What is port scanning? It is similar to a thief walking through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite, which is used universally to communicate on the Internet. Each of them has ports 0 through 65535 available, so essentially there are more than 65,000 doors to lock.
The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS.
Some of the ports above 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use for communication.
Port scanning software, in its most basic form, simply sends a connection request to the target computer on each port in turn and records which ports responded or appear open to more in-depth probing.
Port Scan – Port Numbers
As you know, public IP addresses are controlled by worldwide registrars and are unique globally. Port numbers are not controlled in the same way, but over the decades certain ports have become standard for certain services. Port numbers are unique only within a single computer system. They are 16-bit unsigned numbers and are divided into three ranges:
* Well Known Ports (0 – 1023)
* Registered Ports (1024 – 49151)
* Dynamic and/or Private Ports (49152 – 65535)
Ports numbered 0 to 1023 are considered well known (also called standard ports) and are assigned to services by the IANA (Internet Assigned Numbers Authority). Here are a few samples:
* echo – 7/tcp – Echo
* ftp-data – 20/udp – File Transfer [Default Data]
* ftp – 21/tcp – File Transfer [Control]
* ssh – 22/tcp – SSH Remote Login Protocol
* telnet – 23/tcp – Telnet
* domain – 53/udp – Domain Name Server
* www-http – 80/tcp – World Wide Web HTTP
By a non-standard port, we simply mean a port whose number is higher than 1023. Even in this range, several services are "standard" by convention. For example:
* wins – 1512/tcp – Microsoft Windows Internet Name Service
* radius – 1812/udp – RADIUS authentication protocol
Some malicious programs, such as Trojans and viruses, have spread so widely that there are a number of ports which, if found open, usually indicate that a system may be infected.
It is possible to monitor your network for port scans. The trick, as with most things in information security, is to find the right balance between network performance and network safety. You could monitor for SYN scans by logging any attempt to send a SYN packet to a port that isn't open or listening. However, rather than being alerted every time a single attempt occurs (and possibly being awakened in the middle of the night for an otherwise innocent mistake), you should decide on thresholds that trigger the alert. For instance, you might say that if there are more than 10 SYN packet attempts to non-listening ports in a given minute, an alert should be triggered. You could design filters and traps to detect a variety of port scan methods: watching for a spike in FIN packets, or simply an anomalous number of connection attempts to a variety of ports and/or IP addresses from a single source IP.
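The thresholded detection described above, as an added example that is not part of the original article: it reads a constructed, hypothetical log format (one line per TCP segment with a SYN or FIN flag), counts SYNs to non-listening ports per source IP per minute, and raises an alert only when the article's "more than 10 in a minute" threshold is exceeded. The set of listening ports, the log format, the FIN threshold and the sample addresses (RFC 5737 documentation ranges) are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption of this example, not any real product's):
# "<ISO timestamp> <SYN|FIN> src=<ip> dst=<ip> dport=<port>", one line per TCP
# segment carrying that flag toward the monitored host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<flag>SYN|FIN) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Ports the monitored host actually listens on (assumed for the example).
LISTENING = {22, 80, 443}
# The article's threshold: more than 10 SYNs to non-listening ports in a
# minute. The FIN figure is a constructed value for a second, similar trap.
SYN_THRESHOLD = 10
FIN_THRESHOLD = 5


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "flag": m["flag"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def detect_scans(lines, listening=LISTENING,
                 syn_threshold=SYN_THRESHOLD, fin_threshold=FIN_THRESHOLD):
    """Aggregate per (source IP, minute) and alert only above the thresholds."""
    syn_hits = defaultdict(int)    # SYNs to ports nothing listens on
    syn_ports = defaultdict(set)   # distinct closed ports touched by that source
    fin_hits = defaultdict(int)    # bare FINs (a FIN scan never completes a handshake)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["ts"].replace(second=0, microsecond=0))
        if rec["flag"] == "SYN" and rec["dport"] not in listening:
            syn_hits[key] += 1
            syn_ports[key].add(rec["dport"])
        elif rec["flag"] == "FIN":
            fin_hits[key] += 1

    alerts = []
    for (src, minute), n in syn_hits.items():
        if n > syn_threshold:
            alerts.append({"kind": "syn-scan", "src": src, "minute": minute.isoformat(),
                           "count": n, "distinct_ports": len(syn_ports[(src, minute)])})
    for (src, minute), n in fin_hits.items():
        if n > fin_threshold:
            alerts.append({"kind": "fin-scan", "src": src, "minute": minute.isoformat(),
                           "count": n})
    return sorted(alerts, key=lambda a: (a["minute"], a["src"]))


# Constructed sample log: one source probing 14 ports within a minute (12 of
# them closed), one innocent host retrying a closed port three times, one
# source sending a burst of bare FINs, and one malformed line.
CLOSED_PORTS = [21, 23, 25, 110, 135, 139, 445, 1433, 3306, 3389, 5900, 8080]
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{5 + 3 * i:02d} SYN src=203.0.113.5 dst=192.0.2.10 dport={p}"
     for i, p in enumerate(CLOSED_PORTS + [22, 80])]
    + [f"2024-05-01T10:00:{20 + i} SYN src=198.51.100.7 dst=192.0.2.10 dport=8080"
       for i in range(3)]
    + [f"2024-05-01T10:01:{10 + i} FIN src=203.0.113.9 dst=192.0.2.10 dport={1000 + i}"
       for i in range(6)]
    + ["this line is not a log record"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Keying on (source, minute) is what keeps the innocent three-attempt retry silent while the 12-port sweep fires; raising `syn_threshold` or widening the window is how you tune the alert volume against the performance and noise cost the article mentions.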