A port scan is a network reconnaissance technique designed to identify which ports are open on a computer. This can enable the scanner to identify the applications running on the system as certain programs listen on particular ports and react to traffic in certain ways. For example, HTTP uses port 80, DNS uses port 53, and SSH uses port 22.
IP addresses are vital to routing traffic over a network. An IP address uniquely identifies the device where a packet should be routed. However, knowing that a particular computer should receive a packet is not enough for it to reach its destination. A computer can be running many different applications at the same time, and several may be simultaneously sending and receiving traffic over the network.
The TCP and UDP protocols define the concept of ports on a computer. An application can send traffic and listen on a particular port. The combination of an IP address and a port enables routing devices and the endpoint to ensure that traffic reaches the intended application.
A port scanner, such as nmap, works by sending traffic to a particular port and examining the results. If a port is open, closed, or filtered by a network security solution, it will respond in different ways to a port scan, including:
Different computers will respond to different packets in different ways. Also, some types of port scans are more obvious than others. For this reason, a port scanner may use a variety of scanning techniques.
Some of the more common types of port scans include:
A port scan can provide a wealth of information about a target system. In addition to identifying if a system is online and which ports are open, port scanners can also identify the applications listening to particular ports and the operating system of the host. This additional information can be gleaned from differences in how a system responds to certain types of requests.
Port scanning is a common step during the reconnaissance stage of a cyberattack. A port scan provides valuable information about a target environment, including the computers that are online, the applications that are running on them, and potentially details about the system in question and any defenses it may have (firewalls, etc.).
This information can be useful when planning an attack. For example, knowing that an organization is running a particular web or DNS server can allow the attacker to identify potentially exploitable vulnerabilities in that software.
Many of the techniques used by port scanners are detectable in network traffic. Traffic to many ports, some of which are closed, is anomalous and can be detected by a network security solution like an IPS. Also, a firewall can filter unused ports or implement access control lists that limit the information provided to a port scanner.
Check Point’s Quantum IPS provides protection against port scanning and other cyber threats. To learn more about the other threats that Quantum IPS can manage, check out Check Point’s 2023 Cyber Security Report. You’re also welcome to sign up for a free demo to see the capabilities of Quantum IPS for yourself.