How do you protect against network scanners?

Port scan attacks, though unsophisticated and often harmless in and of themselves, are worth defending — and can be turned against cybercriminals with deception techniques.

Cybercriminals have relied on port scan attacks since the dawn of the internet, but the illicit information-gathering tactic has become even more popular in recent years. Automated, mass port scanning tools have grown in sophistication. Vulnerable targets like IoT devices continue to proliferate, and the result is that, as one report put it, “Automated attacks that rely on IP and port scanning are the new normal.”

In fact, nearly all Internet-connected devices will be port-scanned at some point in their lifespans.

Port scanners identify port availability by sending connection requests to a target computer and recording which ports respond and how. Determining which ports are in use enables hackers to determine which applications and services the target device is running. From there, the hacker can test for vulnerabilities and begin to plan an attack.

How Port Scan Attacks Work

When a hacker probes your system with a port scan attack, each port will react one of three ways: it will respond as “open” or “closed,” or it won’t respond at all. An open, or “listening,” port will respond to the port scan’s request, alerting the hacker that your device is on the other end. A closed port will respond as well, but it will deny the request. Unfortunately, even a denied request reveals that there’s a device behind the scanned IP address.

If a port doesn’t respond at all, it means it’s blocked by a firewall. However, blocked ports actually violate the TCP/IP rules of conduct, so your firewall may not block every port on your device. Instead, it will set some ports to “closed,” which means a scan could still detect the device.


Some firewalls, on the other hand, now use “adaptive behavior,” meaning they’ll block open and closed ports if a suspect IP address is probing them. These firewalls can also be configured to alert admins if they detect connection requests across many ports from only one host. However, even adaptive firewalls aren’t a perfect defense against port scans, as hackers can conduct scans in “strobe” or “stealth” mode. Strobe mode means that they scan a small number of ports at a time, while stealth mode means they can scan the ports over a longer period. These tactics reduce the chance that the firewall will detect the scan or trigger an alert.

Defending Against Port Scan Attacks (And Using Them to Your Advantage)

To determine whether or not devices are at risk, you’ll need to find out what an attacker would see if they perform a port scan on your device. One way to do this is to use a tool like Nmap, a free port scanner that hackers use (but isn’t dangerous for you to use on your own device). From there, you can see which of your computer’s ports respond as “open.”

If any are open, it’s possible that those ports don’t actually need to be accessible from outside of your network, in which case your IT team can get to work blocking them or shutting them down. If you do need those ports open, you can begin to apply patches to protect your network against attackers.
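As an added example (not code from the article or from TTI), here is how the self-scan step above can be turned into a repeatable check: it parses Nmap's grepable (-oG) output for a scan of your own hosts and reports open ports that are not on an allow-list of ports you intend to expose. The hosts, scan output and allow-list are constructed samples.

```python
"""Compare Nmap grepable (-oG) output of a self-scan against an allow-list
of ports that are supposed to be reachable, and report the rest.
Added example, not part of the original article; sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample: what `nmap -oG - <hosts>` might print for two hosts.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///, 25/closed/tcp//smtp///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 5900/open/tcp//vnc///
"""

# Constructed allow-list: (proto, port) pairs each host is expected to expose.
ALLOWED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
    "192.0.2.11": {("tcp", 443)},
}

# "Host: <addr> (<name>)<tab>Ports: <port>/<state>/<proto>/<owner>/<service>/..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def parse_open_ports(gnmap_text):
    """Return {host: {(proto, port), ...}} for ports Nmap reported as 'open'."""
    found = defaultdict(set)
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Status: Up" lines, etc.
        host, ports_field = m.groups()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                found[host].add((proto, int(port)))
    return dict(found)

def unexpected_open_ports(gnmap_text, allowed):
    """Per host, the open ports that are not on the allow-list (sorted)."""
    result = {}
    for host, ports in parse_open_ports(gnmap_text).items():
        extra = ports - allowed.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result
```

Anything `unexpected_open_ports` returns is a candidate for closing at the firewall or shutting down the service; what remains on the allow-list is the patching scope.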

In addition, cybersecurity professionals can use the fact that hackers usually probe networks for vulnerabilities using port scan attacks to set their networks up to slow attackers down. By using firewalls to redirect open ports to “honeypots” or empty hosts, you can turn a port scan that would take hackers just a few seconds into a 7-hour job. Capitalizing on the frequency of port scans by using deception defenses that send hackers into “bait” traps can be an effective technique that requires relatively little investment.

Unfortunately, many IT teams today are so busy dealing with support tickets and higher-priority items that they don’t have the bandwidth to address basic threats like port scan attacks. That’s why, for enterprises looking to defend their networks against port scan attacks, the right move is to partner with an experienced cybersecurity and IT specialist like Turn-key Technologies (TTI).

TTI has been helping to protect companies against cyber threats for over three decades — from simple port scan attacks to the most complex data breaches and cybersecurity incidents. Our certified team of expert professionals can assess your network for security gaps, and implement the solutions that will keep your most important assets secure. An initial network assessment is often the first step on the road to optimal network security. Contact us today to learn more.

Chapter 10, Detecting and Subverting Firewalls and Intrusion Detection Systems discussed the myriad ways that Nmap (along with a few other open-source security tools) can be used to slip through firewalls and outsmart intrusion detection systems. Now we look at the situation from the other side of the fence: How technology such as firewalls and IDSs can defend against Nmap. Possible defenses include blocking the probes, restricting information returned, slowing down the Nmap scan, and returning misleading information. The dangers of some defenses are covered as well. Obfuscating your network to the extent that attackers cannot understand what is going on is not a net win if your administrators no longer understand it either. Similarly, defensive software meant to confuse or block port scanners is not beneficial if it opens up more serious vulnerabilities itself. Many of the techniques described herein protect against active probes in general, not just those produced with Nmap.

How do you tell if someone is port scanning you?

Normally, port scans trigger huge amounts of requests to different ports or IP addresses within a short period of time. Such port scans can be easily detected by simple mechanisms like counting the number of requested ports for each source IP address.
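An added example, not part of the original page, of the counting mechanism just described: it groups firewall drop events by source address and counts distinct destination ports inside a sliding time window, with a short window for fast scans and a long one for the slow “stealth” scans mentioned earlier. The log format and the log lines are constructed.

```python
"""Flag port scans in firewall logs by counting distinct destination ports
per source address inside a sliding time window. Added example, not from
the original page; the log format and lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> DROP <src> -> <dst>:<port>/<proto>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP 203.0.113.5 -> 192.0.2.10:22/tcp
2024-05-01T10:00:00 DROP 203.0.113.5 -> 192.0.2.10:23/tcp
2024-05-01T10:00:01 DROP 203.0.113.5 -> 192.0.2.10:25/tcp
2024-05-01T10:00:01 DROP 203.0.113.5 -> 192.0.2.10:80/tcp
2024-05-01T10:00:02 DROP 203.0.113.5 -> 192.0.2.10:443/tcp
2024-05-01T10:05:00 DROP 198.51.100.7 -> 192.0.2.10:22/tcp
2024-05-01T10:05:03 DROP 198.51.100.7 -> 192.0.2.10:22/tcp
2024-05-01T11:00:00 DROP 198.51.100.9 -> 192.0.2.10:21/tcp
2024-05-01T11:20:00 DROP 198.51.100.9 -> 192.0.2.10:22/tcp
2024-05-01T11:40:00 DROP 198.51.100.9 -> 192.0.2.10:23/tcp
2024-05-01T12:00:00 DROP 198.51.100.9 -> 192.0.2.10:25/tcp
2024-05-01T12:20:00 DROP 198.51.100.9 -> 192.0.2.10:80/tcp
"""

def parse(log_text):
    """Yield (timestamp, src, dst_port) for each dropped-connection line."""
    for line in log_text.splitlines():
        ts, _action, src, _arrow, dst = line.split()
        port = int(dst.rsplit(":", 1)[1].split("/")[0])
        yield datetime.fromisoformat(ts), src, port

def detect_scanners(log_text, window, min_ports):
    """Sources touching >= min_ports distinct ports inside any `window` span."""
    by_src = defaultdict(list)
    for ts, src, port in parse(log_text):
        by_src[src].append((ts, port))
    hits = {}  # src -> largest distinct-port count seen in one window
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits

# Two passes: a tight window for fast scans, a long one for slow "stealth" scans.
FAST = (timedelta(seconds=10), 5)
SLOW = (timedelta(hours=3), 5)
```

The repeated connection from 198.51.100.7 to a single port is never flagged, while 198.51.100.9 only shows up under the long window, which is why a single short-window threshold misses slow scans.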

Why do I keep getting port scan attacks?

If a port is open, it is being used for a particular service or application and is actively listening to requests sent to that application. If the applications using open ports aren't patched well, these ports can be exploited and used for launching attacks.