Chapter 30 ADP

Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:

TCP Portscan

UDP Portscan

IP Portscan

An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.

Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types:

TCP Decoy Portscan

UDP Decoy Portscan

IP Decoy Portscan

Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple hosts query one host for open services. This may be used to evade intrusion detection. These are distributed port scan types:

TCP Distributed Portscan

UDP Distributed Portscan

IP Distributed Portscan

Port Sweeps

Many different connection attempts to the same port (service) may indicate a port sweep, that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types:

TCP Portsweep

UDP Portsweep

IP Portsweep

ICMP Portsweep

Filtered Port Scans

A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time. These are some filtered port scan examples.

TCP Filtered Portscan

UDP Filtered Portscan

IP Filtered Portscan

TCP Filtered Decoy

UDP Filtered Decoy

IP Filtered Decoy

 

Portscan

 

Portscan

 

Portscan

524

 

ZyWALL USG 100/200 Series User’s Guide