How Snort's Stealth TCP Port Scanning Works
By Jennifer L Manguino
SecurityWeek Network reported "The simple truth is that the only way to be sure that
we actually analyze all network malware-related traffic is to perform a full inspection of
all traffic on all ports." One of the primary tools used by malicious attackers to assess your
network weaknesses is the port scan.
By running a port scan an attacker can find out which "doors" into your network are open.
Once they know that, they can begin to research what vulnerabilities or exploits those open
ports might expose. It is vital that organizations restrict and control the traffic that is
allowed into the network. One of the important attacks that the Snort NIDS detects is port
scanning.
An Introduction to Port Scanning
According to Tony Bradley, a network security expert at About.com who wrote "Port Knocking:
The Secret Knock Can Open Your System," port scanning is similar to a thief going through your
neighborhood and checking every door and window on each house to see which are open and which
are locked.
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of
the protocols that make up the TCP/IP protocol suite which is used universally to communicate
on the Internet. Each of these has ports 0 through 65535 available, so essentially there are
more than 65,000 doors to lock.
The first 1024 TCP ports are called the Well-Known Ports and are associated with standard
services such as FTP, HTTP, SMTP, or DNS. Some of the addresses over 1023 also have commonly
associated services, but the majority of these ports are not associated with any service and
are available for a program or application to use to communicate.
TCP scanning is the most common type of scanning and uses the operating system's ordinary
network functions. The attacker sends a SYN packet to the victim; if the port is open, the
victim sends an ACK packet back to the attacker, thereby revealing that the port is open.
This exchange is the start of the TCP 3-way handshake.
UDP is a connectionless protocol, so a UDP scan receives no notification of whether the
packet was received or dropped by the victim's network. If a UDP packet is sent to a port
that is not open, however, the system responds with an ICMP port unreachable message. Most
UDP port scanners rely on this and use the absence of a response to infer that a port is open.
What is Stealth TCP Port Scanning?
If the port scan is being done with malicious intent, the intruder would generally prefer
to go undetected. Network security applications such as Network Intrusion Detection Systems
(NIDS) can be configured to alert administrators if they detect connection requests across
a broad range of ports from a single host.
To get around this, the intruder can run the port scan in strobe or stealth mode. Strobing
limits the scan to a smaller target set of ports rather than blanket scanning all 65536 ports.
Stealth scanning uses techniques such as slowing the scan: by spreading the probes over a much
longer period of time, the intruder reduces the chance that the target will trigger an alert.
Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt
to discover an intruder by matching traffic against a database of known attack patterns.
A typical example is looking for a large number of TCP connection requests (SYN) to many different
ports on a target machine, which reveals that someone is attempting a TCP port scan. A network
intrusion detection system sniffs network traffic by promiscuously watching all traffic on the wire.
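The detection idea described above (many SYN requests from one host to many distinct ports on one target) can be written as a short sliding-window detector. The following is an added example, not code from the article or from Snort; the log line format, the hosts, and the helper names (parse_line, find_scanners, make_sample) are all constructed for illustration. It also shows why a slow scan evades a short window: the same detector only catches the slow scanner when the window is widened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line-per-packet format (assumed, not a real sniffer format):
#   <ISO timestamp> <src ip> -> <dst ip>:<dst port> [<TCP flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z]*)\]$"
)


def parse_line(line):
    """Parse one constructed packet record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_scanners(lines, threshold=10, window_seconds=60):
    """Return {(src, dst): distinct_ports} for every source that sent SYN-only
    packets to at least `threshold` distinct ports on one target within any
    window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # only bare connection requests (SYN without ACK) count as probes
        if rec is None or rec["flags"] != "S":
            continue
        by_pair[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        best = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({port for _, port in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[pair] = best
    return alerts


def make_sample():
    """Constructed traffic: a fast scan, a slow scan, and a benign client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # fast scan: 15 ports in 15 seconds from 10.0.0.5
    for i, port in enumerate(range(20, 35)):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 192.168.1.10:{port} [S]")
    # slow ("stealth") scan: one probe every 10 minutes from 10.0.0.9
    slow_ports = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
    for i, port in enumerate(slow_ports):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 -> 192.168.1.10:{port} [S]")
    # benign client: two completed handshakes to web ports
    for port, sec, eph in ((80, 5, 49152), (443, 6, 49153)):
        t = base + timedelta(seconds=sec)
        lines.append(f"{t.isoformat()} 10.0.0.7 -> 192.168.1.10:{port} [S]")
        lines.append(f"{t.isoformat()} 192.168.1.10 -> 10.0.0.7:{eph} [SA]")
        lines.append(f"{t.isoformat()} 10.0.0.7 -> 192.168.1.10:{port} [A]")
    return lines


if __name__ == "__main__":
    sample = make_sample()
    print("60 s window:", find_scanners(sample))
    print("2 h window: ", find_scanners(sample, window_seconds=7200))
```

With the default 60-second window only the fast scanner is reported; the slow scanner, which probes one port every ten minutes, is only reported once the window is widened to two hours. That trade-off (longer windows catch slower scans but cost more state and risk more false positives) is exactly what the stealth scanner is counting on, and it is why a NIDS tuned for this detection needs to track per-source state over long periods.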
Snort is an open source network intrusion detection system, capable of performing real-time
traffic analysis and packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
With the technological development of Aanval® SIEM and IDS Solutions, its developer has become
a global provider of information security vulnerability and risk management software solutions
that protect businesses and organizations. The firm also provides IT consulting and professional
services. Currently there are over 6,000 organizations worldwide that rely upon Aanval as part
of their security infrastructure.