Chapter 30 ADP

30.8.1 Port Scanning

An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.

Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:

TCP Portscan

UDP Portscan

IP Portscan

An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.

30.8.1.1 Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types:

TCP Decoy Portscan

UDP Decoy Portscan

IP Decoy Portscan

30.8.1.2Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple hosts query one host for open services. This may be used to evade intrusion detection. These are distributed port scan types:

TCP Distributed Portscan

UDP Distributed Portscan

IP Distributed Portscan

30.8.1.3Port Sweeps

Many different connection attempts to the same port (service) may indicate a port sweep, that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types:

TCP Portsweep

UDP Portsweep

IP Portsweep

ICMP Portsweep

 

451

ZyWALL USG 300 User’s Guide