Port scans may not always signal attacks, research indicates
A study found little correlation between port scanning and network attacks
Computerworld - The assumption that network port scans are a precursor to attempted hacks into computers may be misleading, according to research at the University of Maryland's A. James Clark School of Engineering.
An analysis of quantitative attack data gathered by the university over a two-month period shows that port scans precede attacks only around 5% of the time, said Michel Cukier, a professor in the Center for Risk and Reliability at the engineering school. In fact, more than half of all attacks are not preceded by a scan of any kind, he said.
"There's been a lot of discussion in the security community about whether a port scan portends an attack or not," Cukier said. "The goal of the research is to find a link between port scans and an attack."
Port scans are generally believed to be used by attackers to discover which ports are open and which network services are exposed so they can try to exploit them. Large increases in scans against a particular port have long been viewed as a sure signal of impending attacks against that port.
But the evidence gathered from 48 days' worth of data collected from the two honeypot computers used for the study suggests otherwise, Cukier said. Only 28 of the 760 IP addresses tied to attacks against the university's computers launched a port scan prior to the attacks, he said. In contrast, 381 of the IP addresses launched attacks without any previous port-scanning activity.
The study did find that 38% of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerabilities on network-attached computers, Cukier said.
The numbers suggest that it's only when port scans are combined with vulnerability scanning activity that there's a reasonably good chance of a follow-up attack, he said.
During the study, more than 22,000 connections to the two honey pots were analyzed. Scripts were developed to categorize the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks. For purposes of the analysis, port scans were defined as connections involving less than five data packets; vulnerability scans as connections with between five and 12 packets; and attacks were defined as connections with more than 12 data packets.
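To make the classification rules concrete, here is an added example of the kind of script the passage describes (this is illustrative code written for this article, not the University of Maryland scripts, whose details are not public). It buckets each connection by the study's packet-count thresholds, then asks, per source IP, what kind of scan, if any, came before that IP's first attack. Assumptions not in the article: ICMP scans are separated by protocol rather than packet count, the connection records carry a timestamp and source IP, and the sample traffic (RFC 5737 documentation addresses) is constructed, not data from the honeypots.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds from the study's definitions (packets per connection):
#   port scan : fewer than 5
#   vuln scan : 5 to 12 inclusive
#   attack    : more than 12
# ICMP scans are keyed on protocol, not packet count (assumption: the
# article does not say how the study separated them).
PORT_SCAN_MAX_PACKETS = 4
VULN_SCAN_MAX_PACKETS = 12


@dataclass(frozen=True)
class Connection:
    ts: float       # seconds since start of capture
    src: str        # source IP
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # 0 for icmp
    packets: int    # packets seen in the connection


def classify(c: Connection) -> str:
    """Bucket one connection using the study's packet-count thresholds."""
    if c.proto == "icmp":
        return "icmp_scan"
    if c.packets <= PORT_SCAN_MAX_PACKETS:
        return "port_scan"
    if c.packets <= VULN_SCAN_MAX_PACKETS:
        return "vuln_scan"
    return "attack"


def precursor_stats(conns):
    """For every source IP that attacked, record which scan types (if any)
    it sent before its first attack. Returns counts per category."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(classify(c))
    stats = {"attackers": 0, "port_scan_before": 0,
             "vuln_scan_before": 0, "no_scan_before": 0}
    for labels in by_src.values():
        if "attack" not in labels:
            continue  # a scanner that never followed up
        prior = set(labels[: labels.index("attack")])
        stats["attackers"] += 1
        if "port_scan" in prior:
            stats["port_scan_before"] += 1
        if "vuln_scan" in prior:
            stats["vuln_scan_before"] += 1
        if not prior & {"port_scan", "vuln_scan", "icmp_scan"}:
            stats["no_scan_before"] += 1
    return stats


# Constructed sample data (not from the study); RFC 5737 test addresses.
SAMPLE = [
    # classic pattern: sweep three ports, then hit SSH hard
    Connection(0.0, "203.0.113.5", "tcp", 21, 2),
    Connection(0.5, "203.0.113.5", "tcp", 22, 2),
    Connection(1.0, "203.0.113.5", "tcp", 80, 2),
    Connection(30.0, "203.0.113.5", "tcp", 22, 40),
    # probe the web server, then exploit it
    Connection(5.0, "203.0.113.7", "tcp", 80, 8),
    Connection(6.0, "203.0.113.7", "tcp", 80, 25),
    # straight to the attack, no reconnaissance at all
    Connection(3.0, "203.0.113.9", "tcp", 445, 30),
    # scanner that never attacked
    Connection(7.0, "203.0.113.11", "tcp", 3389, 3),
    # ping first, then attack: a scan, but not a port scan
    Connection(0.0, "203.0.113.13", "icmp", 0, 1),
    Connection(2.0, "203.0.113.13", "tcp", 23, 18),
]


def run_example():
    return precursor_stats(SAMPLE)


if __name__ == "__main__":
    s = run_example()
    print(s)
    print(f"attackers preceded by a port scan: "
          f"{s['port_scan_before'] / s['attackers']:.0%}")
```

The thresholds are a heuristic, and the example makes the weak spots visible: a single-datagram exploit would land in the "port scan" bucket, a long but harmless session would count as an "attack", and keying on source IP means reconnaissance done from one address and followed up from another is counted as an attack with no scan at all. Anyone reproducing this on their own flow logs should treat the percentages as sensitive to those choices.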
The results of the study were first published at the Institute of Electrical and Electronics Engineers' International Conference on Dependable Systems and Networks in June but were not publicly released until this week.
Johannes Ullrich, the chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the test-bed used for the research appears to