response (for TCP a RST, for UDP an ICMP port unreachable), and a filtered port, or one protected by adaptive behavior, sends no response at all.
An open port is the most exposed, because the service behind it is reachable and any flaw in that service can be attacked. A closed port is less exposed, but it still confirms that the host is alive and can reveal details about it. A filtered port is relatively safe, mostly because of the firewall, and also because of adaptive behavior where such a system is in place.
There are many port scanning methods, and the security infrastructure of the host network and its systems determines how much resistance they meet.
How does a Port Scan Attack Happen?
An attacker sends a request to probe a system. The response may be open or closed, or there may be no response at all if the request is blocked.
An open response tells the attacker that the port is active and listening. Most devices have some ports open and some closed, depending on how they are set up.
Even with a firewall in place, not every port is necessarily blocked; some may simply be left closed, and a closed port still answers a probe.
The device and the port therefore remain detectable, because there is a response.
Strobe and stealth modes attack:
Attackers often use strobe and stealth modes during a port scan. A strobe scan probes only a small, targeted set of ports (for example the ones well-known services use) rather than all 65,535.
A stealth scan probes a similar set of ports but spreads the probes over a much longer period, and often uses half-open (SYN) probes that never complete the TCP handshake, so that fewer connections are logged. Whether or not the ports of the systems and devices on your network are safe depends largely on the firewall.
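The three responses described above, the probe loop in "How does a Port Scan Attack Happen?", and the strobe and slow modes can all be shown with one small TCP connect scanner. This is an added example, not code from the article or from any scanner product. It assumes a Linux or Unix host, maps the outcome of connect() onto the three states the way a connect scan in a tool such as Nmap reports them (RST means closed; a timeout or ICMP unreachable means filtered), and demonstrates itself against a loopback listener it starts for the purpose, so nothing is scanned outside the machine it runs on.

```python
import errno
import socket
import time

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

# Assumption: errno values seen by a full-connect probe on Linux/Unix.
_REFUSED = {errno.ECONNREFUSED}
_UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EACCES, errno.EPERM}


def classify_error(err):
    """Map the errno of a failed connect() onto a scanner state."""
    if err in _REFUSED:
        return CLOSED        # a RST came back: host is up, nothing listening
    if err in _UNREACHABLE:
        return FILTERED      # ICMP unreachable / admin-prohibited, or local policy
    raise OSError(err, f"unexpected connect() error: {errno.errorcode.get(err, err)}")


def probe_tcp(host, port, timeout=1.0):
    """Full TCP connect probe of one port; returns open, closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN      # SYN answered with SYN/ACK, handshake completed
        except socket.timeout:
            return FILTERED  # neither SYN/ACK nor RST: the probe was dropped
        except OSError as e:
            return classify_error(e.errno)


def scan(host, ports, timeout=1.0, delay=0.0):
    """Strobe scan: probe only the listed ports. A non-zero delay spreads the
    probes over time, the slow mode that keeps a scan under rate thresholds."""
    results = {}
    for i, port in enumerate(ports):
        if i and delay:
            time.sleep(delay)
        results[port] = probe_tcp(host, port, timeout)
    return results


def open_listener():
    """Start a loopback listener on an ephemeral port (an 'open' port for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port with nothing listening on it (a 'closed' port for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, listening = open_listener()
    try:
        targets = [listening, unused_port()]
        for port, state in scan("127.0.0.1", targets, delay=0.5).items():
            print(f"127.0.0.1:{port} -> {state}")
    finally:
        srv.close()
```

A filtered result cannot be produced on loopback, because nothing drops packets there; against a host behind a firewall that silently drops the probe, connect() simply times out and the function reports filtered. Because this scanner completes the handshake, every open port it touches shows up in the target's connection logs; that is exactly what a half-open SYN scan avoids, and why the latter needs raw sockets.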
Companies should use a state of the art firewall. Individual users should have firewall protection too, either from the internet service provider or installed on the system.
How to Prevent a Port Scan Attack?
Preparation is the key. Having a firewall is imperative, but one must also know the kinds of spoofing and deceptive techniques attackers employ. Users can run port scanners against their own systems to find out which ports are exposed and whether they are vulnerable.
These are the same scanners amateur hackers use. Some firewalls can redirect probes of open or unused ports to empty hosts or honeypots, which complicates the attacker's job.
What would otherwise take a few minutes then takes several hours. Cyber security experts also use deception tactics and lay bait traps to thwart port scans.
Expert hackers and cyber criminals are capable of finding flaws in firewalls and of evading network intrusion detection systems.
Many security features come preconfigured with defaults; these should be reviewed against a threat analysis and against the specific scanning methods being used against the network.
Attackers can avoid detection by changing the frequency of their scans, by spoofing their source address, and even by misleading or misdirecting security software.
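To show how scan frequency affects detection, here is an added example (not from the article, and not any product's detection logic) of the simplest network intrusion detection rule for port scans: flag any source that touches too many distinct destination ports inside a sliding time window. The log lines are constructed for the demonstration in a simplified, iptables-like format (an ISO timestamp followed by SRC= and DPT= fields), the addresses come from the documentation ranges, and the two window sizes and the threshold of 10 ports are arbitrary choices. A fast scanner trips the short window; a scanner that probes one port every five minutes slips under it and only shows up when the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format: ISO timestamp, then iptables-style fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")

SHORT_WINDOW = timedelta(seconds=60)   # arbitrary: catches fast scans
LONG_WINDOW = timedelta(hours=2)       # arbitrary: catches the slow scan too
THRESHOLD = 10                         # distinct ports per window, arbitrary


def parse_line(line):
    """Return (timestamp, source address, destination port), or None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def detect_scans(lines, window, threshold=THRESHOLD):
    """Flag every source that touches at least `threshold` distinct ports
    inside any sliding `window`. Returns {source: time of first alert}."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)        # src -> (timestamp, dport) within window
    alerts = {}
    for ts, src, dport in events:
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:   # discard probes older than the window
            q.popleft()
        if src not in alerts and len({p for _, p in q}) >= threshold:
            alerts[src] = ts
    return alerts


def build_sample_log():
    """Constructed traffic: a fast scanner, a slow scanner and a normal client."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    fmt = "{ts} SRC={src} DST=192.0.2.10 PROTO=TCP DPT={dport} SYN"
    lines = []
    for i in range(20):
        # 203.0.113.5 probes 20 ports in 20 seconds (fast strobe scan)
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                src="203.0.113.5", dport=1 + i))
        # 198.51.100.7 probes the same 20 ports, one every five minutes (slow)
        lines.append(fmt.format(ts=(base + timedelta(minutes=5 * i)).isoformat(),
                                src="198.51.100.7", dport=1 + i))
        # 192.0.2.50 is an ordinary client hitting HTTPS again and again
        lines.append(fmt.format(ts=(base + timedelta(seconds=3 * i)).isoformat(),
                                src="192.0.2.50", dport=443))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log, SHORT_WINDOW))
    print("2 h window :", detect_scans(log, LONG_WINDOW))
```

The normal client never alerts because it only ever touches one port, however often. Widening the window is not free: the per-source state grows with it, and the attacker can always slow down further or spread the probes over many source addresses, which is why the rule is a baseline and not a complete defence.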
Only a state of the art security apparatus that keeps evolving can stop a port scan from turning into a break-in.