
How Snort's Stealth TCP Port Scanning Works

SecurityWeek Network reported "The simple truth is that the only way to be sure that we actually analyze all network malware-related traffic is to perform a full inspection of all traffic on all ports." One of the primary tools used by malicious attackers to assess your network weaknesses is the port scan.

By running a port scan an attacker can find out which "doors" into your network are open. Once they know that, they can research which vulnerabilities or exploits apply to the services listening behind those open ports. It is vital that organizations restrict and control the traffic that is allowed into the network. One of the important attacks that the Snort NIDS detects is port scanning.

An Introduction to Port Scanning

According to Tony Bradley, a network security expert at About.com who wrote "Port Knocking: The Secret Knock Can Open Your System," port scanning is similar to a thief going through your neighborhood and checking every door and window on each house to see which are open and which are locked.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite used universally to communicate on the Internet. Each of them has ports 0 through 65535 available, so each protocol alone has more than 65,000 doors to lock.

The first 1024 TCP ports (0 through 1023) are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP, or DNS. Some ports above 1023 also have commonly associated services (the Registered Ports), but the majority of these ports are not associated with any service and are available for any program or application to use to communicate.

TCP scanning is the most common type of scanning and, in its simplest form (a connect scan), uses the operating system's ordinary network functions. The attacker sends a SYN packet to the victim; if the port is open the victim replies with a SYN/ACK, and the attacker completes the 3-way handshake by sending an ACK, thus confirming that the port is open. If the port is closed the victim replies with a RST instead, and if nothing comes back at all the port is usually being filtered by a firewall. A SYN scan (the classic "half-open" stealth scan) sends the same SYN but answers the SYN/ACK with a RST rather than an ACK, so the connection is never completed and is less likely to be logged by the application.

UDP scanning is different because UDP is a connectionless protocol. There is no handshake, so an open UDP port typically sends nothing back to tell the attacker whether the packet was received or dropped. If a UDP packet is sent to a port that is not open, however, the system normally responds with an ICMP port unreachable message. Most UDP port scanners therefore treat a port unreachable reply as "closed" and the absence of any response as "open" (strictly, "open or filtered", since a firewall dropping the probe looks exactly the same).
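The two probe types described above, as an added example that is not code from the original article. It runs a TCP connect scan (full handshake through the OS socket API) and a UDP probe against loopback listeners the script creates itself, so it works offline; the target host 127.0.0.1 and all port numbers are assumptions chosen at run time, and the mapping of an ICMP port unreachable to a refused-connection error on a connected UDP socket is Linux/macOS behaviour. A raw-socket SYN (half-open) scan is not shown because it needs privileged raw sockets.

```python
"""Added example: TCP connect probe and UDP probe against self-hosted loopback
listeners. Host 127.0.0.1 and the ports are assumptions chosen at run time."""
import socket


def tcp_connect_scan(host, port, timeout=1.0):
    """Probe one TCP port with a full 3-way handshake via the OS socket API.

    open     -> the target answered our SYN with SYN/ACK and connect() sent
                the final ACK, so the handshake completed
    closed   -> the target answered the SYN with RST (connection refused)
    filtered -> nothing came back before the timeout (typically a firewall
                silently dropping the SYN)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        return "open"


def udp_probe(host, port, timeout=1.0):
    """Probe one UDP port. There is no handshake, so the only hard signal is a
    negative one: an ICMP port unreachable reply, which the kernel surfaces on
    a connected UDP socket as a refused-connection error (Linux/macOS
    behaviour; assumption). No reply at all is reported as open|filtered: the
    port may be open and silent, or a firewall may have dropped the probe or
    the ICMP reply.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"\x00")      # a real scanner sends a service-specific
            s.recv(1024)         # payload to coax a reply from an open port
        except ConnectionRefusedError:
            return "closed"      # ICMP port unreachable arrived
        except socket.timeout:
            return "open|filtered"
        return "open"            # the service actually answered


def _reserve_then_release(kind):
    """Bind an ephemeral port and release it, so we have a port that is known
    to be closed at the moment we probe it (constructed test setup)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Stand up one TCP listener and one silent UDP listener on loopback, then
    probe them plus one closed port of each type. Returns the results."""
    host = "127.0.0.1"
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind((host, 0))
    tcp_srv.listen(5)            # kernel completes handshakes without accept()
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind((host, 0))      # bound but never replies: looks open|filtered
    open_tcp = tcp_srv.getsockname()[1]
    open_udp = udp_srv.getsockname()[1]
    closed_tcp = _reserve_then_release(socket.SOCK_STREAM)
    closed_udp = _reserve_then_release(socket.SOCK_DGRAM)
    try:
        return {
            "tcp_open": tcp_connect_scan(host, open_tcp),
            "tcp_closed": tcp_connect_scan(host, closed_tcp),
            "udp_open": udp_probe(host, open_udp, timeout=0.5),
            "udp_closed": udp_probe(host, closed_udp, timeout=0.5),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:11s} {verdict}")
```

Note the asymmetry the article is getting at: the TCP verdicts are definite because the handshake gives a positive answer, while the UDP listener that never replies is indistinguishable from a firewall dropping the probe, which is why UDP scans are slow and noisy in practice (each unanswered port costs a full timeout).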

What is Stealth TCP Port Scanning?

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications such as Network Intrusion Detection Systems (NIDS) can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host.

To get around this the intruder can run the port scan in strobe or stealth mode. Strobing limits the scan to a smaller target set of ports rather than blanket scanning all 65536. Stealth scanning uses techniques such as slowing the scan: by spreading the probes over a much longer period of time, the attacker reduces the chance that the target will trigger an alert.

A network intrusion detection system (NIDS) monitors packets on the network wire and attempts to discover an intruder by matching traffic against a database of known attack patterns. A typical example is looking for a large number of TCP connection requests (SYN packets) to many different ports on a target machine from a single source, which reveals an attempted TCP port scan. A NIDS sniffs network traffic by putting its interface into promiscuous mode so that it sees all traffic on the wire, not just packets addressed to it.
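The SYN-counting detection described above and the slow-scan evasion from the previous section, as an added example that is neither code from the original article nor Snort's own implementation. It is a toy sliding-window detector run over constructed packet records: a fast scan, a one-probe-per-minute "stealth" scan, a client reconnecting to one port, and the server's SYN/ACK replies. Every address, port and timestamp is made up.

```python
"""Added example: a sliding-window port-scan detector over constructed packet
records. Addresses, ports and timestamps are invented for the demonstration."""
from collections import defaultdict, deque


def synthetic_traffic():
    """Constructed sample traffic as (time_seconds, src, dst, dport, flags)."""
    records = []
    # A fast scan: 10.0.0.5 SYNs to 20 ports on 10.0.0.9 in under a second.
    for i in range(20):
        records.append((100.0 + i * 0.05, "10.0.0.5", "10.0.0.9", 1 + i, "S"))
    # A slow ("stealth") scan: 10.0.0.7 probes one port per minute.
    for i in range(20):
        records.append((float(i * 60), "10.0.0.7", "10.0.0.9", 1 + i, "S"))
    # Legitimate background: a client reconnecting to port 80 every 10 s, and
    # the server's SYN/ACK replies, which must not be counted as requests.
    for i in range(120):
        records.append((float(i * 10), "10.0.0.8", "10.0.0.9", 80, "S"))
        records.append((float(i * 10) + 0.01, "10.0.0.9", "10.0.0.8",
                        40000 + i, "SA"))
    # A legitimate client that uses a handful of services on the same host.
    for i, port in enumerate((22, 80, 443, 8080)):
        records.append((200.0 + i, "10.0.0.6", "10.0.0.9", port, "S"))
    return records


def detect_portscans(records, window, threshold):
    """Alert when one source sends SYNs to at least `threshold` distinct ports
    on one destination within `window` seconds.

    Returns one (time, src, dst, distinct_ports) tuple per offending
    (src, dst) pair, at the moment the threshold was first crossed.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport)
    alerted = set()
    alerts = []
    for t, src, dst, dport, flags in sorted(records):
        if flags != "S":          # only connection requests (pure SYN);
            continue              # SYN/ACK replies are not probes
        key = (src, dst)
        q = recent[key]
        q.append((t, dport))
        while t - q[0][0] > window:   # expire probes older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((t, src, dst, len(distinct)))
    return alerts


if __name__ == "__main__":
    traffic = synthetic_traffic()
    # A 5-second window catches the fast scan but the slow one never has more
    # than one probe in any window, exactly the evasion the article describes.
    print("5 s window:   ", detect_portscans(traffic, window=5.0, threshold=10))
    # Widening the window to an hour catches the slow scanner as well, at the
    # price of more state per source and more risk of flagging busy clients.
    print("3600 s window:", detect_portscans(traffic, window=3600.0, threshold=10))
```

The window length is the whole game: a short window keeps memory bounded and false positives low but is blind to a scan paced slower than the window, while a long window catches the slow scan but must hold every source's recent ports for an hour. Snort's sfportscan preprocessor makes the same trade-off through its sense_level setting (low, medium, high), which controls how sensitive its per-source counters are.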

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

With the technological development of Aanval® SIEM and IDS Solutions, the vendor (www.aanval.co) has become a global provider of information security vulnerability and risk management software solutions that protect businesses and organizations. The firm also provides IT consulting and professional services. Currently there are over 6,000 organizations worldwide that rely upon Aanval as part of their security infrastructure.


Copyright©2001-2021 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268