Skip the navigation

Port scans may not always signal attacks, research indicates

A study found little correlation between port scanning and network attacks

December 7, 2005 12:00 PM ET

Computerworld - The assumption that network port scans are a precursor to attempted hacks into computers may be misleading, according to research at the University of Maryland's A. James Clark School of Engineering.
An analysis of quantitative attack data gathered by the university over a two-month period shows that port scans precede attacks only around 5% of the time, said Michel Cukier, a professor in the Center for Risk and Reliability at the engineering school. In fact, more than half of all attacks are not preceded by a scan of any kind, he said.
"There's been a lot of discussion in the security community about whether a port scan portends an attack or not," Cukier said. "The goal of the research is to find a link between port scans and an attack."
Port scans are generally believed to be used by attackers to discover open or closed ports and unused network services they can try to exploit. Large increases in scans against particular ports have for long been viewed as a sure signal of impending attacks against that port.
But the evidence gathered from 48 days' worth of data collected from two honey-pot computers used for the study suggest otherwise, Cukier said. Only 28 out of 760 IP addresses tied to attacks against the university's computers launched a port scan prior to the attacks, he said. In contrast, 381 of the IP addresses launched attacks without any previous port scanning activity.
The study did find that 38% of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerablities on network-attached computers, Cukier said.
The numbers suggest that it's only when port scans are combined with vulnerability scanning activity that there's a reasonably good chance of a follow-up attack, he said.
During the study, more than 22,000 connections to the two honey pots were analyzed. Scripts were developed to categorize the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks. For purposes of the analysis, port scans were defined as connections involving less than five data packets; vulnerability scans as connections with between five and 12 packets; and attacks were defined as connections with more than 12 data packets.
The results of the study were first published at the Institute of Electronics and Electrical Engineers' International Conference on Dependable Systems and Networks in June but were not publicly released until this week.
Johannes Ullrich, the chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the test-bed used for the research appears to



Our Commenting Policies