Are Port Scans Precursors to Attack?
Interesting research:
Port scans may not be a precursor to hacking efforts, according to conventional wisdom, reports the University of Maryland’s engineering school.
An analysis of quantitative attack data gathered by the university over a two-month period showed that port scans precede attacks only about five percent of the time, said Michel Cukier, a professor in the Centre for Risk and Reliability. In fact, more than half of all attacks aren’t preceded by a scan of any kind, Cukier said.
I agree with Ullrich, who said that the analysis seems too simplistic:
Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic.
Rather than counting the number of packets in a connection, it’s far more important to look at the content when classifying a connection as a port scan or an attack, Ullrich said.
Often, attacks such as the SQL Slammer worm, which hit in 2003, can be as small as one data packet, he said. A lot of the automated attacks that take place combine port and vulnerability scans and exploit code, according to Ullrich.
As a result, much of what researchers counted as port scans may have actually been attacks, said Ullrich, whose Bethesda, Md.-based organization provides Internet threat-monitoring services.
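To make the methodological point concrete, here is an added example (not code from the study, the article, or this post) that runs two classification rules over constructed flow records and counts, for each rule, how many attacks had a scan from the same source IP within the previous hour. The packet-count rule files the one-packet attack as a scan, and a scan from one address followed by an attack from another is missed by both rules, since the correlation key is the source IP; the signature strings, addresses and flows are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture
    src: str       # source IP address
    dport: int     # destination port
    packets: int   # packets seen in the connection
    payload: bytes # application data, b"" for a bare probe

# Constructed signature markers standing in for an IDS ruleset (not real signatures).
ATTACK_SIGNATURES = (b"SIG:SQL-1434", b"SIG:WEB-CGI", b"SIG:SMB-445")

# Constructed flow records; none come from the Maryland testbed.
FLOWS = [
    Flow(100, "10.0.0.1", 22, 1, b""),                # 10.0.0.1 probes three ports...
    Flow(101, "10.0.0.1", 80, 1, b""),
    Flow(102, "10.0.0.1", 1434, 1, b""),
    Flow(160, "10.0.0.1", 80, 12, b"SIG:WEB-CGI"),    # ...then attacks one of them
    Flow(300, "10.0.0.2", 1434, 1, b"SIG:SQL-1434"),  # one-packet attack, no prior scan
    Flow(400, "10.0.0.3", 445, 40, b"SIG:SMB-445"),   # multi-packet attack, no prior scan
    Flow(500, "10.0.0.4", 445, 1, b""),               # scan from one address...
    Flow(560, "10.0.0.5", 445, 40, b"SIG:SMB-445"),   # ...attack from another
]
SCAN_THRESHOLD = 2       # by-packet rule: this many packets or fewer is "a scan"
PRECURSOR_WINDOW = 3600  # a scan counts as a precursor if it came within an hour

def classify_by_packets(f: Flow) -> str:
    """Simplistic rule: short connections are scans, long ones are attacks."""
    return "scan" if f.packets <= SCAN_THRESHOLD else "attack"

def classify_by_content(f: Flow) -> str:
    """Content rule: empty payload is a probe; a signature hit is an attack."""
    if not f.payload:
        return "scan"
    return "attack" if any(s in f.payload for s in ATTACK_SIGNATURES) else "benign"

def precursor_stats(flows, classify) -> tuple:
    """Return (attacks preceded by a scan from the same source IP, total attacks)."""
    labelled = sorted(((classify(f), f) for f in flows), key=lambda p: p[1].ts)
    last_scan = {}  # source IP -> timestamp of its latest scan
    preceded = total = 0
    for label, f in labelled:
        if label == "scan":
            last_scan[f.src] = f.ts
        elif label == "attack":
            total += 1
            if f.src in last_scan and f.ts - last_scan[f.src] <= PRECURSOR_WINDOW:
                preceded += 1
    return preceded, total

if __name__ == "__main__":
    for rule in (classify_by_packets, classify_by_content):
        print(rule.__name__, "%d/%d attacks preceded by a scan" % precursor_stats(FLOWS, rule))
```

Swapping the rule changes both the numerator and the denominator, which is Ullrich's objection: the five-percent figure depends on how a connection was labelled in the first place.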
Shawn • December 15, 2005 8:35 AM
That doesn’t really shock me. I think at this point most attackers know that a port scan looks like the equivalent of walking around a building and checking all the locks. In daylight. Wearing reflective clothing.
Though the research does assume that the scanning and attacking would have to originate from the same IP address for it to come from the same attacker.