February 29, 2012

Techbits #7: Port Scanning

What is "Port Scanning", why is it done and how can I detect it?

Background

To start with something that actually happened: quite a while back, an incident was reported about an application going down in one of the deployments. It was eventually found that the problem occurred because arbitrary packets had been sent to one of the TCP ports on the server, and the application ran into issues while trying to process them. The problem was subsequently resolved with a patch provided by the third-party framework that we were using.

What is meant by Port Scanning?

Now, what is meant by "Port Scanning"? It is a scan activity performed to find out which ports are open on a particular host. This can be extended to scanning every reachable host residing on a network. It may also include sending arbitrary pieces of information (i.e. packets) to the ports that are found open, to see how the service behind them responds.

What is Port Scanning good for?

Coming to the second question of our topic, why it is done: port scanning is carried out by anyone interested in finding out the possible entry points to a host, i.e. the ways to "penetrate" or "intrude" into a network/system. At first sight, it could look like something done only by hackers. However, it is to be understood that this is the same mechanism used by security experts when gauging the overall security of the network and its hosts. That is what seems to have happened in the deployment referred to at the beginning: the scans experienced there were performed by a security team conducting a network/system hardening exercise.

How to detect Port Scanning?

Moving on to the last question of our topic, which is also referred to as "Intrusion Detection": there are several tools with which you can detect port scanning. Note also that at the network level it is the firewall which detects and prevents (Intrusion Prevention) such activities, filtering them at the network entry point itself (from the external world, or in between VLANs).

The easiest of all is "snoop" (a packet capture utility), which is available on most of the systems by default; the advantage is that you don't need to install anything more. The downside is that detection using snoop alone is not straightforward: you have to capture the traffic and then look for the scan pattern yourself (one source touching many different ports on a host within a short time), which is an involved effort. One helpful point to keep in mind when using snoop is that the time window during which it is run should be kept as short and as targeted as possible, since an unfiltered capture on a busy network grows quickly.

A few helpful tools specifically in the domain of port scanning are listed below:
  1. Nmap (port scanner) - http://nmap.org/
  2. Snort (intrusion detection system) - http://www.snort.org/
  3. Nessus (vulnerability scanner) - http://www.nessus.org/
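To show what "looking for the scan pattern" in a snoop capture amounts to, here is an added example (not part of the original post, and not snoop's own code) that parses snoop-style TCP summary lines and flags any source that sends SYNs to many distinct ports on one host within a short window. The line layout is an assumption modelled on the summary output of `snoop -ta` (absolute timestamp, `src -> dst`, then `TCP D=<dport> S=<sport>` and flags); the sample lines and the addresses in them are constructed for the example, and the thresholds (6 ports in 5 seconds) are illustrative.

```python
import re
from collections import defaultdict, deque

# Assumed snoop-style summary line with absolute timestamps (snoop -ta):
#   HH:MM:SS.frac  src -> dst  TCP D=<dport> S=<sport> <flags and fields...>
LINE_RE = re.compile(
    r"^\s*(\d{1,2}):(\d{2}):(\d{2}\.\d+)\s+(\S+)\s+->\s+(\S+)\s+"
    r"TCP\s+D=(\d+)\s+S=(\d+)\s*(.*)$"
)

# Constructed sample capture: 10.0.0.7 and 10.0.0.9 behave normally,
# 10.0.0.5 walks eight ports on 10.0.0.20 in under half a second.
SAMPLE = """\
10:05:01.10000 10.0.0.7 -> 10.0.0.20 TCP D=22 S=40001 Syn Seq=1 Len=0 Win=65535
10:05:01.10200 10.0.0.20 -> 10.0.0.7 TCP D=40001 S=22 Syn Ack=2 Seq=100 Len=0 Win=65535
10:05:02.00000 10.0.0.5 -> 10.0.0.20 TCP D=21 S=51000 Syn Seq=1 Len=0 Win=1024
10:05:02.05000 10.0.0.5 -> 10.0.0.20 TCP D=22 S=51001 Syn Seq=1 Len=0 Win=1024
10:05:02.10000 10.0.0.5 -> 10.0.0.20 TCP D=23 S=51002 Syn Seq=1 Len=0 Win=1024
10:05:02.15000 10.0.0.5 -> 10.0.0.20 TCP D=25 S=51003 Syn Seq=1 Len=0 Win=1024
10:05:02.20000 10.0.0.5 -> 10.0.0.20 TCP D=80 S=51004 Syn Seq=1 Len=0 Win=1024
10:05:02.25000 10.0.0.5 -> 10.0.0.20 TCP D=110 S=51005 Syn Seq=1 Len=0 Win=1024
10:05:02.30000 10.0.0.5 -> 10.0.0.20 TCP D=143 S=51006 Syn Seq=1 Len=0 Win=1024
10:05:02.35000 10.0.0.5 -> 10.0.0.20 TCP D=443 S=51007 Syn Seq=1 Len=0 Win=1024
10:05:03.00000 10.0.0.9 -> 10.0.0.20 TCP D=80 S=42000 Syn Seq=1 Len=0 Win=65535
10:05:03.50000 10.0.0.9 -> 10.0.0.20 TCP D=443 S=42001 Syn Seq=1 Len=0 Win=65535
10:05:09.00000 10.0.0.7 -> 10.0.0.20 TCP D=22 S=40002 Syn Seq=1 Len=0 Win=65535
this line is not a TCP summary and is skipped
"""
SAMPLE_LINES = SAMPLE.splitlines()


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, dport, flags) or None if not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dst, dport, _sport, rest = m.groups()
    t = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return t, src, dst, int(dport), rest.strip()


def find_scanners(lines, window=5.0, min_ports=6):
    """Flag (src, dst) pairs where src sent SYNs to >= min_ports distinct
    destination ports on dst within any `window`-second span.
    Returns {(src, dst): sorted list of all distinct ports that src probed on dst}."""
    events = defaultdict(list)  # (src, dst) -> [(t, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, dst, dport, flags = parsed
        # Count only pure SYNs (connection attempts); SYN/ACK replies and
        # established-connection traffic carry an Ack field and are ignored.
        if "Syn" not in flags or "Ack" in flags:
            continue
        events[(src, dst)].append((t, dport))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (t, dport) within `window` seconds
        for t, dport in evs:
            recent.append((t, dport))
            while recent and t - recent[0][0] > window:
                recent.popleft()
            if len({p for _, p in recent}) >= min_ports:
                alerts[pair] = sorted({p for _, p in evs})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LINES).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

On the sample above only `10.0.0.5` is reported; the repeated SSH logins from `10.0.0.7` and the two web ports from `10.0.0.9` stay under the threshold, and the SYN/ACK reply from the server is not counted as a probe. Tune `window` and `min_ports` to the traffic you actually see: a slow scan spread over minutes needs a longer window, and a busy load balancer legitimately touches many ports on one host.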
Note

A cautionary piece of advice: port scanning is not usually allowed in an organization unless there is a justified need. As such, proper care, restraint and appropriate notifications/approvals must be exercised before you start using these tools in the networks at your work.
