Portscans
Jonathon Giffin
giffin@cs.wisc.edu
April 25, 2001

In This Talk...
  • Why scan?
  • Anatomy of a portscan
  • Methods
  • Classical detection methods
  • Statistical packet anomaly detection
  • Responding to a portscan
  • Q&[maybe]A
Why Portscan: Black Hats
  • Locate exploitable machines

Say, FTP servers:

cecil.cs.wisc.edu   open
bobby.cs.wisc.edu   closed
ross.cs.wisc.edu    closed
joyce.cs.wisc.edu   open

  • Fingerprint operating systems
  • Monitor services running on own networks
  • Test security policies
Anatomy of a Portscan
  • Scan footprint
    • Set of IPs and ports scanned
    • Defines attacker’s information gathering requirements
  • Horizontal scan
    • Scan same port across multiple machines
    • Idea: attacker has an exploit for this particular service
Scan Footprint
  • Vertical scan
    • Scan multiple ports on a single machine
    • Idea: looking for vulnerable services on a specific machine

e3-16.foundry2.cs.wisc.edu:

Port     State     Service
23/tcp   open      telnet
25/tcp   filtered  smtp
111/tcp  filtered  sunrpc
515/tcp  filtered  printer

Scan Footprint
  • Block scan

Host         21/tcp (ftp)   22/tcp (ssh)   23/tcp (telnet)
cygnet       open           open           open
cilantro     open           open           open
xena         open           open           open
bodik-soho   closed         closed         closed
salsa        open           open           open
bobby        closed         closed         closed

Anatomy of a Portscan
  • Scan script
    • Method of carrying out scan
    • Defines how a given footprint will be scanned
  • Footprint and script together compose a portscan
  • Scan tools available
    • Nmap
      • http://www.insecure.org/nmap/
      • Portscans, OS fingerprinting
    • QueSO
      • http://apostols.org/projectz/queso/
      • OS fingerprinting
Ping Scan
  • Reveals network topology

Host krishna.cs.wisc.edu appears to be up.
Host ursula.cs.wisc.edu appears to be up.
Host antipholus.cs.wisc.edu appears to be up.
Host ferdinand.cs.wisc.edu appears to be up.
Host wonderwoman.cs.wisc.edu appears to be up.
Host thugbert.cs.wisc.edu appears to be up.
Host paneer.cs.wisc.edu appears to be up.
Host coral.cs.wisc.edu appears to be up.
Host crow.cs.wisc.edu appears to be up.
Host chef.cs.wisc.edu appears to be up.

UDP Scan
  • Send any data to UDP port
  • Receive ICMP port unreachable: port closed
  • No response: port open or blocked
Vanilla SYN Scan

[Diagram: client and server completing the full three-way handshake. The client sends SYN; the server answers SYN/ACK and connect returns on the client; the client sends ACK and accept returns on the server.]
Vanilla SYN Scan

crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: . ack
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.41212: F

  • Defense
    • Log completed connections that are immediately closed
Half-Open SYN Scan

[Diagram: client and server in a half-open scan. The client bypasses connect and uses a raw socket to send a constructed SYN packet; when the server's SYN/ACK arrives, the client answers with a constructed RST packet instead of the final ACK, so the handshake never completes and accept never returns on the server.]
Half-Open SYN Scan

crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: R

  • Defense
    • Log all SYN packets received
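The two defenses above (log completed connections that are closed at once, log every SYN) both come down to reading the packet trace per flow. The following Python, added here and not part of the talk, parses tcpdump-style lines in the notation the slides use and labels each flow as a connect scan, a half-open SYN scan, a closed-port probe or a normal connection. The trace is constructed sample data; hostnames, the flag vocabulary (S, F, R, P, ack) and the verdict names are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed tcpdump-style trace in the notation used on the slides
# (source.port > destination.port: flags). Sample data, not a real capture.
SAMPLE_TRACE = """\
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: . ack
crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: F
crash10.cs.wisc.edu.42978 > malakai.cs.wisc.edu.smtp: S
malakai.cs.wisc.edu.smtp > crash10.cs.wisc.edu.42978: S ack
crash10.cs.wisc.edu.42978 > malakai.cs.wisc.edu.smtp: R
crash10.cs.wisc.edu.42979 > malakai.cs.wisc.edu.finger: S
malakai.cs.wisc.edu.finger > crash10.cs.wisc.edu.42979: R
desk1.cs.wisc.edu.5000 > malakai.cs.wisc.edu.ssh: S
malakai.cs.wisc.edu.ssh > desk1.cs.wisc.edu.5000: S ack
desk1.cs.wisc.edu.5000 > malakai.cs.wisc.edu.ssh: . ack
desk1.cs.wisc.edu.5000 > malakai.cs.wisc.edu.ssh: P
desk1.cs.wisc.edu.5000 > malakai.cs.wisc.edu.ssh: F
"""

# host.port on each side; the greedy \S+ leaves the last dotted component as the port
LINE_RE = re.compile(r"^(\S+)\.(\S+) > (\S+)\.(\S+): (.*)$")


def parse_line(line):
    """Return (src, sport, dst, dport, flag_tokens) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, sport, dst, dport, flags.split()


def classify(events):
    """events: list of (from_client, flag_tokens) for one flow, in capture order."""
    client = [set(f) for from_client, f in events if from_client]
    server = [set(f) for from_client, f in events if not from_client]
    synack = any({"S", "ack"} <= f for f in server)
    if any("R" in f for f in server) and not synack:
        return "closed-port probe"          # server answered the SYN with RST
    if not synack:
        return "unanswered SYN"             # filtered port, or no reply captured
    client_acked = any("ack" in f and "S" not in f for f in client)
    if not client_acked and any("R" in f for f in client):
        return "half-open SYN scan"         # SYN, SYN/ACK, then RST: handshake never completed
    if client_acked and not any("P" in f for f in client) and any(f & {"F", "R"} for f in client):
        return "connect scan"               # completed handshake, torn down without sending data
    return "normal connection"


def analyze(trace):
    """Group packets into flows keyed by the initiating side and classify each flow."""
    flows = OrderedDict()
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        forward, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if reverse in flows:
            flows[reverse].append((False, flags))
        else:
            flows.setdefault(forward, []).append((True, flags))
    return {flow: classify(events) for flow, events in flows.items()}


def suspicious_sources(trace):
    """Count non-normal flows per source host: the raw material for a scan alert."""
    counts = {}
    for (client, _, _, _), verdict in analyze(trace).items():
        if verdict != "normal connection":
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for flow, verdict in analyze(SAMPLE_TRACE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
    print(suspicious_sources(SAMPLE_TRACE))
```

The half-open case is the one a server's own connection log never sees, because the handshake is never completed; only a packet-level log (the "log all SYN packets received" defense) captures it, which is why the classifier works on the trace rather than on accept calls.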
Stealth Scans
  • Attempt to avoid server logging
  • Send invalid TCP packets
  • SYNFIN scan
  • XMAS scan
  • FIN scan
    • Windows avoids this scan because its stack is broken (surprise)
  • Null scan
FTP Bounce Scan
  • RFC 959 defines FTP proxy
  • Run portscan via an FTP proxy
Other Possibilities
  • RFC 1413 defines ident protocol
    • Find services running as root


Port     State  Service  Owner
23/tcp   open   telnet   root
25/tcp   open   smtp     root
79/tcp   open   finger   root
80/tcp   open   http     apache
111/tcp  open   sunrpc   rpc
113/tcp  open   auth     nobody

Other Possibilities
  • Insert decoy scans

microsoft.com.54177 > malakai.cs.wisc.edu.352: S
malakai.cs.wisc.edu.660 > crash10.cs.wisc.edu.54177: R
crash10.cs.wisc.edu.54177 > malakai.cs.wisc.edu.128: S

OS Fingerprinting
  • Identification of the operating system running on a remote machine
  • Different kernels perform differently
    • TCP options
    • Initial sequence number
    • ICMP error messages
    • IP fragment overlap
OS Fingerprinting

Machine          Operating System
www              Solaris 2.6-2.7, Solaris 7
pub-nt2          WinNT4 / Win95 / Win98
malakai          Linux 2.1.122 - 2.2.14
e3-16.foundry2   No OS Match
dns              Solaris 2.6-2.7, Solaris 7
crash8           Linux 2.1.122 - 2.2.14
crash10          Linux 2.1.122 - 2.2.14
crash12          No OS Match
openbsd.org      Solaris 2.6

Classical Detection
  • N events in time M
    • Typically measure hits on closed ports
    • Slow scan down to avoid detection
  • Heuristics
    • Hits on empty IP addresses
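The "N events in time M" rule, together with the footprint vocabulary from the Anatomy of a Portscan slides, is small enough to show in full. The Python below is an added example, not code from the talk or from any of the cited tools: a per-source sliding window over closed-port hits that alerts when N hits fall within M seconds, plus a function that names the footprint (horizontal, vertical, block) from the same hits. The event stream, the thresholds and the address values are constructed; the stream includes a slow scan spaced wider than the window, which the rule misses until M is widened, exactly the evasion the slide mentions.

```python
from collections import defaultdict, deque

# Constructed connection-attempt events: (timestamp_seconds, src, dst, dport, state).
# A fast vertical scanner, a slow horizontal scanner and an ordinary client (sample data).
EVENTS = sorted(
    [(float(i), "10.0.0.5", "192.168.1.10", 20 + i, "closed") for i in range(8)]
    + [(100.0 + 15.0 * i, "10.0.0.9", "192.168.1.%d" % (i + 1), 21, "closed") for i in range(8)]
    + [(50.0, "10.0.0.20", "192.168.1.10", 22, "open"),
       (51.0, "10.0.0.20", "192.168.1.10", 80, "open"),
       (52.0, "10.0.0.20", "192.168.1.10", 443, "open"),
       (53.0, "10.0.0.20", "192.168.1.10", 8080, "closed")]
)

N_EVENTS = 5     # N hits on closed ports ...
WINDOW = 10.0    # ... within M seconds raises an alert (both thresholds are assumptions)


class ClosedPortDetector:
    """Classical N-events-in-time-M detector keyed on the source address."""

    def __init__(self, n=N_EVENTS, window=WINDOW):
        self.n, self.window = n, window
        self.hits = defaultdict(deque)   # src -> timestamps of recent closed-port hits
        self.alerted = set()

    def observe(self, ts, src, dst, dport, state):
        """Feed one event; return the source address if it crosses the threshold now."""
        if state != "closed":
            return None
        recent = self.hits[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # slide the window forward
            recent.popleft()
        if len(recent) >= self.n and src not in self.alerted:
            self.alerted.add(src)
            return src
        return None


def run(events, n=N_EVENTS, window=WINDOW):
    """Replay events in time order; return [(timestamp, src)] for each alert raised."""
    detector = ClosedPortDetector(n, window)
    alerts = []
    for event in events:
        src = detector.observe(*event)
        if src is not None:
            alerts.append((event[0], src))
    return alerts


def footprint(events, src):
    """Name the scan footprint from a source's closed-port hits: horizontal, vertical or block."""
    hits = [e for e in events if e[1] == src and e[4] == "closed"]
    hosts = {e[2] for e in hits}
    ports = {e[3] for e in hits}
    if len(hosts) > 1 and len(ports) > 1:
        return "block"
    if len(hosts) > 1:
        return "horizontal"
    if len(ports) > 1:
        return "vertical"
    return "single probe"


if __name__ == "__main__":
    print("alerts, M=10s:", run(EVENTS))
    print("alerts, M=100s:", run(EVENTS, window=100.0))
    for src in ("10.0.0.5", "10.0.0.9", "10.0.0.20"):
        print(src, footprint(EVENTS, src))
```

With the 10-second window only the fast scanner is reported; the slow horizontal scan at 15-second spacing never accumulates five hits in the window, and widening M to 100 seconds catches it at the cost of a longer detection delay. The footprint is computed over closed-port hits only, so the ordinary client with one closed-port hit reads as a single probe rather than a vertical scan.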
Statistical Packet Anomaly Detection
  • Stuart Staniford, James Hoagland, and Joseph McAlerny of Silicon Defense
  • “Practical Automated Detection of Stealthy Portscans”
  • Conjecture
    • Traffic patterns characteristic of portscans have low rates of occurrence
Statistical Packet Anomaly Detection

Layer 2: Anomaly correlation engine
Layer 1: Anomaly detection engine
Layer 0: Packet collection; probability table construction

Layer 0
  • Build characteristic of expected traffic
    • Packet collection
      • Filtering
    • Probability table construction
      • Using header features, store probability of any given packet entering the network
      • Adapt probabilities to changing network use
Layer 1
  • Anomaly detection
    • Rate the anomalousness of each incoming packet
    • Pass any packet with anomalousness above an anomaly threshold to the correlator
Layer 2
  • Anomaly correlation
    • Reconstruct portscans from anomalous traffic
    • Find clusters of similar packets
Data Flows


Anomaly correlation engine

Anomaly detection engine





Prob table


  • Packet collection
    • Restricting to SYN packets
  • Probability tables
    • Relevant header fields
    • Joint probabilities
    • Bayes’ Net
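To make the three layers concrete, here is an added Python sketch that is not code from the talk or from the Silicon Defense paper. Layer 0 builds a joint probability table over (DestAddr, DestPort) from SYN records; Layer 1 scores each new packet as -log2 of its table probability and passes anything above a threshold on; Layer 2 clusters the anomalous packets by source address. The joint table stands in for the Bayes' net the slide mentions, the add-one smoothing and the threshold are assumptions of this example, and the baseline and test traffic are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed training set of inbound SYN records (src, dst, dport): a web server,
# a mail server and one admin host using ssh. Sample data, not real traffic.
BASELINE = (
    [("10.1.1.%d" % (i % 5), "192.168.0.10", 80) for i in range(200)]
    + [("10.1.1.%d" % (i % 5), "192.168.0.11", 25) for i in range(80)]
    + [("10.1.1.7", "192.168.0.12", 22) for _ in range(20)]
)

# Constructed test traffic: one ordinary request, one stray unseen packet, one vertical scan.
NEW_PACKETS = (
    [("10.1.1.2", "192.168.0.10", 80), ("10.1.1.3", "192.168.0.13", 53)]
    + [("10.9.9.9", "192.168.0.10", p) for p in (21, 23, 110, 143, 3306)]
)


class ProbabilityTable:
    """Layer 0: joint probability of (dst, dport) over the SYN packets seen in training."""

    def __init__(self, records):
        self.counts = Counter((dst, dport) for _, dst, dport in records)
        self.total = sum(self.counts.values())

    def prob(self, dst, dport):
        # Add-one smoothing (an assumption of this example, not the paper's method) so an
        # unseen pair gets a small nonzero probability instead of an infinite score.
        return (self.counts[(dst, dport)] + 1) / (self.total + len(self.counts) + 1)

    def anomaly(self, dst, dport):
        """Layer 1 score: the rarer the packet, the higher the score (-log2 probability)."""
        return -math.log2(self.prob(dst, dport))

    def learn(self, dst, dport):
        """Adapt the table to changing network use by folding in a packet judged normal."""
        self.counts[(dst, dport)] += 1
        self.total += 1


def detect(table, packets, threshold):
    """Layer 1: keep packets whose anomaly score exceeds the threshold; learn from the rest."""
    flagged = []
    for src, dst, dport in packets:
        score = table.anomaly(dst, dport)
        if score > threshold:
            flagged.append(((src, dst, dport), round(score, 3)))
        else:
            table.learn(dst, dport)
    return flagged


def correlate(flagged, min_cluster=3):
    """Layer 2: cluster anomalous packets by source; a large enough cluster is a reconstructed scan."""
    by_src = defaultdict(list)
    for (src, dst, dport), _ in flagged:
        by_src[src].append((dst, dport))
    return {src: pkts for src, pkts in by_src.items() if len(pkts) >= min_cluster}


if __name__ == "__main__":
    table = ProbabilityTable(BASELINE)
    flagged = detect(table, NEW_PACKETS, threshold=5.0)
    for packet, score in flagged:
        print(packet, score)
    print(correlate(flagged))
```

The stray packet to an unseen address scores just as high as each scan packet, which is the "correlator must handle many false positives" point from the later slide: Layer 1 alone cannot tell one odd packet from a scan, and it is the clustering in Layer 2 that separates the single anomaly from the five packets sharing a source.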
Mutual Entropy

4.9 million SYN packets incoming to CS networks

Quantity                              Entropy
H( DestAddr )                         6.927819
H( DestAddr | SrcAddr )               2.091069
H( DestAddr | DestPort )              4.064494
H( DestAddr | SrcAddr, DestPort )     1.274497
H( DestAddr | SrcPort )               4.631317
H( DestAddr | SrcAddr, SrcPort )      1.075178
H( DestAddr | DestPort, SrcPort )     2.580522
H( DestAddr | Time )                  5.348499
H( DestAddr | SrcAddr, Time )         0.862256
H( DestAddr | DestPort, Time )        1.540623
H( DestAddr | SrcPort, Time )         1.508940
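The table above asks which header fields best predict the destination address, measured as the conditional entropy H(DestAddr | fields) = sum over contexts of P(context) times H(DestAddr | context). The Python below is an added example, not the talk's own code, that computes the same quantities over a constructed set of SYN records (two sources, three destinations, three ports) small enough to check by hand; the field names follow the slide, the record layout and values are assumptions of this example, and entropies are in bits.

```python
import math
from collections import Counter, defaultdict

# Constructed SYN records (SrcAddr, DestAddr, DestPort); sample data, not the slide's
# 4.9 million packets. Source A talks to X and Y on port 80; source B talks to X on 25 and Z on 22.
RECORDS = (
    [("A", "X", 80)] * 4 + [("A", "Y", 80)] * 4
    + [("B", "X", 25)] * 4 + [("B", "Z", 22)] * 4
)
FIELDS = {"SrcAddr": 0, "DestAddr": 1, "DestPort": 2}


def entropy(values):
    """Shannon entropy in bits of the empirical distribution over the given values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def conditional_entropy(records, target, given):
    """H(target | given): weighted average of the target's entropy within each context."""
    t = FIELDS[target]
    g = [FIELDS[name] for name in given]
    buckets = defaultdict(list)
    for r in records:
        buckets[tuple(r[i] for i in g)].append(r[t])
    n = len(records)
    return sum(len(vals) / n * entropy(vals) for vals in buckets.values())


def entropy_report(records):
    """Same layout as the slide's table: how well each field set predicts DestAddr."""
    report = {"H( DestAddr )": entropy([r[FIELDS["DestAddr"]] for r in records])}
    for given in (("SrcAddr",), ("DestPort",), ("SrcAddr", "DestPort")):
        key = "H( DestAddr | %s )" % ", ".join(given)
        report[key] = conditional_entropy(records, "DestAddr", given)
    return report


if __name__ == "__main__":
    for name, h in entropy_report(RECORDS).items():
        print(f"{name}: {h:.6f}")
```

On this data H(DestAddr) is 1.5 bits, knowing SrcAddr brings it to 1.0, knowing DestPort to 0.5, and knowing both to 0.5: DestPort already determines the destination here, so SrcAddr adds nothing further. The same comparison on the real table is what motivates choosing (SrcAddr, DestPort) and (SrcAddr, Time) as the fields worth conditioning on in the probability tables.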

Bayes’ Net
Anomaly Detection Engine
  • Staniford’s model: packets in isolation
  • Experiment: N size window

Given packets p1, …, pN:
Anomaly Correlation Engine
  • Staniford’s algorithm: bond graph
    • ad hoc clustering method
  • Experiment: use established clustering algorithms
Field Relationships in a Vertical Scan Example

[Diagram: a sequence of TCP packets from a vertical scan, showing which header fields stay fixed and which vary from packet to packet.]

Open Questions
  • Data set size necessary to establish traffic characteristic
  • Relevant header fields
  • Manner of measuring probability
  • Threshold values
  • Malleability of traffic characteristic
  • Packet types captured
Advantages of Statistical Packet Anomaly Detection
  • Adaptive to changing network topology
  • Encompasses classical detection methods
  • Useful beyond port scans
  • Learning curve may be slow
  • Anomalous packets skew expected traffic characteristic
  • Does not evaluate payload
  • Few relevant header fields
  • Correlator must handle many false positives
Responding to a Port Scan
  • What is appropriate action?
    • No legal recourse
    • Block at firewall? Set up for DoS:

microsoft.com > malakai.cs.wisc.edu: icmp: echo request

    • Log for later legal purposes?
    • Tighten network security?
  • Purposes
    • Exploration of remote services
    • OS fingerprinting
  • Port scans have evolved to counter detection methods
  • Classical detection methods inadequate
  • Statistical packet anomaly detection offers an adaptive scan identifier
  • Maybe I’ll know the answer
  • But hey, I do know slides are posted at http://www.cs.wisc.edu/~giffin
  • Fyodor. “The Art of Port Scanning.” Phrack 51, volume 7. September 1, 1997.
  • Fyodor. “Remote OS detection via TCP/IP Stack Fingerprinting.” Phrack 54, volume 8. December 25, 1998.
  • Maimon, Uriel. “Port Scanning Without the SYN Flag.” Phrack 49, volume 7.
  • Man pages, nmap.
  • Solar Designer. “Designing and Attacking Port Scan Detection Tools.” Phrack 53, volume 8. July 8, 1998.
  • Staniford, Stuart, James A. Hoagland, Joseph M. McAlerny. “Practical Automated Detection of Stealthy Portscans.”