Ask the Expert

What can you tell me about traffic and the scanning process?

To understand the traffic, it helps to understand the scan process itself. Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give the attacker unambiguous feedback; UDP behaves differently. To find UDP ports, the attacker generally sends empty UDP datagrams. If the port is open, the service either answers with a datagram of its own or simply ignores the empty payload. If the port is closed, most operating systems send back an ICMP "port unreachable" error. So the attacker learns positively which ports are NOT open and infers the rest by exclusion; a port that never answers can only honestly be reported as "open or filtered", because silence is also exactly what a firewall produces. Neither the UDP probes nor the ICMP errors are guaranteed to arrive, so a UDP scanner must retransmit probes that appear to be lost, or every dropped packet turns into a false "open". The technique is also slow, because the scanner has to pace itself for hosts that follow the advice of RFC 1812 and rate-limit ICMP error messages. For example, a kernel may limit destination-unreachable generation to 80 per four seconds, with a quarter-second penalty if that is exceeded; current Linux kernels default to roughly one ICMP error per second (the net.ipv4.icmp_ratelimit sysctl), which is why a scan of all 65,536 UDP ports on such a host can take many hours.

A SYN scan, or "half-open" scan, is another way an attacker can enumerate ports on a system, and one that is harder for the target application to notice. It performs only the first two steps of the TCP three-way handshake. The scanner sends a TCP SYN segment as though it were opening a normal connection. If the port is open, the target answers with SYN-ACK; if it is closed, the target answers with RST; if a packet filter is in the way, nothing comes back at all (or an ICMP unreachable error arrives). On a SYN-ACK the scanner sends a RST rather than the final ACK, so the connection is never fully established and the service's accept() never fires; anything that logs only established connections, which includes most applications, never sees the probe. The stealth is relative, though: the SYN and the target's reply are ordinary packets, and a firewall, IDS or flow collector records them just as it would a completed connection. (Scanners usually craft the SYN and RST through raw sockets; the scanner's own kernel would reset an unsolicited SYN-ACK anyway, since it has no socket for it.) Note that there is no UDP equivalent of a SYN scan: UDP has no handshake, so what scanners offer for UDP is the datagram-and-ICMP technique described above.
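The half-open exchange, as an added example that is not part of the original answer: a Python model of a TCP host (the listening, closed and filtered port numbers are constructed) that records every segment it sees on the wire and, separately, every connection its application accept()s, scanned once with a SYN scan and once with a full connect scan. Real scanners build these segments with raw sockets; the model only tracks flags and ports.

```python
"""SYN ("half-open") scan versus full connect scan against a simulated TCP host.

Added example, not code from the original article.  The listening, closed and
filtered ports are constructed; the point is to show the segment exchange each
scan produces and which of those exchanges the service itself ever sees.
"""

LISTENING = {22, 80}        # constructed: services bound on these ports
FILTERED = {135}            # constructed: a packet filter silently drops this port
PORTS = [22, 80, 135, 8080]


class TcpHost:
    """Minimal TCP listener model: embryonic connections, a wire log and an app log."""

    def __init__(self):
        self.half_open = {}     # (src_port, dst_port) -> "SYN_RCVD" for embryonic connections
        self.packet_log = []    # every segment on the wire: what a firewall or IDS records
        self.app_log = []       # accept() events: the only thing the service itself logs

    def receive(self, seg):
        """seg is (flags, src_port, dst_port); returns the segment sent back, or None."""
        flags, sport, dport = seg
        self.packet_log.append(seg)               # seen on the wire before any filtering
        if dport in FILTERED:
            return None                           # dropped: no answer of any kind
        key = (sport, dport)
        if flags == "SYN":
            if dport not in LISTENING:
                return ("RST", dport, sport)      # closed port answers with a reset
            self.half_open[key] = "SYN_RCVD"      # handshake step 2: SYN-ACK, wait for ACK
            return ("SYN-ACK", dport, sport)
        if flags == "ACK" and self.half_open.get(key) == "SYN_RCVD":
            del self.half_open[key]               # handshake step 3: connection established
            self.app_log.append(f"accept() from port {sport} on {dport}")
            return None
        if flags == "RST":
            self.half_open.pop(key, None)         # embryonic connection discarded silently
        return None


def _state(reply):
    """Scanner's interpretation of the answer to its SYN."""
    if reply is None:
        return "filtered"
    return "open" if reply[0] == "SYN-ACK" else "closed"


def syn_scan(host, ports, src_port=40000):
    """Half-open scan: SYN, read the answer, reset anything that answered SYN-ACK."""
    states = {}
    for i, port in enumerate(ports):
        sport = src_port + i
        reply = host.receive(("SYN", sport, port))
        states[port] = _state(reply)
        if states[port] == "open":
            host.receive(("RST", sport, port))    # never send the third-step ACK
    return states


def connect_scan(host, ports, src_port=50000):
    """Full handshake: the ACK completes the connection, so the service accept()s it."""
    states = {}
    for i, port in enumerate(ports):
        sport = src_port + i
        reply = host.receive(("SYN", sport, port))
        states[port] = _state(reply)
        if states[port] == "open":
            host.receive(("ACK", sport, port))    # connection established; app sees it
            host.receive(("RST", sport, port))    # then torn down
    return states


def run_both():
    """Scan fresh hosts both ways; return (syn_states, syn_host, conn_states, conn_host)."""
    syn_host, conn_host = TcpHost(), TcpHost()
    return syn_scan(syn_host, PORTS), syn_host, connect_scan(conn_host, PORTS), conn_host


if __name__ == "__main__":
    syn_states, syn_host, conn_states, conn_host = run_both()
    print("SYN scan    :", syn_states, "| app log:", syn_host.app_log,
          "| segments on wire:", len(syn_host.packet_log))
    print("connect scan:", conn_states, "| app log:", conn_host.app_log,
          "| segments on wire:", len(conn_host.packet_log))
```

Both scans reach the same verdict for every port, but only the connect scan leaves entries in the application's log; the SYN scan leaves nothing there and no lingering half-open entries, while the wire log on both hosts shows every probe, which is where a firewall or IDS would catch it.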

This was first published in February 2005
