Port scans may not always signal attacks, research indicates
A study found little correlation between port scanning and network attacks
Computerworld - The assumption that network port scans are a precursor to attempted hacks into computers may be misleading, according to research at the University of Maryland's A. James Clark School of Engineering.
An analysis of quantitative attack data gathered by the university over a two-month period shows that port scans precede attacks only around 5% of the time, said Michel Cukier, a professor in the Center for Risk and Reliability at the engineering school. In fact, more than half of all attacks are not preceded by a scan of any kind, he said.
"There's been a lot of discussion in the security community about whether a port scan portends an attack or not," Cukier said. "The goal of the research is to find a link between port scans and an attack."
Port scans are generally believed to be used by attackers to discover open or closed ports and unused network services they can try to exploit. Large increases in scans against particular ports have for long been viewed as a sure signal of impending attacks against that port.
But the evidence gathered from 48 days' worth of data collected from two honey-pot computers used for the study suggest otherwise, Cukier said. Only 28 out of 760 IP addresses tied to attacks against the university's computers launched a port scan prior to the attacks, he said. In contrast, 381 of the IP addresses launched attacks without any previous port scanning activity.
The study did find that 38% of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerablities on network-attached computers, Cukier said.
The numbers suggest that it's only when port scans are combined with vulnerability scanning activity that there's a reasonably good chance of a follow-up attack, he said.
During the study, more than 22,000 connections to the two honey pots were analyzed. Scripts were developed to categorize the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks. For purposes of the analysis, port scans were defined as connections involving less than five data packets; vulnerability scans as connections with between five and 12 packets; and attacks were defined as connections with more than 12 data packets.
The results of the study were first published at the Institute of Electronics and Electrical Engineers' International Conference on Dependable Systems and Networks in June but were not publicly released until this week.
Johannes Ullrich, the chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the test-bed used for the research appears to
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts