How to prevent port scan attacks?

A port is a communication endpoint that facilitates data transfer between two devices, or an application and a device. If a port is open, it is being used for a particular service or application and is actively listening to requests sent to that application. If the applications using open ports aren't patched well, these ports can be exploited and used for launching attacks. A port scan is a method that is used to spot open ports on a network. Running a port scan reveals the open ports in the network and network security devices such as firewalls deployed between the sender and the receiver.

Normally, port scanning of a network is performed during penetration testing to assess the strength of network security. However, cyber attackers also use this method to identify vulnerable ports within the network and understand the network security of the target. When used by cyber attackers, it is called a port scan attack.

How does a port scan attack occur?

An attacker tries to connect to the target host by communicating with all the 65536 available system ports. Firewalls respond to this attack in one of three ways, depending on the status of the port:

• If the port is open, it redirects the traffic to the specific host.
• If the port is closed, the traffic isn't redirected. However, the firewall responds with a "Denied" notification.
• If the port is blocked by your firewall, it doesn't respond to the request.

So, even if a particular port is closed, the attacker gets to know about the device behind that port. A successful connection through an open port will allow the attackers to intrude into the network.

Port scanning is usually carried out in two modes: strobe and stealth.

When an attacker scans only a few ports, say less than 20 ports, in a given time, it's referred to as the strobe mode of port scanning. On the other hand, when an attacker listens to a port for a longer duration, say for one month, and gradually executes port scanning, it's known as the stealth mode. In both the modes, the attacker goes unnoticed. However, stealth mode port scanning is relatively difficult to detect as the attackers could establish communication with the application without going through the handshake process.

How to prevent a port scan attack?

• Do the port scan before the attacker: The first step in preventing malicious actors entering your network using a port scan attack is to run frequent port scans yourself to identify vulnerable ports and block them.
• Deploy adaptive firewalls: You can't block all the ports because of the TCP/IP rules of conduct for firewalls. Further, blocking all ports will block the necessary communication that is needed for your business. So we recommend that you use an adaptive firewall which blocks ports only when a malicious IP is trying to scan it.
• Set up empty hosts or honeypots: Another way is to redirect the malicious requests to traps. When attackers do port scanning, you can configure your firewall to redirect open ports to an "empty host" or "honey pots". Carrying out this deceptive defensive mechanism takes a lot of configuration effort, but it is very effective.

Quick tip:

Even when you've deployed the adaptive firewalls and set up traps, you would still need to conduct an analysis on the origin of malicious traffic. This way you can block those IPs at your network-level firewall and reduce the scale and impact of the exploit.

EventLog Analyzer, a comprehensive log management solution, helps you with a detailed report on all port scan attempts and also lets you know in real-time when port scan is happening through its real-time event response system. Check out how this solution can help you deal with port scan attacks.