Defending Against Port Scan Attacks

Port scan attacks, though unsophisticated and often harmless in and of themselves, are worth defending — and can be turned against cybercriminals with deception techniques.

Cybercriminals have relied on port scan attacks since the dawn of the internet, but the illicit information-gathering tactic has become even more popular in recent years. Automated, mass port scanning tools have grown in sophistication. Vulnerable targets like IoT devices continue to proliferate, and the result is that, as one report put it, “Automated attacks that rely on IP and port scanning are the new normal.”

In fact, nearly all Internet-connected devices will be port-scanned at some point in their lifespans.

Port scanners identify port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are is in use enables hackers to determine which applications and services the target device is running. From there, the hacker can test for vulnerabilities and begin to plan an attack.

How Port Scan Attacks Work

When a hacker probes your system with a port scan attack, each port will react one of three ways: it will respond as “open” or “closed,” or it won’t respond at all. An open, or “listening,” port will respond to the port scan’s request, alerting the hacker that your device is on the other end. A closed port will respond as well, but it will deny the request. Unfortunately, even a denied request reveals that there’s a device behind the scanned IP address.

If a port doesn’t respond at all, it means it’s blocked by a firewall. However, blocked ports actually violate the TCP/IP rules of conduct, so your firewall may not block every port on your device. Instead, it will set some ports to “closed” instead, which means a scan could still detect the device.


Worried about port scans? Read our digital story for more cybersecurity  insights.

Some firewalls, on the other hand, now use “adaptive behavior,” meaning they’ll block open and closed ports if a suspect IP address is probing them. These firewalls can also be configured to alert admins if they detect connection requests across many ports from only one host. However, even adaptive firewalls aren’t a perfect defense against port scans, as hackers can conduct scans in “strobe” or “stealth” mode. Strobe mode means that they scan a small number of ports at a time, while stealth mode means they can scan the ports over a longer period. These tactics reduce the chance that the firewall will detect the scan or trigger an alert.

Defending Against Port Scan Attacks (And Using Them to Your Advantage)

To determine whether or not devices are at risk, you’ll need to find out what an attacker would see if they perform a port scan on your device. One way to do this is to use a tool like Nmap, a free port scanner that hackers use (but isn’t dangerous for you to use on your own device). From there, you can see which of your computer’s ports respond as “open.”

If any are open, it’s possible that those ports don’t actually need to be accessible from outside of your network, in which case your IT team can get to work blocking them or shutting them down. If you do need those ports open, you can begin to apply patches to protect your network against attackers.

In addition, cybersecurity professionals can use the fact that hackers usually probe networks for vulnerabilities using port scan attacks to set their networks up to slow attackers down. By using firewalls to redirect open ports to “honeypots” or empty hosts, you can turn a port scan that would take hackers just a few seconds in to a 7-hour job. Capitalizing on the frequency of port scans by using deception defenses that send hackers into “bait” traps can be an effective technique that requires relatively little investment.

Unfortunately, many IT teams today are so busy dealing with support tickets and higher-priority items, that they don’t have the bandwidth to address basic threats like port scan attacks. That’s why, for enterprises looking to defend their networks against port scan attacks, the right move is to partner with an experienced cybersecurity and IT specialist like Turn-key Technologies (TTI).

TTI has been helping to protect companies against cyber threats for over three decades — from simple port scan attacks to the most complex data breaches and cybersecurity incidents. Our certified team of expert professionals can assess your network for security gaps, and implement the solutions that will keep your most important assets secure. An initial network assessment is often the first step on the road to optimal network security. Contact us today to learn more.

By Craig Badrick

01.03.2019

Sign up for the TTI Newsletter