On the Offensive: Guarding Against Port Scan Attacks | Wyebot

On the Offensive: Guarding Against Port Scan Attacks

February 4, 2019

“Automated attacks that rely on IP and port scanning are the new normal,” according to Bitdefender.  It makes sense.  The world is inundated with new technology and gadgets.  From the latest mobile devices, to the greatest IoT devices, innovation is everywhere.  The downside is a proliferation of vulnerable targets and IT departments pulled in multiple directions.  For someone looking to cause networks harm, port scans are a great way to start.  They allow hackers to gather information about how a network operates – and how to best sneak in.

Port Scanning Basics

Port scanning software sends packets to ports, requesting to connect to the host device.  The port’s reply reveals details about its services and makes it possible to identify potential vulnerabilities.  TCP and UDP, both part of the TCP/IP protocol suite used to communicate on the Internet, each have ports 0 through 65535 available.  The first 1024 TCP ports are associated with standard services such as FTP, HTTP, SMTP, and DNS.  A few other ports have commonly associated services, but the majority of ports are available for any program or application to use for communication.  A probed port can react in one of three ways.  It can respond as open or as closed; or, if the request is filtered out by a firewall and dropped, there will be no reply.  Ideally, hackers want to know which ports are open, but that isn’t the only useful information they can gather.  Finding a closed port tells hackers that a device exists and is therefore a potential target.

A hacker wants to probe as many ports as possible.  Knowing this, it’s possible to configure security systems to monitor certain thresholds and patterns.  For example, a system can monitor the number of ports a single user connects to over a certain period of time, and raise an alert if the threshold is exceeded.  However, it is possible for hackers to avoid this and other types of security.  Hackers can alter their scan rate, access ports out of order, or spoof their source address.  They can set scans to operate in strobe mode, which limits the ports targeted, or in stealth mode, which slows the scan and makes it harder to detect.
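The threshold check described above, as an added example (not Wyebot's code): it counts distinct destination ports per source address inside a sliding time window, run over constructed connection records. The function names, thresholds and addresses are assumptions; the second run shows how the window length decides whether a slowed scan is noticed.

```python
from collections import defaultdict, deque


def detect_port_scans(events, window_s=60, max_ports=10):
    """events: (timestamp_s, src_ip, dst_port) tuples sorted by time.
    Returns {src_ip: timestamp of the first alert} for every source that
    touched more than max_ports distinct ports within window_s seconds."""
    recent = defaultdict(deque)                      # src -> (ts, port) in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> port -> hits in window
    alerts = {}
    for ts, src, port in events:
        q, c = recent[src], counts[src]
        q.append((ts, port))
        c[port] += 1
        # Drop records that have aged out of the window.
        while q[0][0] <= ts - window_s:
            _, old_port = q.popleft()
            c[old_port] -= 1
            if c[old_port] == 0:
                del c[old_port]
        # Distinct ports, not connection count: port order and repeats are irrelevant.
        if len(c) > max_ports and src not in alerts:
            alerts[src] = ts
    return alerts


def sample_events():
    """Constructed sample data (documentation address ranges), not real traffic."""
    ev = []
    for i in range(25):
        # Fast source: one new port per second, ports visited out of order.
        ev.append((i, "198.51.100.7", 1 + (i * 409) % 1024))
        # Slow source: one new port every 30 seconds.
        ev.append((i * 30, "203.0.113.9", 20 + i))
    for i in range(200):
        # Ordinary client: many connections, but only two ports.
        ev.append((i * 3, "192.0.2.10", 443 if i % 2 else 53))
    return sorted(ev)


if __name__ == "__main__":
    for window in (60, 3600):
        hits = detect_port_scans(sample_events(), window_s=window)
        print(f"window={window}s alerts={hits}")
```

With the 60-second window only the fast source is flagged; the one-hour window also flags the slow source, while the busy two-port client is never flagged in either run.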

Port Scanning Security

The best defense is a good offense.  The first step in defending ports is determining how many ports are at risk.  Scan networks regularly and analyze the results.  Once proactive scanning is in place, it’s necessary to address any issues.  Determine if every open port truly needs to be open.  If the answer is no, close ports, or block them using a firewall.  This process should become routine.  Networks are complex and dynamic and change regularly, especially with the introduction of BYOD and the Internet of Things.  Performing actions like a port scan must be a regular part of security maintenance.

The Wireless Intelligence Platform™ (WIP) performs port scans as part of its security audit.  Automated tests scheduled to run as frequently as every fifteen minutes continuously scan ports and then report back with the results.  This proactive measure can be run from anywhere at any time.  WIP’s automatic alerts contain all the data necessary to address potential vulnerabilities.  WIP enables IT professionals to spend time on higher-priority items, secure in the knowledge that network security is robust and effective.