Are Port Scans Precursors to Attack?

Interesting research:

Port scans may not be a precursor to hacking efforts, according to conventional wisdom, reports the University of Maryland’s engineering school.

An analysis of quantitative attack data gathered by the university over a two-month period showed that port scans precede attacks only about five percent of the time, said Michel Cukier, a professor in the Centre for Risk and Reliability. In fact, more than half of all attacks aren’t preceded by a scan of any kind, Cukier said.

I agree with Ullrich, who said that the analysis seems too simplistic:

Johannes Ullrich, chief technology officer at the SANS Institute ‘s Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic.

Rather than counting the number of packets in a connection, it’s far more important to look at the content when classifying a connection as a port scan or an attack, Ullrich said.

Often, attacks such as the SQL Slammer worm, which hit in 2003, can be as small as one data packet, he said. A lot of the automated attacks that take place combine port and vulnerability scans and exploit code, according to Ullrich.

As a result, much of what researchers counted as port scans may have actually been attacks, said Ullrich, whose Bethesda, Md.-based organization provides Internet threat-monitoring services.

Tags: computer security, exploits, hacking, malware, network security, vulnerabilities

Posted on December 15, 2005 at 6:38 AM • 23 Comments

Comments

Shawn • December 15, 2005 8:35 AM

That doesn’t really shock me. I think at this point most attackers know that a port scan looks like the equivalent of walking around a building and checking all the locks. In daylight. Wearing reflective clothing.

Though the research does assume that the scanning and attacking would have to originate from the same IP address for it to come from the same attacker.

kevin osborne • December 15, 2005 8:42 AM

it is not my experience that port scans are benign.

as someone who recently up a home-based web/shell server for the first time, I was port scanned within a day of registering my domain name.

ssh dictionary attacks followed within hours, and haven’t stopped since; all from open proxies worldwide. I use the open source project Fail2Ban to protect both sshd and apache. Apache attacks started within hours of me linking to my home site on my blog.

In my experience windows machines are worm infected within minutes if brought online unpatched – even if only connecting to windows update.

the net as I know it is a storm of malicious packets, and seems to be becoming more predatory.

To combat this, I wonder if in the future networks such as aol/msn will provide services within an operator-style walled garden, where vpn access to a closed system will be the norm; and the heterogenous interweb will cede to the private domains evidenced in modern mass media. what will become of the content not sold in the mall? the ever growing billions of pages that spell hope for consensus. the court of common opinion would surely be further isolated and therefore diminished by such a move.

Hubert T. Farquarson • December 15, 2005 8:56 AM

The distinction should be made that port-scans may not precede non-directed attacks, but surface mapping is still an essential tactic to directed intrusion where no prior knowledge regarding the target is available.

Ed T. • December 15, 2005 8:57 AM

Here’s another thing the researchers appear to have missed: There are cases (such as Port 1433/SQLSnake attacks) where the scanning was done ahead of the worm being released (about 2 weeks IIRC), and the results of the scan were programmed into the worm to target vulnerable networks. I would be looking for ‘port scan sweeps’ where entire network blocks (possibly the entire Internet) is being scanned (possibly from multiple sources, which makes identification more difficult.)

The type of port scan we have seen with the ’15 minutes of fame’ type of attack is probably passe — now you just blast attack packets out, shotgun-style, and see what you hit. The real portscans we need to be worried about are the ones being conducted by the professionals, who are looking for a way into our networks. Sending out 1 packet a day (or even less often) to evade your normal IDS, changing to a different dynamic IP (or even using a different zombie in a botnet), and doing other things to hide their nefarious doings.

-EdT.

Clive Robinson • December 15, 2005 9:05 AM

Think of it from a reasonably intelegent attackers point of view,

Today I scan 5000 sites (automatically) to get my data on them, I do this through a proxy site of some kind as I do not wish to be easily traced (I also assume it is burned after the scan). Because I am enumerating not attacking I tend to be noisy about my enumeration, it’s a time/number of sites trade off.

