Port scans may not always signal attacks, research indicates
A study found little correlation between port scanning and network attacks
Computerworld - The assumption that network port scans are a precursor to attempted hacks into computers may be misleading, according to research at the University of Maryland's A. James Clark School of Engineering.
An analysis of quantitative attack data gathered by the university over a two-month period shows that port scans precede attacks only around 5% of the time, said Michel Cukier, a professor in the Center for Risk and Reliability at the engineering school. In fact, more than half of all attacks are not preceded by a scan of any kind, he said.
"There's been a lot of discussion in the security community about whether a port scan portends an attack or not," Cukier said. "The goal of the research is to find a link between port scans and an attack."
Port scans are generally believed to be used by attackers to discover open or closed ports and unused network services they can try to exploit. Large increases in scans against particular ports have long been viewed as a sure signal of impending attacks against that port.
But the evidence gathered from 48 days' worth of data collected from two honey-pot computers used for the study suggests otherwise, Cukier said. Only 28 out of 760 IP addresses tied to attacks against the university's computers launched a port scan prior to the attacks, he said. In contrast, 381 of the IP addresses launched attacks without any previous port scanning activity.
The study did find that 38% of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerabilities on network-attached computers, Cukier said.
The numbers suggest that it's only when port scans are combined with vulnerability scanning activity that there's a reasonably good chance of a follow-up attack, he said.
During the study, more than 22,000 connections to the two honey pots were analyzed. Scripts were developed to categorize the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks. For purposes of the analysis, port scans were defined as connections involving fewer than five data packets; vulnerability scans as connections with between five and 12 packets; and attacks as connections with more than 12 data packets.
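The packet-count classification above and the per-IP "was the attack preceded by a scan?" question can be replicated on a connection log. The following is an added example, not the university's scripts: it applies the article's thresholds to a constructed set of connection records (the IP addresses, timestamps and packet counts are made up) and counts, per attacking source IP, whether a port scan or a vulnerability scan from that IP came first. ICMP scans, which the study also categorized, are left out.

```python
from dataclasses import dataclass

@dataclass
class Connection:
    src_ip: str      # source address of the connection (constructed sample data)
    start: float     # seconds since the start of the capture
    packets: int     # data packets seen in the connection

def classify(conn):
    """Apply the study's thresholds: <5 packets port scan, 5-12 vulnerability scan, >12 attack."""
    if conn.packets < 5:
        return "port_scan"
    if conn.packets <= 12:
        return "vuln_scan"
    return "attack"

def attack_precursors(conns):
    """Count attacking IPs by what the same IP did before its first attack.

    Mirrors the article's per-IP-address counting: each attacking IP is counted once."""
    by_ip = {}
    for c in sorted(conns, key=lambda c: c.start):
        by_ip.setdefault(c.src_ip, []).append(c)
    summary = {"attacking_ips": 0, "preceded_by_port_scan": 0,
               "preceded_by_vuln_scan": 0, "no_prior_scan": 0}
    for seq in by_ip.values():
        seen = set()                      # scan types this IP performed so far
        for c in seq:
            kind = classify(c)
            if kind != "attack":
                seen.add(kind)
                continue
            summary["attacking_ips"] += 1
            if "port_scan" in seen:
                summary["preceded_by_port_scan"] += 1
            if "vuln_scan" in seen:
                summary["preceded_by_vuln_scan"] += 1
            if not seen:
                summary["no_prior_scan"] += 1
            break
    return summary

# Constructed sample log: documentation-range addresses, not real observations.
SAMPLE = [
    Connection("198.51.100.1", 0, 2),   Connection("198.51.100.1", 60, 40),   # port scan, then attack
    Connection("198.51.100.2", 10, 8),  Connection("198.51.100.2", 70, 20),   # vuln scan, then attack
    Connection("198.51.100.3", 5, 30),                                        # attack with no scan
    Connection("198.51.100.4", 1, 1),                                         # port scan only
    Connection("198.51.100.5", 0, 3),   Connection("198.51.100.5", 20, 9),
    Connection("198.51.100.5", 100, 15),                                      # both scans, then attack
]

def summarize_sample():
    return attack_precursors(SAMPLE)

if __name__ == "__main__":
    print(summarize_sample())
```

On real honey-pot data the ratio of preceded_by_port_scan to attacking_ips is the figure the article reports as roughly 5%.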
The results of the study were first published at the Institute of Electrical and Electronics Engineers' International Conference on Dependable Systems and Networks in June but were not publicly released until this week.
Johannes Ullrich, the chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the test-bed used for the research appears to