CITS3002 Computer Networks  

TCP/IP port scanning

With port scanning an attacker tries to identify which services a potential target host offers. Whenever an active port is located, the attacker may go further and try to determine the name and version of the server software behind it (for example, from the banner many services send as soon as a connection is accepted).

Although dedicated port-scanning software such as nmap may be used, much of the information about active ports can be determined with a simple tool like telnet as well, by attempting to connect to one port at a time.

What information does an attacker learn from port scanning?

  • if an attacker learns that a port is open, they can connect to it and interact with the service listening there,
  • if an attacker learns that a port is closed, they learn that the host is up but no service is listening on that port,
  • additionally, some scanning software (nmap, for example) reports ports as filtered, meaning that the probe received no reply within the timeout or was answered with an ICMP unreachable error. A firewall is probably dropping the probe, so the scanner cannot tell whether the port is open or closed.

For example, the naive TCP Connect Scan completes the TCP three-way handshake. A SYN packet is sent to the target and, if a SYN/ACK packet is received, the port is assumed to be open; the scanner then completes the handshake with an ACK, so the connection is visible to the service and may appear in its logs. If a RST/ACK packet is received, the port is assumed to be closed. (A SYN, or "half-open", scan instead answers the SYN/ACK with a RST, so no full connection is ever established.)

Attackers may further attempt to hide their scans by:

  • scanning ports very slowly, and certainly not in numerical order; unless the target is a very quiet system, such probes are unlikely to be noticed among normal traffic.
  • performing hundreds of scans simultaneously from hundreds of random/spoofed IP addresses. The target host will know it is being scanned, but not from where.
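The following is an added example illustrating both the TCP Connect Scan described above and the slow, randomised scanning just mentioned; it is not code from the lecture notes. It interprets the outcome of a full connect() the way a connect scan does (handshake completed = open, RST/ECONNREFUSED = closed, timeout or ICMP unreachable = filtered), grabs whatever banner the service sends first, and can shuffle the port order and pause between probes. The target, the banner text and the port numbers are constructed locally (a throw-away listener on 127.0.0.1) so the scan runs offline; `start_banner_service` and `free_port` are hypothetical helpers that exist only to build that target.

```python
import errno
import random
import socket
import threading
import time

# Added example, not part of the CITS3002 notes. The scanned "services"
# below are constructed on the loopback interface so the scan runs offline.


def probe_port(host, port, timeout=1.0):
    """Full TCP connect to host:port; return (state, banner).

    state follows the usual connect-scan interpretation:
      open     - three-way handshake completed (SYN -> SYN/ACK -> ACK)
      closed   - peer answered the SYN with RST (seen here as ECONNREFUSED)
      filtered - no answer within the timeout, or an ICMP unreachable error,
                 i.e. something (usually a firewall) dropped or rejected the
                 probe and the real port state is unknown
    banner is whatever the service sent first, or '' if nothing arrived.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except (socket.timeout, OSError):
                banner = ""  # service waits for the client to speak first
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except socket.timeout:
        return "filtered", ""
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", ""
        raise


def connect_scan(host, ports, timeout=1.0, randomize=False, delay=0.0):
    """Connect-scan each port in `ports`; return {port: (state, banner)}.

    randomize=True visits the ports in shuffled order and delay>0 sleeps
    between probes: the two evasion tricks mentioned in the notes, which
    avoid the tell-tale burst of sequential connection attempts.
    """
    order = list(ports)
    if randomize:
        random.shuffle(order)
    results = {}
    for port in order:
        results[port] = probe_port(host, port, timeout)
        if delay:
            time.sleep(delay)
    return results


def start_banner_service(banner):
    """Constructed stand-in for a real service: listen on a free loopback
    port and greet every client with `banner`. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port with nothing listening, used as the 'closed' target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    # Constructed banner; a real scan would see e.g. an SSH or SMTP greeting.
    open_port = start_banner_service(b"SSH-2.0-ConstructedBanner_1.0\r\n")
    closed_port = free_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port],
                           timeout=1.0, randomize=True, delay=0.1)
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d}/tcp  {state:8s}  {banner}")
    return results


if __name__ == "__main__":
    demo()
```

Because the scanner completes the handshake, every probe of an open port reaches the application and can be logged by it; that is the price of a connect scan versus a half-open SYN scan, which needs raw sockets to send the RST itself. The "filtered" branch cannot be exercised against the loopback interface, since nothing there drops packets; against a firewalled host it is what distinguishes "no reply" from a genuine RST.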



CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p5, 15th May 2024.