admin Posted on 1:59 pm

Introduction to Network Port Scanning and Advanced Techniques: How Snort Stealth TCP Port Scanning Works

SecurityWeek Network reported: “The simple truth is that the only way to be sure that we truly analyze all malware-related traffic on the network is to perform a full inspection of all traffic on all ports.” One of the primary tools attackers use to assess weaknesses in your network is port scanning. By running a port scan, an attacker discovers which “doors” on your network are open. With that information, they can start investigating which services sit behind those doors and what vulnerabilities or exploits might apply to them. It is vital that organizations restrict and control the traffic that is allowed on the network, and that they notice this reconnaissance when it happens. Port scanning is one of the important attack patterns that Snort NIDS detects.

An introduction to port scanning

According to Tony Bradley, a network security expert at About.com who wrote “Port Knocking: The Secret Knock Can Open Your System,” port scanning is akin to a burglar going around your neighborhood checking every door and window in every home to see which ones are open and which ones are closed. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite universally used to communicate on the Internet. Each of them has ports 0-65535 available, so there are 65,536 doors per protocol to watch, and a thorough scan has to check both protocols.

The first 1024 TCP ports (0-1023) are called well-known ports and are associated with standard services such as FTP, HTTP, SMTP, or DNS. Some ports above 1023 also have commonly associated services (the registered ports), but most of them are not tied to any particular service and are available for any program or application to use for communication. A port number is only a convention, though: nothing stops an administrator, or an attacker, from running a service on an unexpected port, so a scanner cannot assume an open high port is harmless or that a well-known port really carries the service it is named for.

TCP scanning is the most common type of scanning, and its basic form uses nothing more than the ordinary networking features of the operating system. The attacker sends a SYN packet to the target port. If the port is open, the target replies with a SYN/ACK and the attacker completes the 3-way handshake with an ACK (a connect scan). If the port is closed, the target answers the SYN with a RST. If nothing comes back at all, the probe was most likely dropped by a firewall and the port is reported as filtered. A SYN scan (also called a half-open scan) works the same way but tears the connection down with a RST after the SYN/ACK instead of completing the handshake, so the application behind the port never sees a connection and many hosts never log the attempt.

UDP scanning is different because UDP is a connectionless protocol: there is no handshake, so an open port that is simply waiting for application data may send nothing back at all, and the attacker gets no notification that the packet was received or dropped. A closed port, however, normally causes the system to respond with an ICMP port unreachable message. Most UDP port scanners rely on that negative signal: a port unreachable reply means closed, an application-layer reply means open, and the absence of any response can only be reported as open or filtered, because a firewall that silently drops the probe looks exactly like an open port that stays quiet. Since many systems also rate-limit the ICMP replies they send (Linux does by default), UDP scans are slow and noticeably less reliable than TCP scans.
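The TCP and UDP probes described above, written out as a small scanner that runs against loopback. This is an added example, not code from the original article or from Snort; it assumes a Unix-like host where 127.0.0.1 is reachable, and it starts its own listener so that the scan has a known-open port to find. It uses the operating system's normal connect() call (a connect scan), not raw packets, so no privileges are needed.

```python
import socket


def start_tcp_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral loopback port so the scan below has a
    known-open port to find. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_tcp_port(host="127.0.0.1"):
    """Pick a port nothing is listening on (bind, read the number, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_probe(host, port, timeout=0.5):
    """Full-handshake (connect) probe.

    The kernel sends SYN. A SYN/ACK means open, and connect() returns once our
    ACK completes the 3-way handshake. A RST means closed and surfaces as
    ConnectionRefusedError. No reply at all means something dropped the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def udp_probe(host, port, timeout=0.5):
    """UDP probe: there is no handshake, so the only hard signal is negative.

    Connecting the UDP socket makes the kernel report an ICMP port unreachable
    for this destination as ECONNREFUSED on the next recv(). Any datagram back
    means open; silence is ambiguous and is reported as open|filtered.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")  # real scanners send service-specific payloads here
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    finally:
        s.close()


def scan(host, tcp_ports, udp_ports):
    """Probe the given ports and return {('tcp'|'udp', port): state}."""
    results = {("tcp", p): tcp_connect_probe(host, p) for p in tcp_ports}
    results.update({("udp", p): udp_probe(host, p) for p in udp_ports})
    return results


if __name__ == "__main__":
    srv, open_port = start_tcp_listener()
    closed_port = free_tcp_port()
    try:
        for (proto, port), state in scan("127.0.0.1", [open_port, closed_port], [closed_port]).items():
            print(f"{proto}/{port}: {state}")
    finally:
        srv.close()
```

The TCP results are unambiguous because every probe gets an answer on loopback. The UDP probe of the closed port shows the weakness of UDP scanning: on a host that delivers the ICMP port unreachable it reports closed, but where the ICMP is dropped or rate-limited the very same port comes back as open|filtered.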

What is Stealth TCP port scanning?

If port scanning is done with malicious intent, the intruder will generally prefer to remain undetected. Network security applications, such as Network Intrusion Detection Systems (NIDS), can be configured to alert administrators if they detect connection requests on a wide range of ports from a single host. To get around this, the intruder can perform port scanning in strobe or stealth mode. Strobing limits the scan to a small set of ports, typically those of services the attacker already knows how to exploit, instead of scanning all 65,536. Stealth scanning uses techniques like slowing down the scan: by spreading the probes over a much longer period of time, the number of ports touched inside any one detection window stays below the threshold that would trigger an alert. The term also covers half-open SYN scans and probes with unusual flag combinations (FIN, NULL, Xmas) that never complete a connection and so leave no trace in application logs.

Network Intrusion Detection Systems (NIDS) monitor packets on the network and attempt to discover an intruder by comparing the traffic to a database of known attack patterns. A typical example is looking for a large number of TCP connection (SYN) requests from one source to many different ports on a target machine within a short time, which indicates that someone is scanning its TCP ports. A NIDS sees this traffic by promiscuously watching all packets on the segment, usually fed from a mirror port or a network tap.
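The detection heuristic just described, and the slow-scan evasion from the previous section, as one worked example. This is added code, not Snort's own sfportscan logic (which also weighs negative responses such as RSTs and ICMP unreachables); it is a deliberately simple rate-based detector run over constructed SYN records. The addresses, ports, timings, window and threshold are all made up for the demonstration.

```python
from collections import defaultdict, deque

# Detection policy (assumed values for the example): alert when one source
# sends bare SYNs to this many distinct ports on one target inside the window.
WINDOW_SECONDS = 60
PORT_THRESHOLD = 20


def detect_portscans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Sliding-window port scan detector.

    events: time-ordered (ts, src, dst, dport, flags) tuples, one per packet.
    Returns one (ts, src, dst, distinct_ports) alert per source/target pair,
    emitted the first time that pair crosses the threshold.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    alerted = set()
    alerts = []
    for ts, src, dst, dport, flags in events:
        if flags != "S":          # only connection attempts count, not replies
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # expire probes older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, len(distinct)))
    return alerts


def make_scan(src, dst, ports, start, interval):
    """Constructed SYN records for a scan of `ports`, one probe every `interval` seconds."""
    return [(start + i * interval, src, dst, p, "S") for i, p in enumerate(ports)]


def demo(window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Three constructed sources against one target: a fast scan, a slow
    stealth scan of the same ports, and a legitimate client that only ever
    talks to port 80."""
    ports = list(range(1, 51))                                         # 50 ports
    fast = make_scan("10.0.0.5", "10.0.0.10", ports, 0.0, 0.01)        # 50 SYNs in half a second
    slow = make_scan("10.0.0.6", "10.0.0.10", ports, 0.0, 300.0)       # one SYN every five minutes
    background = [(t, "10.0.0.7", "10.0.0.10", 80, "S") for t in range(0, 1000, 10)]
    events = sorted(fast + slow + background)
    return detect_portscans(events, window, threshold)


if __name__ == "__main__":
    print("default window:", demo())
    print("15000 s window:", demo(window=15000))
```

With the default 60-second window only the fast scanner (10.0.0.5) is reported; the slow scanner touches just one port per window and the port-80 client never exceeds one distinct port, so neither alerts. Re-running with a window of 15000 seconds catches 10.0.0.6 as well, at the cost of keeping far more state per source, which is exactly the memory-versus-sensitivity trade-off that a NIDS tunes through its scan sensitivity settings.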

Snort is an open source network intrusion detection system capable of real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content search/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealthy port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. In Snort 2.x, port scan detection is handled by the sfportscan preprocessor rather than by an ordinary signature, since a scan is a pattern across many packets rather than content inside one.
