Loading
Network Probes Explained: Understanding Port Scans and Ping Sweeps
Network probes are important clues in detecting intrusions. In this article, Lawrence Teo explains two common network probes and what can be done to detect them.
Almost any system administrator of a large network will tell you that their network has been probed before. As cracking tools become more popular and increase in number, this trend is likely to continue. Although network probes are technically not intrusions themselves, they should not be taken lightly—they may lead to actual intrusions in the future. As the saying goes, better be safe than sorry. In this article I'll explain the concepts behind two common network probes, as well as how they're performed and what can be done to detect them.
The most common type of network probe is probably the port scan. A port scan is a method used by intruders to discover the services running on a target machine. The intruder can then plan an attack on any vulnerable service that she finds. For example, if the intruder finds that port 143 (the IMAP port) is open, she may proceed to find out what version of IMAP is running on the target machine. If the version is vulnerable, she may be able to gain superuser access to the machine using an “exploit” (a program that exploits a security hole).
A port scan is actually very simple to perform. All we have to do is to connect to a series of ports on the machine and find out which ports respond and which don't. A simple port scanner can be written in under 15 minutes by a good programmer in a language such as Java or Perl. However, this kind of port scan is easily detectable by the operating system of the target machine. Listing 1 shows the traces produced by such a port scan in a log file (usually /var/log/messages) on a Linux box. Notice that a series of connections to various services occurred in a short span of three seconds. Since it's so easily detectable, most intruders will not run this kind of port scan against a machine these days.
Another sneakier, “stealthier” kind of port scan is called the “half-open” SYN scan. In this scan, the port scanner connects to the port but shuts down the connection right before a full connection occurs (hence the name “half-open”). Since a full connection never happened, the operating system of the target machine usually does not log the scan. This concept will be clearer if you're familiar with the inner workings of TCP/IP. In a normal TCP/IP connection, two devices need to complete a three-way handshake before initiating transmission. In a “half-open” SYN scan, the three-way handshake is never completed—the port scanner judges whether the port is open by the response given by the target machine.
Now that we've covered the basic concepts of port scanning, let's talk about the most popular and powerful network probing tool available today—Nmap (Network Mapper). Nmap is capable of conducting both types of port scans that I've discussed so far. It's also capable of performing other kinds of probes—some of which I'll cover later. Listing 2 shows a typical Nmap scan against a machine.
Now (you might be thinking) if “stealth” port scans are possible, how are we supposed to detect them? The good news is that such port scans are detectable using special tools. Solar Designer has developed such a tool called scanlogd, which is a dæmon that runs in a background and listens on the network interface for port scans. If a port scan is detected, scanlogd writes one line describing the scan using the syslog mechanism. Listing 3 shows a scan detected by scanlogd.
There are other tools that can detect port scans as well. I'll not cover them in this article, however. If you're interested, you can check out the Resources section at the end of this article. You might in particular want to check out tcplogd, a configurable TCP port scan detector (you can specify what kind of packets to log, avoid flooding and specify trusted hosts with it).
A ping sweep is another kind of network probe. In a ping sweep, the intruder sends a set of ICMP ECHO packets to a network of machines (usually specified as a range of IP addresses) and sees which ones respond. The whole point of this is to determine which machines are alive and which aren't. It's a bit like knocking on your neighbors' doors at 3 a.m. to see who's asleep and who's not (okay, don't try that). Once the intruder knows which machines are alive, he can focus on which machines to attack and work from there. Note that there are legitimate reasons for performing ping sweeps on a network—a network administrator may be trying to find out which machines are alive on a network for diagnostic reasons.
fping is a tool that can be used for conducting ping sweeps. fping takes a list of IP addresses and sends ping packets to them. Unlike normal ping, fping sends one ping packet to one IP address, and then proceeds immediately to the next IP address in a round-robin fashion. Listing 4 shows a simple Perl script that is used to generate a list of Class C IP addresses (192.168.0.1 to 192.168.0.20, in our example). Listing 5 shows how that Perl script can be used in conjunction with fping to discover which machines in that IP address range are alive on the network. The -a switch is used to show only machines that are alive without it (fping will show machines that are unreachable as well).
Like port scans, ping sweeps are detectable using special tools as well. ippl is an IP protocol logger that can log TCP, UDP and ICMP packets. It is similar to scanlogd, where it sits in the background and listens for packets. Listing 6 shows a line in the log file that demonstrates a ping packet being intercepted by ippl. Be careful when using ippl though—if you're on a busy Ethernet network, you might find that your ippl log files (usually at /var/log/ippl/*) may fill up rather quickly.
There are other ping detection tools available besides ippl—unfortunately, I haven't been able to look at them in detail. One that caught my interest was pingd, which is a userland dæmon that handles ICMP traffic at the host level. One neat feature of pingd is that it integrates with TCP Wrappers to allow you to specify who can ping you and who can't in TCP Wrappers' access control files (/etc/hosts.allow and /etc/hosts.deny).
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- RSS Feeds
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- Developer Poll
- Dart: a New Web Programming Experience
- What's the tweeting protocol?
- New Products
- Linux is good
1 hour 47 min ago - Reply to comment | Linux Journal
2 hours 4 min ago - Web Hosting IQ
2 hours 34 min ago - Web Hosting IQ
2 hours 35 min ago - Web Hosting IQ
2 hours 35 min ago - Reply to comment | Linux Journal
5 hours 36 min ago - play with linux? i think you mean work-around linux
14 hours 2 min ago - Where is Epistle?
14 hours 8 min ago - You forgot OwnCloud
14 hours 38 min ago - aplikasi free
17 hours 52 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
Comments
Ping and Port Scanner
Are this an impact for a company ping sweeps and port scanners
syntax to use ping sweeping...
syntax to use ping sweeping...??????????
fping -g 192.168.1.0/24
fping -g 192.168.1.0/24
Re: Network Probes Explained: Understanding Port Scans and Ping
Question; What are the chances and how could it be done, of some outside agency collecting i/p addresses from active devices on a goverment LAN that has a system alraedy in places to monitor their own performance using a simple pingsweep mechanism themselves???