Port scanning is a method of detecting vulnerable nodes in a network by accessing different ports on a host (a device connected to the network) or the same port on different hosts. It can be used by cybercriminals in the preparatory phase of an attack to harvest information about the target host, as well as by information security experts as a tool for locating vulnerable nodes in IT infrastructure.
Types of port scanning
There are several types of port scanning:
- Horizontal scanning or network scanning sends requests to the same port on different hosts. Attackers use horizontal scanning to prepare for a mass attack.
- Vertical scanning sends requests to different ports on the same host. Attackers typically use vertical scanning to look for vulnerabilities in a preselected target.
Port scanning methods
There are various methods of checking which ports are open and accessible externally. The most common are:
- SYN scanning. The attacker sends a SYN (synchronization) request to the target port over TCP. If the port is open, it returns a SYN-ACK (synchronization acknowledgment) packet. The scanner then terminates the session without establishing a connection. If the port is closed, it responds with an RST (reset) packet, indicating that it cannot be accessed. If the port is located behind a firewall, the request does not generate a response at all. This is the most common scanning method because it does not require an established connection and is not logged by most simple event-tracking tools. On the other hand, SYN scanning requires superuser privileges on the device that sends the requests and which might not belong to the attacker.
- TCP scanning. This is the simplest scanning method that does not require special rights. It uses the network functions of the operating system to establish a full TCP connection. However, this type of scan is easy to detect and block.
- UDP scanning. Determines the status of ports used by UDP services. Unlike TCP, UDP is a connectionless protocol. That means if the port is open and the sent data is delivered successfully, the scanner does not receive a response, whereas a closed port returns an ICMP error message. This method can give a false indication of the available network services: if the target port is protected by a firewall or the system blocks ICMP messages, the scanner does not receive a response and deems the port open.
- FIN scanning. Used to reveal open ports hidden behind a firewall, the method is similar to SYN scanning but involves sending FIN (finish) packets (requests to end the connection). Unlike SYN requests, many firewalls do not block such packets. Closed ports generally answer with an RST packet. Open ones do not respond. In some operating systems, however, all ports respond to FIN requests in the same way, so the method is not very precise.
- ACK scanning. Used to collect information about firewalls, their rules, and ports filtered by them. ACK packets are normally used in established connections, so simple traffic filtering rules let them through. If a packet fails to get through, that means the port is protected by a firewall with more advanced rules.
Port scanning determines:
- Port status (open, closed, firewall-protected);
- Services running on ports;
- Device type, OS family.
Cybercriminals use this information in preparing attacks. For example, they can exploit vulnerabilities in externally accessible network services, the device operating system, and elsewhere.
Information security experts use this information to better protect company resources. The scan identifies vulnerable services that should be placed behind a firewall and unused ports that can be closed.
How to protect against port scanning
Hardware and software firewalls can detect port scanning. When an attempt is made, a firewall can temporarily open all ports to confuse the attackers.
Information security experts can carry out their own scans to identify and close unused ports, and to protect the host or network from similar cybercriminal actions. That measure can also protect against unauthorized port scanning.