Some time thereafter I look through the data and look for the “lowest hanging” fruit, these sites I start having a little dig at to see how open they actually are. I use a differnet set of tools to those I enumerated with, and I do it from a different proxy machine, as I have reason to belive the site is vulnerable to sertain attacks I can be very stealthy.

Of those “low hanging fruit” sites that are open to me I turn these into new proxies and give my old proxies a rest (I’m assuming they are probably burned for these sites anyway).

Some time later I start looking at the less low hanging fruit from the original scan from my new proxies and with a diferent set of tools that are more stealthy (ie I am actually doing an atack scan not an enumerating scan).

How as an observer on a moderatly secure site do I get objective data on the person doing the scans and the attack? They are for all intents and purposes uncorelated unless the attacker is realy stupid.

So I would expect a very low corelation between an enumerating scan a precursory attack scan and a final stealthy attack.

A Reader • December 15, 2005 9:49 AM

The full description of the research is (I hate evaluating research based on journalist-summaries and interviews):
An experimental evaluation to determine if port scans are precursors to an attack
Panjwani, S.; Tan, S.; Jarrin, K.M.; Cukier, M.;
Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on
28 June-1 July 2005 Page(s):602 – 611
Digital Object Identifier 10.1109/DSN.2005.18

Summary: This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies ha…..

Augusto Paes de Barros • December 15, 2005 9:55 AM

Portscan are not benign, they are simply desnecessary. I worked for a company that used to be hired to perform Penetration Tests. We didn’t perform portscans, as our main way of entering the customer network was through backdoors sent to internal users, wireless connections and things like that.

J.D. Abolins • December 15, 2005 10:32 AM

Half-jesting, I wonder how many portscan hits encountered may be the products of 1) amateur penetration analysis practice with no intent of breaking in, 2) Linux newbies playing with the nmap package they found in the distro, or 3) users misguidedly trying to evaluate the security of their workplace servers/ISP servers/system connected to them.

In any case, the cry “We’re under attack… we’ve been portscanned” is alarmist. Just like the cry “We’ve been Googled… they’re after us.”

Alun Jones • December 15, 2005 10:40 AM

Can we please use language, or mathematics, effectively?
The study (as quoted here) doesn’t address the question asked – “are portscans always (or often) precursor to attacks?” The answer given is “five per cent of attacks were preceded by portscans”. That is answering a different question – “are attacks always (or often) preceded by portscans?”
The statistic that should be analysed is what portion of portscans were followed by attacks, not what portion of attacks were preceded by portscans.
For those of you not following the mathematics, picture this – 100 attacks, and five portscans, but each portscan is immediately followed by an attack. That statistic would mean that portscans are a precursor to an attack – that you can use detection of a portscan to predict a coming attack. If that was the statistic, then this would be news you can use – you can start adding firewall rules after detecting a portscan.
Of course, the statistic could go the other way – 100 attacks, 1,000 portscans, of which five were associated with the attack – still the 5% rate quoted in the article, but in that case, you could not use a portscan as a predictor of a coming attack.

mjk • December 15, 2005 11:03 AM

I took a computer security class recently, and it covered ways of optimizing the effect of an attack. One of the ways was to build a list of profiles for millions of machines before any exploit is available. This way when an exploit is available a quick query of your database of machines gives you a list of targets that you can attack without arousing suspicion because they were scanned long ago.

jammit • December 15, 2005 11:12 AM

@J.D. Abolins said–
2) Linux newbies playing with the nmap package they found in the distro

Yep, that’s me. I had to try that twice. Once just to play with it, and another to play with a guy who spammed me. The guy who spammed me was an idiot and I realized I didn’t need to nmap him. I finally figured out the first thing I should have tried to do was simply use SMB and see if I could mount his drives. I left him a few messages and used his drive as a temporary storage for myself.

Phillip • December 15, 2005 11:23 AM

NMAP has a decoy port scan which can make one port scan coming from one source appear to be mulyiple scans from many sources.

