Not all techniques used by cyber attackers are strictly malicious. A port scan attack is just one classic example of a normal security technique being used against the very networks it’s designed to help protect.
But this shouldn’t come as a surprise. Port scanning has been a key technique for security pros to conduct service discovery across their networks, and if it works for the blue team, it certainly works for the red team.
However, port scan attacks have grown increasingly dangerous in recent years—not because the techniques have changed drastically, but rather because there are more packets traveling into and out of ports than ever before.
Defending against automated port scan attacks isn’t just about having the right firewall filters in place. Protecting yourself from malicious port scans starts with network visibility.
What Is a Port Scan Attack?
To launch a port scan attack, hackers take advantage of a tool like Nmap to sort through the available hosts on your network. A port scan will return one of three potential classifications for identified ports:
- Open: Target host is listening on the port and the service used in the scan is being used.
- Closed: Packet requests are received but the service isn’t listening on the port.
- Filtered: Packet request is sent but there’s no reply, indicating a firewall has filtered the request packet.
Mapping ports in this way gives attackers insight into the weak points of your network. Every open port indicates the potential for a vulnerable system that attackers can exploit to gain a foothold in your network or launch denial of service campaigns.
Common advice says to close or filter those ports which you aren’t using. That way, you aren’t unnecessarily providing hackers with potential access points. But open ports are essential to your mission-critical, network-connected applications and systems. It’s important to close every port, so it’s crucial to understand which specific ports attackers are hoping to find open when scanning. A few of the most popular ports for hackers include:
- Port 23: The Telnet port is rarely used because it’s an outdated service. However, if you accidentally leave this port open, attackers could gain root access to your network.
- Port 445: This port presents the same Telnet issue and can be used to gain remote access on Windows hosts.
- Port 110: If POP3 services are compromised on this port, attackers can gain access to email accounts across your business.
- Ports 80 and 8080: Because these ports control HTTP connections on frontend and backend systems, respectively, compromised passwords can give attackers access to virtually all of your corporate data.
Whether attackers are targeting these specific ports or simply doing reconnaissance on your network, you’re left with one challenge—how to block port scanning attacks. As attackers become increasingly advanced, it’s not easy. But no matter how you look at it, network visibility is the foundation necessary to defend against this malicious activity.
Preparing for a Port Scan Attack with Network Visibility
In a perfect world, your intrusion detection systems and firewalls would automatically detect malicious port scanning. And while they may catch a good amount of attacks, the reality is that attackers are increasingly capable of bypassing these tools. By mixing up the frequency, order, and source addresses of port scan attacks, hackers can find the vulnerable points of your network without worrying about scans being blocked.
To enhance the protection provided by your security tools, you need to be able to proactively spot anomalies in network behavior. When malicious port scans are conducted across your network, you should be able to identify anomalies in outbound connection activity and inbound traffic patterns. These anomalies must be analyzed so you can block port scans—even when attackers have managed to bypass pre-configured security tools.
But the only way to achieve this kind of proactive protection against port scan attacks is to create a pervasive network visibility layer. The right combination of network taps, network packet brokers, and bypass switches will ensure the right traffic is always delivered to the right tools. It serves as a foundation for increased network intelligence that will unlock advanced traffic processing to keep port scan attacks at bay.
Attackers have taken advantage of the problems that increased network complexity, bandwidth, and volumes of network tools cause for your security team. With so much traffic to manage, port scan attacks can slip through the cracks and give hackers every bit of information necessary to compromise your network at large.
But when you have a visibility layer equipped with the right network intelligence applications such as Network Traffic Analysis (NTA) you can address anomalous behavior before attackers are able to complete their scans.
The real challenge is determining how to build a visibility layer tailored to your specific networking needs. Our own network visibility experts can help.
If you want to learn how solutions like our Packetron™ can turn your visibility layer into an active protection layer and help you block packet scan attacks, contact us today and talk to your personal visibility expert.