Malicious Port Scanning and How to Recognize It

Risk Factors

Likelihood

Complexity

Business Impact

Malicious Port Scanning

What Is Malicious Port Scanning?

Port scanning is a method attackers use to scope out their target environment by sending packets to specific ports on a host and using the responses to find vulnerabilities and understand which services, and service versions, are running on a host.

First, attackers must locate hosts on the network, then they can scan those hosts for ports which might serve their purposes. Generally, port scanning tries to classify ports into one of three categories:

Open: In this case, the destination responds with a packet, meaning it is listening on that port and the service used to scan (generally TCP or UDP) is being used.
Closed: This means that the destination received the packet but does not have the service used listening at the port.
Filtered: The packet was filtered by a firewall or the service listening on that port didn't receive an acceptable traffic format so there is no reply.

Port scanning is generally done in stages:

  1. Scan the first 1000 ports on a CIDR range.
  2. Scan the first 1000 UDP ports on responding devices. .3 Scan the ports that are responding to determine services that are running on those ports.
  3. Expand the scan to all 65535 on responding devices to ID open ephemeral ports.

At a certain stage of scanning, the attacker is looking to ID specific services such as Active Directory, MSSQL, SMB/CIFS, SSH, etc. as well as what version of the software those hosts are running. This can rapidly allow attackers to select exploits to use to gain additional footholds within the network.


Protection Against Malicious Port Scanning

Port scanning is used for many legitimate purposes, necessitating the ability to differentiate between benign and malicious scanning activity. Simple approaches look for patterns like the number of ports scanned by a single IP address. If one IP address is running a lot of scans on different ports, it can be an indicator of malicious activity.

Statistical models can also be used to determine if scanning behavior differs from a baseline of normal behavior on the network. Network intrusion detection systems (IDS) and firewalls are usually configured to detect scans, but scanners can attempt to avoid detection by changing the frequency of scans, the sequence in which they access ports, or by spoofing their source address.

Detection and response solutions using machine learning can better understand normal scanning behavior on individual networks and provide high-fidelity detection even when attackers try to cover their tracks.


Malicious Port Scanning History

Malicious scanning has been around in various forms for a long time. Its use rapidly increased in 2001 along with an increase in computer worms, which scan for new hosts in order to automatically spread. An example worm during that time was the Code Red worm, which would scan for open TCP port 80 then leverage a common vulnerability to spread to new hosts.

Remote desktop protocol (RDP) has long been a common target for bad actors scanning for unprotected ports.