What is a Port Scan?

A port scan is a network reconnaissance technique designed to identify which ports are open on a computer. This can enable the scanner to identify the applications running on the system as certain programs listen on particular ports and react to traffic in certain ways. For example, HTTP uses port 80, DNS uses port 53, and SSH uses port 22.


The Need For Port Scan

IP addresses are vital to routing traffic over a network. An IP address uniquely identifies the device where a packet should be routed. However, knowing that a particular computer should receive a packet is not enough for it to reach its destination. A computer can be running many different applications at the same time, and several may be simultaneously sending and receiving traffic over the network.

The TCP and UDP protocols define the concept of ports on a computer. An application can send traffic and listen on a particular port. The combination of an IP address and a port enables routing devices and the endpoint to ensure that traffic reaches the intended application.

How Does a Port Scanner Operate?

A port scanner, such as nmap, works by sending traffic to a particular port and examining the result. A port responds differently to a probe depending on whether it is open, closed, or filtered by a network security solution:

  • Open: An open port where an application is listening for traffic should respond to a legitimate request. For example, an open port receiving a TCP SYN packet should respond with a SYN/ACK.
  • Closed: If a port is closed, then attempts to communicate with it are considered an error by the computer. A TCP SYN packet to a closed port should result in a RST (reset) packet.
  • Filtered: Some ports may be filtered by a firewall or intrusion prevention system (IPS). Packets sent to these ports will likely receive no response.

Different computers will respond to different packets in different ways. Also, some types of port scans are more obvious than others. For this reason, a port scanner may use a variety of scanning techniques. 

Some of the more common types of port scans include:

  • Ping Scan: The simplest type of scan, a ping scan sends a ping request to a computer and looks for a ping response. This scan can determine if a computer is online and reachable.
  • SYN Scan: A SYN packet is the first step in the TCP handshake, and open ports will reply with a SYN-ACK. In a SYN or TCP half-open scan, the port scanner does not complete the handshake with the final ACK, so the full TCP connection is not opened.
  • TCP Connect Scan: A TCP connect scan completes the full TCP handshake. Once the connection is established, the scanner tears it down normally.
  • UDP Scan: UDP scans check for ports listening for UDP traffic. These can identify DNS and other UDP-based services.
  • XMAS and FIN Scans: XMAS and FIN scans violate the TCP standard by sending packets with invalid combinations of flags. Different systems react to these packets in different ways, so these scans can reveal details of the target system and whether it is protected by a firewall.
  • FTP Bounce Scan: The FTP protocol allows proxy FTP connections where a server will make FTP connections to another server on behalf of a client. An FTP bounce scan uses this functionality to indirectly perform a port scan.

A port scan can provide a wealth of information about a target system. In addition to identifying if a system is online and which ports are open, port scanners can also identify the applications listening to particular ports and the operating system of the host. This additional information can be gleaned from differences in how a system responds to certain types of requests.

How Do Cybercriminals Use Port Scanning as an Attack Method?

Port scanning is a common step during the reconnaissance stage of a cyberattack. A port scan provides valuable information about a target environment, including the computers that are online, the applications that are running on them, and potentially details about the system in question and any defenses it may have (firewalls, etc.).

This information can be useful when planning an attack. For example, knowing that an organization is running a particular web or DNS server can allow the attacker to identify potentially exploitable vulnerabilities in that software.

Prevent Port Scan Attacks with Check Point

Many of the techniques used by port scanners are detectable in network traffic. Traffic to many ports, some of which are closed, is anomalous and can be detected by a network security solution like an IPS. Also, a firewall can filter unused ports or implement access control lists that limit the information provided to a port scanner.
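As an added example (not Check Point's code or part of the original article), the following Python script applies the open/closed/filtered response rules described above to a constructed SYN-probe log and flags a source that walks many ports and mostly receives resets, which is the anomaly this paragraph describes. The log format, the thresholds, and the addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of a SYN-probe log: time, source, destination:port, and what
# the target answered (synack = open, rst = closed, none = no reply / filtered).
# These lines are made up for the example; they are not real log data.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 192.0.2.10:22 synack
10:00:01 198.51.100.7 -> 192.0.2.10:23 rst
10:00:01 198.51.100.7 -> 192.0.2.10:25 rst
10:00:01 198.51.100.7 -> 192.0.2.10:53 none
10:00:02 198.51.100.7 -> 192.0.2.10:80 synack
10:00:02 198.51.100.7 -> 192.0.2.10:110 rst
10:00:02 198.51.100.7 -> 192.0.2.10:143 rst
10:00:02 198.51.100.7 -> 192.0.2.10:443 rst
10:00:03 198.51.100.7 -> 192.0.2.10:3306 rst
10:00:03 198.51.100.7 -> 192.0.2.10:8080 rst
10:00:05 203.0.113.4 -> 192.0.2.10:80 synack
10:00:09 203.0.113.4 -> 192.0.2.10:443 synack
"""

# Response-to-state mapping from the article: SYN/ACK = open, RST = closed, silence = filtered.
STATE = {"synack": "open", "rst": "closed", "none": "filtered"}

def parse(log):
    """Yield (src, port, state) tuples from the assumed log format."""
    for line in log.splitlines():
        _ts, src, _arrow, dst, reply = line.split()
        port = int(dst.rsplit(":", 1)[1])
        yield src, port, STATE[reply]

def detect_scanners(log, min_ports=8, min_closed_ratio=0.5):
    """Flag sources that probe many distinct ports with most of them closed or filtered.
    A normal client talks to a few open ports; a scanner walks many and mostly gets RSTs."""
    seen = defaultdict(dict)  # src -> {port: state}
    for src, port, state in parse(log):
        seen[src][port] = state
    findings = {}
    for src, ports in seen.items():
        not_open = sum(1 for s in ports.values() if s != "open")
        ratio = not_open / len(ports)
        if len(ports) >= min_ports and ratio >= min_closed_ratio:
            findings[src] = {
                "ports_probed": len(ports),
                "closed_or_filtered_ratio": round(ratio, 2),
                "open_ports_learned": sorted(p for p, s in ports.items() if s == "open"),
            }
    return findings

if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_LOG).items():
        print(src, finding)
```

The thresholds are deliberately simple; a production IPS would also weigh timing and distinct destinations, but the core signal is the same.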

Check Point’s Quantum IPS provides protection against port scanning and other cyber threats. To learn more about the other threats that Quantum IPS can manage, check out Check Point’s 2022 Cyber Security Report. You’re also welcome to sign up for a free demo to see the capabilities of Quantum IPS for yourself.
