Intro to Network Port Scanning and Advanced Techniques: How Snort’s Stealth TCP Port Scanning Works

SecurityWeek Network reported “The simple truth is that the only way to be sure that we actually analyze all network malware-related traffic is to perform a full inspection of all traffic on all ports.” One of the primary tools used by malicious attackers to assess your network weaknesses is the port scan. By running a port scan an attacker can find out which “doors” into your network are open. Once they know that, they can begin to research what vulnerabilities or exploits those open ports might expose. It is vital that organizations restrict and control the traffic that is allowed into the network. One of the important attacks that the Snort NIDS detects is port scanning.

An Introduction to Port Scanning

According to Tony Bradley, a network security expert at About.com who wrote “Port Knocking: The Secret Knock Can Open Your System,” port scanning is similar to a thief going through your neighborhood and checking every door and window on each house to see which are open and which are locked. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite which is used universally to communicate on the Internet. Each of these has ports 0 through 65535 available, so essentially there are more than 65,000 doors to lock.

The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP, or DNS. Some of the ports above 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use to communicate.

TCP scanning is the most common type of scan and uses the operating system’s own network functions. The attacker sends a SYN packet to the victim; if the port is open, the victim sends an ACK packet back to the attacker, notifying it that the port is open. This exchange is part of what is termed the TCP 3-way handshake.

UDP scanning probes a connectionless protocol. This means that no notification is sent back to the attacker as to whether the packet was received or dropped by the victim’s network. If a UDP packet is sent to a port that is not open, the system responds with an ICMP port unreachable message. Most UDP port scanners rely on this behaviour and use the absence of a response to infer that a port is open.

What is Stealth TCP Port Scanning?

If the port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications such as Network Intrusion Detection Systems (NIDS) can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this, the intruder can run the port scan in strobe or stealth mode. Strobing limits the scan to a smaller target set of ports rather than blanket scanning all 65536 of them. Stealth scanning uses techniques such as slowing the scan: by spreading the probes over a much longer period of time, the scanner reduces the chance that the target will trigger an alert.

Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover an intruder by matching observed traffic against a database of known attack patterns. A typical example is looking for a large number of TCP connection requests (SYN) to many different ports on a target machine, which reveals that someone is attempting a TCP port scan. A NIDS obtains this view by sniffing promiscuously, capturing all traffic on the network segment rather than only packets addressed to itself.
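The heuristic just described (one source sending connection requests to many distinct ports on one target within a short time) is easy to demonstrate on the defender's side. The following is an added example, not Snort's code or anything from the article: a small sliding-window detector that counts distinct destination ports per (source, destination, protocol) tuple, treating bare TCP SYNs and any UDP datagram as "connection attempts". It also illustrates the evasion point from the stealth-scanning paragraph above: the same slow scanner is invisible at a 60-second window and obvious at a one-hour window. All packets, addresses (from the RFC 5737 documentation ranges) and thresholds are constructed for the example; the `Packet` record, `is_probe` and `detect_port_scans` are names of this example only.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal flow record for the example (constructed, not a Snort structure)."""
    ts: float        # timestamp in seconds
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S" = bare SYN, "SA" = SYN/ACK


def is_probe(p):
    """A packet counts as a connection attempt if it is a TCP SYN without ACK
    (the first step of the 3-way handshake) or any UDP datagram.
    Traffic inside an established TCP connection is ignored."""
    if p.proto == "tcp":
        return "S" in p.flags and "A" not in p.flags
    return p.proto == "udp"


def detect_port_scans(packets, window=60.0, threshold=15):
    """Group connection attempts by (src, dst, proto) and slide a time window
    over each group. Report the group if, at any moment, the attempts inside
    the window touch at least `threshold` distinct destination ports.
    Returns alerts sorted by source address."""
    probes = defaultdict(list)
    for p in packets:
        if is_probe(p):
            probes[(p.src, p.dst, p.proto)].append((p.ts, p.dport))

    alerts = []
    for (src, dst, proto), evs in probes.items():
        evs.sort()                      # order by timestamp
        in_window = defaultdict(int)    # port -> probes currently inside the window
        start = 0                       # index of the oldest event still in the window
        peak = 0                        # largest distinct-port count seen so far
        for ts, port in evs:
            in_window[port] += 1
            # expire events older than `window` seconds relative to this one
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "proto": proto,
                           "distinct_ports": peak,
                           "first_seen": evs[0][0], "last_seen": evs[-1][0]})
    return sorted(alerts, key=lambda a: a["src"])


def sample_traffic():
    """Constructed traffic: a normal client, a fast SYN scanner, a slow
    'stealth' scanner (one port per minute) and a UDP prober, all aimed
    at the same target."""
    pkts = []
    target = "192.0.2.10"
    # normal client: three services, each with a completed handshake
    for ts, port in [(0.0, 80), (0.2, 443), (5.0, 22)]:
        pkts.append(Packet(ts, "tcp", "192.0.2.50", target, port, "S"))
        pkts.append(Packet(ts + 0.1, "tcp", "192.0.2.50", target, port, "A"))
    # fast scanner: 30 ports in about three seconds
    for i in range(30):
        pkts.append(Packet(100.0 + i * 0.1, "tcp", "198.51.100.7", target, 1 + i, "S"))
    # slow scanner: the same 30 ports, one every 60 seconds
    for i in range(30):
        pkts.append(Packet(1000.0 + i * 60.0, "tcp", "198.51.100.8", target, 1 + i, "S"))
    # UDP prober: 20 ports in two seconds
    for i in range(20):
        pkts.append(Packet(2000.0 + i * 0.1, "udp", "203.0.113.9", target, 53 + i))
    return pkts


if __name__ == "__main__":
    for window in (60.0, 3600.0):
        print(f"window={window:.0f}s")
        for a in detect_port_scans(sample_traffic(), window=window):
            print("  ", a)
```

With the default 60-second window only the fast TCP scanner and the UDP prober are reported; the slow scanner never has more than two distinct ports inside any window, which is exactly the evasion the stealth-scanning paragraph describes. Raising the window to an hour catches it, at the cost of more state per source. Snort's own portscan detection keeps similar per-source counters over configurable time windows and sensitivity levels, and in practice that window/threshold trade-off is what an administrator tunes.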

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.