The assumption that network port scans are a precursor to attempted hacks into computers may be flawed, according to research from the University of Maryland’s A. James Clark School of Engineering.

An analysis of quantitative attack data gathered by the university over a two-month period shows that port scans precede attacks only about 5 percent of the time, said Michel Cukier, a professor in the Center for Risk and Reliability at the engineering school. The results of the research were released publicly last week.

In fact, more than half of all attacks aren’t preceded by a scan of any kind, Cukier said.

“There’s been a lot of discussion in the security community about whether a port scan portends an attack or not,” he said. “The goal of the research is to find a link between port scans and an attack.”

Fact or fiction?

Port scans are generally believed to be used by attackers to discover open or closed ports and unused network services to exploit. Large increases in scans against a particular port have long been viewed as a signal of impending attacks against that port. But the evidence gathered from 48 days’ worth of data collected from two “honeypot” computers used in the study suggests otherwise, Cukier said. Honeypot computers are used as bait to lure hackers.

Only 28 out of 760 IP addresses that were tied to attacks against the university’s computers had launched a port scan, Cukier said. In contrast, 381 of the IP addresses launched attacks without any previous port-scanning activity.

The study did find that 21 percent of the attacks were preceded by vulnerability scans, which are used by hackers to look for specific vulnerabilities on network-attached computers, Cukier said.

The numbers suggest that only when port scans are combined with vulnerability-scanning activity is there a reasonably good chance of a follow-up attack, he said.

During the study, more than 22,000 connections to the two honeypot computers were analyzed. Scripts were developed to categorize the data into port scans, vulnerability scans, Internet Control Message Protocol scans and attacks.

For the analysis, port scans were defined as connections involving fewer than five data packets and vulnerability scans as those connections with five to 12 packets. Connections with more than 12 packets were classified as attacks.

Johannes Ullrich, chief technology officer at the SANS Institute’s Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic.

Rather than counting the number of packets in a connection, it’s far more important to look at the content when classifying a connection as a port scan or an attack, Ullrich said.

Often, attacks such as the SQL Slammer worm, which hit in 2003, can be as small as one data packet, he said. A lot of the automated attacks that take place combine port and vulnerability scans and exploit code, according to Ullrich.

As a result, much of what researchers counted as port scans may have actually been attacks, said Ullrich, whose Bethesda, Md.-based organization provides Internet threat-monitoring services.
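The packet-count classification and the per-IP "was this attack preceded by a scan" linkage described above, followed by the misclassification Ullrich objects to, as an added example that is not the study's scripts or data; the connection log, its source addresses and its ground-truth labels are constructed for illustration:

```python
from collections import defaultdict

# Thresholds quoted in the article: fewer than 5 packets = port scan,
# 5 to 12 = vulnerability scan, more than 12 = attack.
def classify(packets):
    if packets < 5:
        return "port_scan"
    if packets <= 12:
        return "vuln_scan"
    return "attack"

# Constructed log, not the study's data: (seconds, src_ip, packets, truth label
# given by the constructor). .1 scans then attacks, .2 attacks cold, .3 vuln-scans
# then attacks, .4 sends a one-packet attack (the Slammer pattern Ullrich cites).
CONNECTIONS = [
    (0, "10.0.0.1", 1, "port_scan"), (5, "10.0.0.1", 2, "port_scan"),
    (60, "10.0.0.1", 40, "attack"), (10, "10.0.0.2", 25, "attack"),
    (20, "10.0.0.3", 8, "vuln_scan"), (90, "10.0.0.3", 30, "attack"),
    (30, "10.0.0.4", 1, "attack"),
]

def link_scans_to_attacks(conns):
    """Map each source that launched a count-classified attack to the scan
    types it performed earlier, mirroring the study's per-IP linkage."""
    by_src = defaultdict(list)
    for ts, src, pk, _ in sorted(conns):
        by_src[src].append(classify(pk))
    linked = {}
    for src, kinds in by_src.items():
        seen = set()
        for kind in kinds:
            if kind == "attack":
                linked.setdefault(src, set()).update(seen)
            else:
                seen.add(kind)
    return linked

def summarize(conns):
    linked = link_scans_to_attacks(conns)
    return {"attackers": len(linked),
            "after_port_scan": sum("port_scan" in s for s in linked.values()),
            "after_vuln_scan": sum("vuln_scan" in s for s in linked.values()),
            "no_prior_scan": sum(not s for s in linked.values())}

def misclassified(conns):
    """Ullrich's objection: a count-only rule files a one-packet attack under
    port_scan. Returns (src, count_label, truth) where the two disagree."""
    return [(src, classify(pk), truth)
            for _, src, pk, truth in conns if classify(pk) != truth]
```

Note that the one-packet attacker never appears in the attacker tally at all, so a count-only rule both undercounts attacks and inflates the port-scan bucket.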
By Jaikumar Vijayan – Computerworld (US)