
Port scans don't always precede hacks

Latest research turns accepted wisdom on its head.

Port scans may not be the precursor to hacking attempts that conventional wisdom takes them for, according to research from the University of Maryland's engineering school.

An analysis of quantitative attack data gathered by the university over a two-month period showed that port scans precede attacks only about five percent of the time, said Michel Cukier, a professor in the Centre for Risk and Reliability. In fact, more than half of all attacks aren't preceded by a scan of any kind, Cukier said.

"There's been a lot of discussion in the security community about whether a port scan portends an attack or not," he said. "The goal of the research is to find a link between port scans and an attack."

Port scans are generally believed to be used by attackers to discover which ports are open and which network services are listening on them, so that those services can be targeted for exploitation. Large increases in scans against a particular port have long been viewed as a signal of impending attacks against that port.

But the evidence gathered from 48 days' worth of data collected from two "honeypot" computers used in the study suggests otherwise, Cukier said.

Only 28 out of 760 IP addresses that were tied to attacks against the university's computers had launched a port scan, Cukier said. In contrast, 381 of the IP addresses launched attacks without any previous port-scanning activity.

The study did find that 21 percent of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerabilities on network-attached computers, Cukier said.

The numbers suggest that only when port scans are combined with vulnerability-scanning activity is there a reasonably good chance of a follow-up attack, he said.

During the study, more than 22,000 connections to the two honeypot computers were analysed. Scripts were developed to categorise the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks.

For the analysis, port scans were defined as connections involving fewer than five data packets and vulnerability scans as those connections with five to 12 packets. Connections with more than 12 packets were classified as attacks.

Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic.

Rather than counting the number of packets in a connection, it's far more important to look at the content when classifying a connection as a port scan or an attack, Ullrich said.

Often, attacks such as the SQL Slammer worm, which hit in 2003, can be as small as one data packet, he said. A lot of the automated attacks that take place combine port and vulnerability scans and exploit code, according to Ullrich.

As a result, much of what researchers counted as port scans may have actually been attacks, said Ullrich, whose Bethesda, Md.-based organization provides Internet threat-monitoring services.
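The packet-count classification the study used, and Ullrich's objection to it, as an added example in Python. This is not code from the article, from the University of Maryland study or from the Internet Storm Center. It assumes a honeypot sensor that summarises each connection as a record with a timestamp, source IP, protocol, destination port, packet count and the application-layer bytes seen; all of the records below are constructed, as are the `Conn`, `classify_by_count`, `classify_by_content` and `precedence_stats` names. The one outside fact it relies on is that Slammer arrived as a single UDP datagram to port 1434: by packet count alone that connection counts as a port scan, by content it counts as an attack, and the "how many attacks were preceded by a scan" tally changes accordingly.

```python
# Added example, not code from the original article or from the University of
# Maryland study: a toy reimplementation of the study's packet-count
# classification (port scan < 5 packets, vulnerability scan 5-12, attack > 12),
# a per-source-IP tally of which scan kinds preceded each source's first attack,
# and a content-aware variant that illustrates Ullrich's objection. Every
# connection record below is constructed sample data; the only outside fact
# used is that Slammer arrived as a single UDP datagram to port 1434.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One connection as a honeypot sensor might summarise it (constructed)."""
    t: int            # seconds since start of capture
    src: str          # source IP
    proto: str        # "tcp", "udp" or "icmp"
    dst_port: int     # 0 for ICMP
    packets: int      # packets seen in the connection
    payload: bytes    # application-layer bytes, b"" if none


def classify_by_count(c: Conn) -> str:
    """The study's rule: classify purely on packet count (ICMP kept apart)."""
    if c.proto == "icmp":
        return "icmp_scan"
    if c.packets < 5:
        return "port_scan"
    if c.packets <= 12:
        return "vuln_scan"
    return "attack"


SLAMMER_PORT = 1434  # UDP port Slammer hit; the size threshold below is a constructed heuristic


def classify_by_content(c: Conn) -> str:
    """Ullrich's point: look at what the connection carries, not how many
    packets it has. A probe with no payload is a port scan; a short connection
    that does carry data is at least a vulnerability probe; a single large UDP
    datagram to the Slammer port is treated as an attack."""
    kind = classify_by_count(c)
    if kind != "port_scan" or not c.payload:
        return kind
    if c.proto == "udp" and c.dst_port == SLAMMER_PORT and len(c.payload) > 300:
        return "attack"
    return "vuln_scan"


def precedence_stats(conns, classify) -> dict:
    """Per source IP that attacked at least once, record which scan kinds were
    seen from that IP before its first attack (the question the study asked)."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.t):
        by_src[c.src].append(classify(c))
    stats = {"attack_ips": 0, "port_scan_first": 0, "vuln_scan_first": 0, "no_scan": 0}
    for kinds in by_src.values():
        if "attack" not in kinds:
            continue
        stats["attack_ips"] += 1
        before = set(kinds[: kinds.index("attack")])
        stats["port_scan_first"] += int("port_scan" in before)
        stats["vuln_scan_first"] += int("vuln_scan" in before)
        stats["no_scan"] += int(not (before & {"port_scan", "vuln_scan", "icmp_scan"}))
    return stats


# Constructed sample: five source IPs, each exercising one path of the analysis.
SLAMMER_LIKE = Conn(7, "10.0.0.4", "udp", SLAMMER_PORT, 1, b"\x04" + b"\x01" * 375)
SAMPLE = [
    Conn(0, "10.0.0.1", "tcp", 22, 1, b""),     # SYN probe, no payload
    Conn(1, "10.0.0.1", "tcp", 80, 1, b""),
    Conn(2, "10.0.0.1", "tcp", 443, 1, b""),
    Conn(10, "10.0.0.1", "tcp", 22, 40, b"SSH-2.0-client"),          # long session after a port scan
    Conn(5, "10.0.0.2", "tcp", 80, 8, b"GET /cgi-bin/ HTTP/1.0\r\n"),  # vuln scan by packet count
    Conn(6, "10.0.0.2", "tcp", 80, 20, b"POST /cgi-bin/x HTTP/1.0\r\n"),  # attack after vuln scan
    Conn(3, "10.0.0.3", "tcp", 445, 30, b"\xffSMB"),                  # attack, nothing before it
    SLAMMER_LIKE,                                                     # one datagram, 376 bytes
    Conn(1, "10.0.0.5", "icmp", 0, 1, b""),                           # ping sweep, no follow-up
]

if __name__ == "__main__":
    for name, fn in (("packet count", classify_by_count), ("content", classify_by_content)):
        print(f"{name:12s}", precedence_stats(SAMPLE, fn))
```

The two tallies differ only in where the 1434 datagram lands: under the packet-count rule it is a port scan from an IP that never attacked, under the content rule it is an attack with no scan of any kind before it. That is the direction in which Ullrich says the study's figures are skewed, since counting single-packet exploits as scans both inflates the port-scan column and understates attacks that arrive with no reconnaissance at all.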

Techworld UK - Technology - Business