All About Port Scanners And How You Can Protect Systems
Port Scanning is among the most popular techniques used to discover services that can be exploited to gain access into computer systems. A port scanner is an application or software that can probe a host or server for open ports. If a computer system is connected to a LAN or the Internet through a modem, certain services run that “listen” to ports.
Listening is basically waiting inside a loop for requests from clients. A port scanner therefore sends message (packets) to each port to find out information about systems. This information may include the services that are running, the users that own these services and if the networks require authentication.
There are numerous port scanning programs including Nmap, Superscan, Nessus, Netscan Tools and Angry IP Scanner. These can be used for implementing network security measures or by cyber attackers to break into systems.
How a port scanner is used:
In order to properly defend against malicious port scans, it is important to know how port scanners work. Different port scanners use different techniques to probe for open ports. The most employed is the Transmission Control Protocol (TCP) scan.
TCP ports offer robust communication and establish connections using a system called a “three-way handshake”. The port scanner will use the operating system’s network functions to complete the three-way handshake then close the connection. This type of scan does not require special privileges but is easily detectable.
Other more effective forms of TCP scans have been developed including SYN, FIN, NULL, Reverse Indent and XMAS scans. Each of these scans is used to gather different types of information from open ports. TCP has the ability to return varied types of responses to a port scanner. Attackers can manipulate these features to coax servers to respond or avoid intrusion detection systems (IDS).
The other more difficult scan to execute is the UDP scan. This is because clients can send packets to UDP services without establishing connections. Open UDP ports do not send response packets while closed ones send ICMP response packets.
As such, scanning these ports is inference-based. However, this technique is often slow, probes a limited number of ports and some closed ports do not send response packets leading to false negatives.
Defending against port scans:
All publicly accessible servers are vulnerable to port scans and they are not exactly illegal. However, attackers can use this information to exploit vulnerability. So how do you limit the information given out by your systems?
One way is closing unnecessary services on targeted systems. For instance, if you are running a web server, http should be the only offered service. You can also utilize TCP wrappers.
TCP wrappers give administrators the flexibility to deny or permit access to services based on domain names or IP addresses. They reject incoming connections that originate from hosts or domains that are not approved. It is good practice to avoid accepting the default installation of operating systems. They often have many open ports to facilitate flexibility but leave your systems vulnerable.
Before placing any system online, ensure that you perform a port scan against the system and close the unnecessary open ports. It all boils down to the vigilance of the system administrator.