
Flowmon ADS User Guide

SCANS - Port Scanning

  • Last Updated: May 1, 2026

Method description

This detection method detects common network-mapping and service-discovery techniques based on port scanning. Attackers use port scanning to map the network environment and identify potential victims for subsequent attacks. Where possible, the method classifies an attack as a horizontal, vertical, or chaotic scan according to the number of scanned devices and ports. The detected event includes the number of unique targets, information about the response from the scanned device, and a list of scanned ports. The method is able to detect scans over the TCP, UDP, and ARP protocols. For TCP scans, the method distinguishes between several scan types (SYN scan, FIN scan, Xmas scan, and Null scan). This requires TCP flags to be present in the flow data. If the flow source is not able to provide this information, the alternative port-based detection should be activated.

This method consists of the following submethods:

  • TCPSYN: Reports scanning of services using the TCP protocol. Only flows with the SYN flag set are used for detection.

  • TCPFIN: Reports scanning of services using the TCP protocol. Only flows with the FIN flag set are used for detection.

  • TCPNull: Reports scanning of services using the TCP protocol. Only flows with no flags set are used for detection.

  • TCPXmas: Reports scanning of services using the TCP protocol. Only flows with the PSH, URG, and FIN flags set are used for detection.

  • UDP: Reports scanning of services using the UDP protocol. UDP and ICMP flows are used for detection.

  • ARP: Reports scanning for live devices in the network using the ARP protocol.

  • PortBased: Reports TCP port scanning when a source accesses all of the user-defined ports within a short time period.

Method parameters

TCP

  • ScansThreshold: Minimum number of port-scanning attempts from a single source required to trigger an event.

  • IgnoreChaotic: Ignores chaotic port scans (scans for which it is not possible to determine whether they are vertical or horizontal). IgnoreChaotic is not used when PortBasedDetection is enabled.

  • IgnoreUnsucc: Ignores port-scanning attempts that received no response.

  • DetectOnlyKnown: Limits detection to well-known ports (lower than 1024) and the user-specified ports listed in DetectThesePorts. DetectOnlyKnown is not used when PortBasedDetection is enabled.

  • DetectThesePorts: Comma-separated list of port numbers and port ranges.

  • PortBasedDetection: Detection based on the given port numbers. This type of detection is suitable when TCP flags are recognized incorrectly in the monitored traffic (which some types of data sources cause). An event is then reported only if the attacker accesses every defined port on a particular host.
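The following is an added illustration, not Flowmon code, of how the TCP submethods and parameters above fit together: each probe is assigned to a submethod from its TCP flags, the ScansThreshold, IgnoreUnsucc, IgnoreChaotic, DetectOnlyKnown and DetectThesePorts settings filter what is counted, and a simplified horizontal/vertical/chaotic rule classifies the result. The flow records, the flag letters (S/F/P/U) and the shape rule are assumptions made for the example; Flowmon's actual classifier is not documented on this page.

```python
from collections import defaultdict

# Constructed sample flows (not Flowmon data): (src, dst, dport, flags, answered).
SAMPLE = [("10.0.0.5", "10.0.1.1", p, "S", p == 22) for p in (21, 22, 23, 25, 80, 443)]
SAMPLE += [("10.0.0.9", f"10.0.1.{h}", 445, "S", False) for h in range(1, 8)]
SAMPLE += [("10.0.0.9", "10.0.1.2", 8080, "FPU", False)]  # single Xmas probe

def parse_ports(spec):
    """Expand a DetectThesePorts-style list such as "22,80,8000-8010" into a set."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)

def scan_type(flags):
    """Submethod that considers a flow, judged from its TCP flag letters (S/F/P/U)."""
    f = set(flags)
    if not f:
        return "TCPNull"
    if {"F", "P", "U"} <= f:  # checked before FIN, since Xmas probes carry FIN too
        return "TCPXmas"
    return "TCPFIN" if "F" in f else "TCPSYN" if "S" in f else None

def detect(flows, scans_threshold=5, ignore_chaotic=False, ignore_unsucc=False,
           detect_only_known=False, detect_these_ports=frozenset()):
    """Group probes per (source, submethod) and report those reaching ScansThreshold."""
    attempts = defaultdict(list)
    for src, dst, dport, flags, answered in flows:
        kind = scan_type(flags)
        if kind is None or (ignore_unsucc and not answered):
            continue
        if detect_only_known and dport >= 1024 and dport not in detect_these_ports:
            continue
        attempts[(src, kind)].append((dst, dport, answered))
    events = {}
    for key, probes in attempts.items():
        if len(probes) < scans_threshold:
            continue
        targets = {d for d, _, _ in probes}
        ports = {pt for _, pt, _ in probes}
        # Simplified shape rule (assumption): one port across hosts = horizontal,
        # many ports on one host = vertical, anything else = chaotic.
        shape = ("horizontal" if len(targets) > 1 and len(ports) == 1 else
                 "vertical" if len(targets) == 1 and len(ports) > 1 else "chaotic")
        if shape == "chaotic" and ignore_chaotic:
            continue
        events[key] = {"shape": shape, "targets": len(targets), "ports": sorted(ports),
                       "responded": sum(1 for _, _, a in probes if a)}
    return events
```

Running `detect(SAMPLE)` yields a vertical SYN scan from 10.0.0.5 (one host, six ports, one responding) and a horizontal SYN scan from 10.0.0.9 (port 445 across seven hosts); the lone Xmas probe stays below ScansThreshold and is not reported.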

UDP

  • UDPThreshold: Minimum number of unsuccessful UDP port-scanning attempts from a single device required to trigger an event. The detection is based on monitoring UDP and ICMP traffic.

ARP

  • ARPScan: Minimum number of ARP requests required for the activity to be considered ARP scanning.

  • MinTargets: Minimum number of IP addresses scanned using ARP requests.

Method configuration

When the PortBasedDetection parameter is not active, it is recommended to apply this method for all IP addresses. Otherwise, it only needs to be applied to IP addresses from the monitored network. The correct place for traffic monitoring is the central switch and the Internet connection line.

Assigned filter

  • PortBasedDetection: Only flows whose destination IP address matches the assigned filter will be processed.

  • Other submethods: Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

Apart from detecting deliberate port-scanning attempts, this method may also detect misconfigured devices that are unsuccessfully trying to establish connections, or devices infected with malware that is trying to replicate itself to other devices.