Rafael Hashimoto • December 15, 2005 1:19 PM

I agree that portscan are no longer a major indication that a network attack is in course. Today I would expect to see more service probes (several connection attempts to one service port in several host) than a port scan looking all possible ports in one or more hosts. That’s because the huge number of Script Kiddies running *acker tools that they downloaded in the net or that came with a *acker magazine. There is also a incresing focus on attacks against applications, using techiniques like SQL Injection or XSS, that would explain why you are no longer seeing port scans preceding an attack. But, there are also several ways to ran a port scan without be detected. You can use a bot network to send a few packets from each zoombie machine, you can use the Paranoid switch from Nmap, you can send several spoofed packets to hide your scan in the volume, you can run an port scan today and try to explore the services found next week. Any of these methods and several other would prevent you from been detected or to allow the sec admin to correlate the port scan with the attack itself.

Davi Ottenheimer • December 15, 2005 3:21 PM

Gee whiz. Are handshakes precursors to fights? Are long stares precursors to love? Does a chicken have lips? Ullrich is absolutely correct that the analysis is lacking…portscans are just like every other administrative tool or procedure, a double-edged sword. For example, did the researchers account for the fact that many portscans are actually done in an attempt to help prevent an attack?

Davi Ottenheimer • December 15, 2005 4:39 PM

The article states:

“Only 28 out of 760 IP addresses that were tied to attacks against the university’s computers had launched a port scan, Cukier said. In contrast, 381 of the IP addresses launched attacks without any previous port-scanning activity.”

Odd. It is as though the researchers believe an attacker would use a valid IP address, let alone reuse the same bogus IP hours or even days after a port scan is done. I do not discount the fact that attacks might come without any prior port scan (some attacks are sloppy and they just don’t care, others might be lucky), but it’s not clear that port scans should be “ruled out” as a reliable precursor or warning, let alone a potential one.

Here’s the conclusion in the original report:
http://www.enre.umd.edu/faculty/cukier/81_cukier_m.pdf

“The experimental results showed that over 50% of the attacks were not preceded by a scan. Among the scans leading the more frequently to an attack were vulnerability scans and combinations of port and vulnerability scans. Therefore, port scans combined with vulnerability scans might be a relevant indicator of a coming attack. However, based on the results of this experiment, only port scans did not appear to be a good indicator of a future attack.”

kyphros • December 15, 2005 6:53 PM

@Jammit

Congrats, you just 0wned some unwitting user’s box. The spam you received most likely came from a proxy running on someone’s home pc, dropped off by whatever worm compromised them last.

Storing files on their PC? Are you insane? Where I live, that’s very illegal. It might not be where you are, but it’s not a good idea even if it is legal.

Davi Ottenheimer • December 15, 2005 7:58 PM

“see if I could mount his drives”

That’s definitely illegal in Texas.

jammit • December 15, 2005 10:35 PM

I wasn’t clear. His machine wasn’t sending spam, he was. I don’t know if storing files on his machine was illegal, but in his case I really didn’t care. The first thing I did after I mounted his drive was to look around. In a little while I found out he was the spammer, not an infected windows user. I found his email address in some of his files and I actually emailed the guy, nicely. Instead of apologizing, he sent me back a “flock ewe” (or something similar) and even more beastiality spam. He crossed a line and I pushed back. One thing I didn’t do was format or delete his stuff. I figured a retard like that would hang himself. The last thing I did was to look at the spam and see what was behind the “click here to see more action” button. It was basically a link to his website that had my email addy in the url, so I replaced my email string with president@whitehouse.gov.

So in Texas it’s illegal to mount drives, but livestock is ok?
</funny mode>

jammit • December 15, 2005 10:43 PM

Oops, I meant the Texas comment as a gentle ribbing, not a whole hearted slam. I forgot to add the 😉

vdshmn • December 15, 2005 11:48 PM

?????????
IC???座
 ???锈钢???应釜

Rafael Hashimoto • December 16, 2005 5:33 AM

If only 28 out of 760 IP address launched a port scan prior to the attack and 381 didn’t, what did happens to the other 351 IP addresses?

Savik • December 16, 2005 10:06 AM

The best answer to this question is:

Maybe.

and

Sometimes.