How to prevent port scan attacks

A port scan is a popular hacking tool that allows attackers to gather information about how your network operates. Learn how to detect and prevent a port scan in this platform security Ask the Expert Q&A.


When a router reports multiple periodic occurrences of probing by brute force, what is happening is that the router is recording port requests from a port scanner. Port scanning is one of the most popular information-gathering methods used by hackers. Unfortunately, port scans are easy to perform, and it is critical to note that all internet-connected devices will be probed at some point in time.

A port is a communication endpoint through which information flows. Port numbers range from 0 to 65535. Common ports include port 80 for HTTP, port 443 for HTTPS and port 465 for mail servers using the Simple Mail Transfer Protocol (SMTP).

Port scanners are applications that identify which ports and services are open or closed on an internet-connected device. The scanner sends a connection request to the target computer on all 65,536 ports and records which ports respond and how. The type of response received from the ports indicates whether they are in use or not.

Port scanning is not an attack in and of itself but rather part of the reconnaissance phase of an attack during which an attacker tries to find out as much as possible about his intended target. The general objective of a port scan is to map out the system’s OS and the applications and services it is running in order to understand how it is protected and what vulnerabilities may be present and exploitable. Also, note that port scanning can be done by both attackers and defenders, as explained later.

Defending against port scans

So, how can an enterprise protect itself against and prevent port scan attacks on its network?

Corporate firewalls can reply to a port scan in three ways: open, closed or no response. If a port is open, or listening, it will respond to the request. A closed port will respond with a message indicating that it received the open request but denied it. This way, when a genuine system sends an open request, it knows the request was received, but there’s no need to keep retrying. However, this response also reveals there is a computer behind the IP address scanned, and therefore, the third option is to not respond to the request at all. In this case, if a port is blocked or in stealth mode, the firewall will not respond to the port scanner. Interestingly, however, blocked ports actually violate the TCP/IP rules of conduct, and therefore, a firewall has to suppress the computer’s closed port replies. Security teams may even find that the corporate firewall has not blocked all the network ports anyway. For example, if port 113, used by the Identification Protocol, is completely blocked, connections to some remote internet servers, such as Internet Relay Chat, may be delayed or denied altogether. For this reason, many firewalls set port 113 to closed instead of blocking it completely.

Figure: TCP port scanning techniques (scanning for open TCP ports)

In addition, some firewalls now use adaptive behavior, which means they will block previously open and closed ports automatically if a suspect IP address is probing them. Firewalls can also be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, hackers can get around this protection by conducting a port scan in strobe or stealth mode. In strobe mode, hackers only scan a small number of ports at a time, usually fewer than 20. In stealth mode, there are several scan types and techniques hackers use to prevent being detected by a logging system. For example, using a low-and-slow approach, which involves running port scans over a much longer period, reduces the chances that the firewall will trigger an alert, or they might use a number of techniques to prevent requests for connection from being logged.
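As an added example (not from the original article), the alert rule described above, flagging a single host that probes many distinct ports, run over constructed firewall log lines. The same sample shows why a strobe scan stays under a per-window threshold and why a low-and-slow scan is only seen when the detection window is widened. The log format, the TEST-NET addresses, the window lengths and the 20-port threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed iptables/nftables-style kernel log line; only the timestamp, SRC and DPT fields are used.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \w+ .*?"
                    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")
FAST_WINDOW = timedelta(seconds=60)   # the window a typical firewall alert rule looks at
SLOW_WINDOW = timedelta(hours=24)     # widened window needed to notice low-and-slow scans

def parse_line(line, year=2024):
    """Return (timestamp, source_ip, dest_port), or None for lines we do not understand."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_scanners(lines, window=FAST_WINDOW, min_ports=20):
    """Map source IP -> most distinct TCP ports it hit inside one `window`, for sources reaching min_ports."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            distinct = len({p for _, p in evs[start:end + 1]})
            if distinct >= min_ports:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits

def make_line(ts, src, dpt):
    return (f"{ts:%b %d %H:%M:%S} fw kernel: DROP IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.10 PROTO=TCP SPT=40000 DPT={dpt}")

BASE = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE_LOG = (  # constructed traffic from three TEST-NET sources
    [make_line(BASE + timedelta(seconds=i), "203.0.113.5", 1 + i) for i in range(30)]        # 30 ports in 30 s
    + [make_line(BASE + timedelta(seconds=i), "203.0.113.6", 1 + i) for i in range(15)]      # strobe: under 20
    + [make_line(BASE + timedelta(minutes=10 * i), "203.0.113.7", 1 + i) for i in range(30)]  # low-and-slow
)
```

With the 60 s window only the fast sweep is reported; the low-and-slow source appears once the 24 h window is used, and the strobe source only if the port threshold is lowered.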

How to block port scans in the network

It is important to note that it is impossible to stop the act of port scanning, as anyone can select any IP address and scan it for open ports. Therefore, to properly protect an enterprise network, security teams should find out what an attacker would discover if he ran a port scan against the network by running their own scan. This is where port scanning is done by the defender, as noted above. Corporate port scans can be completed using Nmap, a free port scanner that hackers often use, or any number of other port scanning tools. Once security admins find out which ports respond as open, they can review whether it’s necessary for those ports to be accessible from outside the corporate network. If the company doesn’t need them to be accessible from outside the network, security admins should shut them down or block them. If they are necessary, admins should research what vulnerabilities and exploits the network is exposed to and apply the appropriate patches to protect the network.
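As an added example (not from the original article), the review step above: take the greppable output of the defender's own Nmap run (the `-oG` format) and list every open TCP port that is not on the list of ports the company has approved for exposure. The two hosts, their services and the allow-list are constructed for this example.

```python
import re

# Constructed sample of `nmap -oG` (greppable) output for two hosts; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap scan of the perimeter (constructed sample)
Host: 198.51.100.10 (www.example.test)\tStatus: Up
Host: 198.51.100.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 113/closed/tcp//ident///\tIgnored State: filtered (65531)
Host: 198.51.100.11 (db.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 8.0/, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65533)
"""

# Assumed allow-list: the TCP ports each host is approved to expose to the internet.
APPROVED = {"198.51.100.10": {80, 443}, "198.51.100.11": set()}

# One "Ports:" record per host; each port entry is port/state/proto/owner/service/rpc/version/
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \(.*?\)\tPorts: (?P<ports>[^\t]*)")

def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} from greppable output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        entries = hosts.setdefault(m["ip"], {})
        for item in m["ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entries[(int(port), proto)] = (state, service, version)
    return hosts

def unexpected_open_ports(text, approved):
    """Open TCP ports not on the allow-list, per host: candidates to close, or to justify and patch."""
    findings = {}
    for ip, ports in parse_gnmap(text).items():
        allowed = approved.get(ip, set())
        extra = sorted(port for (port, proto), (state, _, _) in ports.items()
                       if proto == "tcp" and state == "open" and port not in allowed)
        if extra:
            findings[ip] = extra
    return findings

if __name__ == "__main__":
    for ip, ports in unexpected_open_ports(SAMPLE_GNMAP, APPROVED).items():
        print(f"{ip}: review open ports {ports}")
```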

Firewalls and intrusion detection systems should always be configured to spot and block unusual connection attempts and requests. For example, after a port scan has been completed, an attacker may well launch a few probing attacks to validate earlier research or to gain additional information needed to finesse his main attack. Feeding abnormal activity into a SIEM system can provide real-time feedback and improve automated responses to such events.

Do be aware that security assessments and penetration tests against many cloud hosting services, such as AWS, need approval prior to scanning.
