
1 Port Scanning Detection
Zelfi Security Team, Project 1
Supervised by Loai Bani Melhim, Issa Smadi
April 11
Network Security Project Team

2 Topics to be covered
– What is a network?
– What is network security?
– Threats to network security
– Port scanning
– Computer ports
– Scanning types
– Scanning techniques
– TCP and TCP flags
– Detection model

3 What is a network?
A network consists of two or more computers that are linked together in order to share resources (printers and CDs), exchange files, or allow electronic communication. The computers on a network may be linked through cables, telephone lines, radio waves, satellites, or infrared light beams.

4 What is network security?
Network security involves all activities that organizations and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them.

5 Why should we care about computer security?
We use computers for everything:
– Banking
– Shopping
– Communicating with others through email or chat programs
– Entertainment
– Trading
– Learning
– Social activities
– Investments, etc.

6 Why should we care about computer security?
Although you may not consider your communications "top secret", you probably do not want strangers:
– reading your email
– using your computer to attack other systems
– sending forged email from your computer
– examining personal information stored on your computer (such as financial statements)

7 Threats to network security
– Viruses
– Computer worms
– Vandals
– Attacks, including reconnaissance attacks (scanning) and denial-of-service attacks
– Data interception
– Social engineering

8 Port scanning
"A port scan is a method used by intruders to discover the services running on a target machine. Based on the response received from the port, the scan utility can determine the status of that port. By simply checking whether a given port is open or closed, an attacker can determine whether to attack that machine on that specific port or not."

9 Port scanning
Various scanning tools are widely available over the internet, and the internet itself has become much faster because of increasing bandwidth. Nowadays port scans have become much easier to perform because of the various software tools available over the internet.

10 What is a computer port?
"A software port is a virtual data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location." Examples are TCP and UDP ports, which are used to exchange data between computers on a network.

11 What is a computer port?
Each communication (connection or datagram) goes to a port (mailbox) on a system. A port is "open" when a server is listening for a message.

12 What is a computer port?
Port numbers are unique within a computer system. A port number is a 16-bit unsigned integer, so the number of available ports is 2^16 = 65536, numbered from 0 to 65535.

13 What is a computer port?
Normally, ports are divided into three distinct categories:
– Well-known ports: 0 to 1023
– Registered ports: 1024 to 49151
– Dynamic and/or private ports: 49152 to 65535

14 What is a computer port?
The well-known ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users. An attempt by an unprivileged user to open a port in the range 0 to 1023 will fail.

15 What is a computer port?
Some commonly used well-known ports:
– Port 20: FTP data
– Port 21: FTP control
– Port 22: SSH
– Port 23: Telnet
– Port 25: SMTP
– Port 53: DNS
– Port 80: HTTP

16 Why is port scanning dangerous?
A port scan is often viewed as the first step of an attack. A scan can disclose much sensitive information about the host. Nowadays a port scan is considered the most common way to collect information about a target network for eavesdropping and attacking, so network security researchers take this matter into consideration.

17 Is it difficult to detect a scan?
Simple forms of scans appear as a sequential pattern of accesses in a short period of time, e.g., accesses to a sequence of IP addresses or port numbers. This type of access pattern can be easily detected. However, more sophisticated attackers are starting to hide their intentions using new techniques.

18 Techniques to hide scan intentions
– Randomizing the order of scans
– Initiating the scans from a number of different sources
– Spreading scans over a long time period
– Using IP spoofing tools

19 Host scan definition
A host scan involves sending packets to a range of network addresses in order to find out which addresses represent an active host. If a host responds, it is active.

20 Port scan definition
A port scan is a method of sending packets to a range of TCP or UDP ports on a specific destination in order to identify each port's status (open or closed).

21 Scan classification
– Inbound scan
– Outbound scan

22 Inbound scans
An inbound scan is when an attacker outside the network is scanning for vulnerabilities within the monitored network.

23 Inbound scans
Figure 1: typical inbound scan

24 Outbound scans
An outbound scan is when someone within the monitored network is scanning for vulnerabilities outside the monitored network.

25 Outbound scans
Figure 2: typical outbound scan

26 Normal source
Authorized users usually make a small number of accesses to known destination addresses and port numbers. These connection attempts are more likely to be successfully established. Figure 3 shows a normal user who accesses two destinations within the target network, both of which were active.

27 Normal source
Figure 3: potential access pattern of a normal source. Ticks in the diagram represent destination hosts that are alive and crosses represent hosts that are non-existent.

28 Abnormal source
Most intrusive (scanning) sources do not know the exact configuration of their victim's network. The access pattern of intrusive sources often differs significantly from that of a normal source. Due to this lack of knowledge of which host and port combinations are available, many packets sent by scanners are not to real destinations.

29 Abnormal source
Not surprisingly, these packets do not establish successful connections or exchange useful information. Scanners also often send packets in abnormally large amounts to a large number of hosts or to a varying range of ports. Figure 4 depicts a scanner accessing seven destinations, five of which are inactive. This difference in access pattern is the basis of most network intrusion detection systems.

30 Abnormal source
Figure 4: potential access pattern of an abnormal source. Ticks in the diagram represent destination hosts that are alive and crosses represent hosts that are non-existent.

31 Scanning source
Abnormal access patterns generated by scans are:
1. Attempts to access an unusual number of uncommon and non-existent destinations.
2. An irregular number of failed connections; such sources are often deemed suspicious.

32 Scan types
Different attackers may have different motivations for scanning. The information an attacker is interested in therefore differs per scan.

33 Scan types
1. Horizontal scans focus on probing two or more hosts for one specific port. This type of scan is common when an attacker knows how to exploit just one particular vulnerability (common when the attacker is a worm) and is in search of a vulnerable host.

34 Horizontal scans
Figure 5: horizontal scanning

35 Scan types
2. Vertical scans focus on probing one host for a larger set of ports. This occurs when an attacker's interest is to map all potential vulnerabilities of one particular host.

36 Vertical scans
Figure 6: an example showing a vertical scan

37 Scan types
3. Block scans are both horizontal and vertical, probing a large number of ports on more than one host. In practice, however, block scans tend to scan no more than two or three ports per host.

38 Block scans
Figure 7: an example showing a block scan
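The access-pattern reasoning of slides 26 to 31 (many failed connections, many non-existent destinations) and the horizontal/vertical/block taxonomy of slides 33 to 37, worked through in Python. This is an added example, not code from the Zelfi Security Team project: the connection records, the source and destination addresses, and the thresholds (five or more failed attempts, a failure ratio of at least one half, three or more hosts or ports to call a pattern "wide") are constructed for the demonstration and are not taken from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attempt:
    """One observed connection attempt (constructed record format, not a real log)."""
    src: str
    dst: str
    dport: int
    outcome: str  # "established", "refused" (RST from a live host) or "no_reply"


@dataclass
class SourceProfile:
    attempts: int = 0
    failed: int = 0                               # refused + no_reply
    hosts: set = field(default_factory=set)       # distinct destination hosts
    ports: set = field(default_factory=set)       # distinct destination ports
    answered: dict = field(default_factory=dict)  # host -> did it ever reply?

    @property
    def fail_ratio(self) -> float:
        return self.failed / self.attempts if self.attempts else 0.0

    @property
    def nonexistent_hosts(self) -> set:
        # Hosts that never answered anything: the "crosses" of figures 3 and 4.
        return {h for h, replied in self.answered.items() if not replied}


def profile_sources(attempts):
    """Aggregate attempts per source address."""
    profiles = defaultdict(SourceProfile)
    for a in attempts:
        p = profiles[a.src]
        p.attempts += 1
        p.hosts.add(a.dst)
        p.ports.add(a.dport)
        p.answered[a.dst] = p.answered.get(a.dst, False) or a.outcome != "no_reply"
        if a.outcome != "established":
            p.failed += 1
    return dict(profiles)


# Thresholds are assumptions chosen for this demo; the slides give no numbers.
def is_scanner(p, min_failed=5, min_fail_ratio=0.5):
    """Slide 31: many failed connections, mostly to destinations that do not answer."""
    return p.failed >= min_failed and p.fail_ratio >= min_fail_ratio


def classify_scan(p, min_width=3):
    """Slides 33 to 37: shape of the access pattern of a flagged source."""
    if len(p.hosts) >= min_width and len(p.ports) == 1:
        return "horizontal"
    if len(p.hosts) == 1 and len(p.ports) >= min_width:
        return "vertical"
    if len(p.hosts) >= min_width and len(p.ports) > 1:
        return "block"
    return "unclassified"


def detect(attempts):
    """Map each source judged to be scanning to its scan type."""
    return {src: classify_scan(p)
            for src, p in profile_sources(attempts).items() if is_scanner(p)}


# Constructed sample traffic (addresses from documentation ranges, not real hosts).
SAMPLE = [
    # Normal user (slides 26, 27): two known destinations, both alive.
    Attempt("10.0.0.5", "192.168.1.10", 80, "established"),
    Attempt("10.0.0.5", "192.168.1.10", 80, "established"),
    Attempt("10.0.0.5", "192.168.1.20", 22, "established"),
    # Horizontal scanner (slides 29, 33): one port, seven hosts, five non-existent.
    *[Attempt("203.0.113.7", f"192.168.1.{h}", 445, "no_reply") for h in (11, 12, 13, 14, 15)],
    Attempt("203.0.113.7", "192.168.1.10", 445, "refused"),
    Attempt("203.0.113.7", "192.168.1.20", 445, "refused"),
    # Vertical scanner (slide 35): one host, many ports, mostly closed.
    *[Attempt("198.51.100.9", "192.168.1.10", p, "refused") for p in (21, 23, 25, 53, 110, 143, 443, 3306)],
    Attempt("198.51.100.9", "192.168.1.10", 22, "established"),
    Attempt("198.51.100.9", "192.168.1.10", 80, "established"),
    # Block scanner (slide 37): two ports each on four hosts, nothing answered.
    *[Attempt("192.0.2.33", f"192.168.1.{h}", p, "no_reply") for h in (31, 32, 33, 34) for p in (22, 80)],
]

if __name__ == "__main__":
    for src, p in profile_sources(SAMPLE).items():
        print(src, f"attempts={p.attempts} failed={p.failed} ratio={p.fail_ratio:.2f}",
              f"hosts={len(p.hosts)} ports={len(p.ports)} dead={len(p.nonexistent_hosts)}")
    print(detect(SAMPLE))
```

Run as a script it prints one profile line per source and then the verdicts; the normal user is left alone because none of its attempts failed, while the three scanners are flagged and labelled horizontal, vertical and block respectively. In a real deployment the records would come from a flow collector or firewall log, and the thresholds would be tuned to the monitored network's own baseline.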

39 TCP connection management
Three-way handshake:
– Step 1: the client host sends a TCP SYN segment to the server; it specifies the initial sequence number and carries no data.
– Step 2: the server host receives the SYN and replies with a SYN-ACK segment; the server allocates buffers and specifies the server's initial sequence number.
– Step 3: the client receives the SYN-ACK and replies with an ACK segment, which may contain data.

40 TCP handshake
(Diagram.) C sends SYN(C) to S, which is listening; S stores the connection data and replies SYN(S), ACK(C); C, which was waiting, replies ACK(S); the two hosts are now connected.

41 Scanning techniques
– TCP connect: attempts to complete the three-way handshake and looks for the SYN-ACK. This scan is easy to detect, since connections are recorded in system log files.
– TCP SYN scan: a "half-connect" scan; looks for the SYN-ACK, then sends a RESET. The target system will not record the connection in its log files; it is also faster than a TCP connect scan.
– TCP FIN, Xmas Tree and Null scans: scans that violate the protocol; closed ports send a RESET, open ports send nothing.

42 TCP segment structure
(Figure: TCP segment structure.)

43 TCP and TCP flags
In the popular three-way handshake, the SYN and ACK flags available in TCP help complete the connection before data is transferred. Each TCP segment has a purpose that is determined by the TCP flag options, allowing the sender or receiver to specify which flags should be used so the segment is handled correctly by the other end. Most scanning techniques make use of these flags to carry out port scanning: each TCP-based scan sets these flags to different values or combinations of values in order to do the scanning.

44 TCP flags
– CWR (Congestion Window Reduced): set by the sending host to indicate that it received a TCP segment with the ECE flag set.
– ECE (ECN-Echo): indicates during the three-way handshake that the TCP peer is ECN capable.
– URG: indicates that the Urgent pointer field is significant.
– ACK: indicates that the Acknowledgment field is significant.
– PSH: push function.
– RST: reset the connection (seen on rejected connections).
– SYN: synchronize sequence numbers (seen on new connections).
– FIN: no more data from sender (seen after a connection is closed).
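Slides 41, 43 and 44 describe how the scan techniques differ in the TCP flag combinations they send and in whether the handshake is completed. The following Python is an added example, not from the presentation: it decodes the flags byte of a raw TCP header, names the probe type a single unsolicited segment matches, and classifies a captured client/server exchange as a full TCP connect, a half-open (SYN) scan, a refused port, or a FIN/Xmas/Null probe using the slide-41 rule that closed ports answer RST and open ports stay silent. The sample headers are constructed offline with a small packer so the example runs without a capture file; the port and sequence numbers are arbitrary.

```python
import struct

# Flag bits of the flags byte in the TCP header (RFC 793; ECE/CWR from RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_to_names(byte):
    return frozenset(name for name, bit in FLAG_BITS.items() if byte & bit)


def names_to_byte(names):
    byte = 0
    for name in names:
        byte |= FLAG_BITS[name]
    return byte


def build_tcp_header(sport, dport, seq, ack, flag_names, window=65535):
    """Pack a minimal 20-byte TCP header (no options, zero checksum).
    Used here only to construct sample bytes offline for the demo."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, names_to_byte(flag_names), window, 0, 0)


def parse_tcp_header(raw):
    """Return (sport, dport, seq, ack, flags) from raw TCP header bytes."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", raw[:14])
    if (offset >> 4) < 5:
        raise ValueError("invalid data offset")
    return sport, dport, seq, ack, flags_to_names(flags)


def classify_probe(flags):
    """Which slide-41 technique a single unsolicited client segment matches."""
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if flags == {"SYN"}:
        return "syn"
    return "other"


def classify_flow(segments):
    """Classify one client/server exchange.
    segments: (direction, raw_tcp_header) pairs in arrival order, direction
    "c>s" (client to server) or "s>c" (server to client).
    Returns (technique, what the probe learned about the port)."""
    parsed = [(d, parse_tcp_header(raw)[4]) for d, raw in segments]
    if not parsed or parsed[0][0] != "c>s":
        return ("none", "unknown")
    first = classify_probe(parsed[0][1])
    replies = [f for d, f in parsed[1:] if d == "s>c"]
    if first in ("null", "fin", "xmas"):
        # Protocol-violating probes: a closed port answers RST, an open port stays silent.
        closed = any("RST" in r for r in replies)
        return (first + " scan", "closed" if closed else "open|filtered")
    if first == "syn":
        if not replies:
            return ("unanswered SYN", "filtered")
        if "RST" in replies[0]:
            return ("connect or SYN scan", "closed")
        if {"SYN", "ACK"} <= replies[0]:
            # Port is open; the client's next segment tells connect from half-open.
            follow = [f for d, f in parsed[2:] if d == "c>s"]
            if follow and "RST" in follow[0]:
                return ("SYN (half-open) scan", "open")
            if follow and "ACK" in follow[0]:
                return ("TCP connect", "open")
            return ("incomplete handshake", "open")
    return ("normal traffic", "unknown")


# Constructed sample exchanges; ports and sequence numbers are arbitrary.
C, S = 40000, 22
SYN = build_tcp_header(C, S, 1000, 0, {"SYN"})
SYN_ACK = build_tcp_header(S, C, 5000, 1001, {"SYN", "ACK"})
ACK = build_tcp_header(C, S, 1001, 5001, {"ACK"})
CLIENT_RST = build_tcp_header(C, S, 1001, 0, {"RST"})
SERVER_RST = build_tcp_header(S, C, 0, 1001, {"RST", "ACK"})
XMAS = build_tcp_header(C, S, 1000, 0, {"FIN", "PSH", "URG"})
NULL = build_tcp_header(C, S, 1000, 0, set())

FLOWS = {
    "connect": [("c>s", SYN), ("s>c", SYN_ACK), ("c>s", ACK)],
    "half_open": [("c>s", SYN), ("s>c", SYN_ACK), ("c>s", CLIENT_RST)],
    "closed": [("c>s", SYN), ("s>c", SERVER_RST)],
    "xmas_silent": [("c>s", XMAS)],
    "null_rst": [("c>s", NULL), ("s>c", SERVER_RST)],
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, classify_flow(flow))
```

The distinction that matters for the detection model is the one slide 41 draws: a full connect leaves a logged connection on the target, whereas a half-open scan never gets past the SYN-ACK and so only a packet-level sensor (not the host's own logs) will see the client's RST. The FIN/Xmas/Null branch returns "open|filtered" rather than "open" when nothing comes back, because silence from a firewall and silence from an open port are indistinguishable to the probe.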

45 TCP and TCP flags
Figure 6: captured packet with the SYN flag set

46 Problem statement
Our aim is to detect unusual behaviour from a source outside or inside our network, where the behaviour of the source is likely to constitute a host scan or a port scan.

47 Scan detection models
Figure 5: scan detection model

