A review of port scanning techniques

Vivo, Marco de; Carrasco, Eddy; Isern, Germinal; Vivo, Gabriela O. de

doi:10.1145/505733.505737

Cited by 90 publications

(43 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since data transfer can be possible only through the established connection, for any successful TCP communication need to have more than three packets. But in the scanning time, an attacker's intention is only to verify status of the port, and therefore most of the connection will terminate before the completion of three way handshake process [17]. Moreover, if three-way handshake does not happen, connection details cannot be identified by log analysis.…”

Section: Detection Methodsmentioning

confidence: 99%

ADRISYA: A Flow Based Anomaly Detection System for Slow and Fast Scan

Muraleedharan¹,

Parmar²

2010

IJNSA

View full text Add to dashboard Cite

show abstract

Section: Detection Methodsmentioning

confidence: 99%

ADRISYA: A Flow Based Anomaly Detection System for Slow and Fast Scan

Muraleedharan¹,

Parmar²

2010

IJNSA

View full text Add to dashboard Cite

show abstract

“…Thus, the server becomes unreachable by legitimate users, causing a significant financial loss in some cases. Port scan is a particular DoS attack that aims to discover available services on the targeted system [1]. It essentially consists of sending an IP packet to each port and analyzing the response to the connection attempts.…”

Section: Problem Statementmentioning

confidence: 99%

How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

Chabchoub

Chiky

Dogan

2014

EURASIP J. on Info. Security

View full text Add to dashboard Cite

IP networks are constantly targeted by new techniques of denial of service attacks (SYN flooding, port scan, UDP flooding, etc), causing service disruption and considerable financial damage. The on-line detection of DoS attacks in the current high-bit rate IP traffic is a big challenge. We propose in this paper an on-line algorithm for port scan detection. It is composed of two complementary parts: First, a probabilistic counting part, where the number of distinct destination ports is estimated by adapting a method called 'sliding HyperLogLog' to the context of port scan in IP traffic. Second, a decisional mechanism is performed on the estimated number of destination ports in order to detect in real time any behavior that could be related to a malicious traffic. This latter part is mainly based on the exponentially weighted moving average algorithm (EWMA) that we adapted to the context of on-line analysis by adding a learning step (supposed without attacks) and improving its update mechanism. The obtained port scan detecting method is tested against real IP traffic containing some attacks. It detects all the port scan attacks within a very short time response (of about 30 s) and without any false positive. The algorithm uses a very small total memory of less than 22 kb and has a very good accuracy on the estimation of the number of destination ports (a relative error of about 3.25%), which is in agreement with the theoretical bounds provided by the sliding HyperLogLog algorithm.

show abstract

“…UDP scanners typically send some empty UDP datagrams [9] to the UDP ports of SUT and decide the port status based on the UDP packet response. Nmap and Nessus [10] send application specific UDP probes to increase the efficiency in discovering the state of UDP packet.…”

Section: Related Workmentioning

confidence: 99%

An Innovative UDP Port Scanning Technique

Kumar¹,

Sudarsan²

2014

IJFCC

View full text Add to dashboard Cite

Abstract-In this paper, we address the challenge of speeding up UDP port scan. We propose a novel scanning technique to perform significantly faster UDP port scanning when the target machine is directly connected to port scanner by utilizing multiple IP addresses. Our experiments show that both Linux and Windows systems could be scanned faster. In particular the speed up in tested Linux systems using our scanner are about 19000% in comparison with traditional port scan method.

show abstract

A review of port scanning techniques

Cited by 90 publications

References 1 publication

ADRISYA: A Flow Based Anomaly Detection System for Slow and Fast Scan

ADRISYA: A Flow Based Anomaly Detection System for Slow and Fast Scan

How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

An Innovative UDP Port Scanning Technique

Contact Info

Product

Resources

About