Ports and port scanning - Open ports, closed ports and stealth ports
A common technique for identifying possible vulnerabilities on remote computers, with the aim of breaching their security measures and taking control of them, is port scanning, most commonly in the form of TCP port scanning.
How does port scanning work? An attacker will usually use a TCP port scanner to scan various ports on the remote computer. There are many types of port scanning software. Some tools scan only certain ports from a given port list; in this case the attacker tries to maximize the chances of finding a vulnerable machine by limiting the number of ports scanned on a given remote computer. Other port scanners scan all TCP ports. There are also mass port scanning tools that scan networks or a large number of computers in a short time, on a single port or using a predefined list of ports. Either way, TCP scanning is a very effective method of identifying remote computers that may have exploitable vulnerabilities and could end up in the hands of the attacker. Remember that in order to compromise a machine, an attacker first of all needs to be able to connect to it. Through port scanning, the attacker is able to find the needed 'doors', meaning open ports that can be used for attacking the machine.
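The scan patterns described above (a port list walked on one host, or a single port tried across many hosts) leave a recognisable trace in firewall logs. The following detector is an added example, not part of the original article; the log format, the thresholds and the labels "vertical" and "horizontal" are assumptions, and the whole excerpt is treated as one time window.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any specific firewall's output).
LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def sample_log():
    """Constructed firewall log lines using documentation address ranges."""
    lines = []
    # One source walking a port list on a single host.
    for port in (21, 22, 23, 25, 80, 443):
        lines.append(f"DROP src=203.0.113.7 dst=192.0.2.10 dport={port}")
    # One source trying a single port across many hosts.
    for host in range(1, 7):
        lines.append(f"DROP src=198.51.100.9 dst=192.0.2.{host} dport=3389")
    # An ordinary client repeatedly using one service.
    lines += ["ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443"] * 3
    lines.append("malformed line without fields")
    return lines


def detect_scans(lines, port_threshold=5, host_threshold=5):
    """Flag sources that touch many ports on one host or one port on many hosts."""
    ports_per_target = defaultdict(set)  # (src, dst) -> distinct ports tried
    hosts_per_port = defaultdict(set)    # (src, dport) -> distinct hosts tried
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that do not carry the three fields
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings.append(("vertical", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("horizontal", src, dport, len(hosts)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_scans(sample_log()):
        print(finding)
```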
What is the proper countermeasure against port scanning? The best thing to do is to use a firewall to block access to open ports on your computer. There are various tools that you can use for this purpose, but they usually fall into two categories: hardware firewalls and software firewalls. A hardware firewall is an appliance that you buy from a computer store and install at your home or office, between the Internet and your local network or computer(s). A software firewall is a program that you install on your computer and that protects it from inbound connection attempts and other types of attacks and intrusion attempts. The best way to protect yourself is to have both, if possible.
Getting back to ports, there are three types of responses a port scanner can get when scanning your machine for given ports. The first is when open ports are found. These ports are in standby mode, waiting for incoming connections; whenever such a connection is detected, an open port responds by accepting it, and data can then be transferred between the local and the remote computer. This also means that the computer with open ports acts as the server, while the machine connecting to it acts as the client. (Please note that it is common to have several open TCP ports on your machine if you are using a Windows computer.) An open port is like a gateway for attackers, allowing them to get into your computer; it is therefore recommended to block as many ports as possible using a firewall, and/or to disable any unnecessary services running on the machine.
The second type of response that can be encountered is a closed port. This means that an attacker cannot use this port to connect to the machine; however, it has the disadvantage of disclosing some information to the attacker: the fact that the port in the closed state is actually used on your computer, although access to it has been disabled. In this case you enjoy better security, but some information is still being disclosed.
Finally, the third type of response to remote TCP port scanning is a stealth port. In this case, the machine does not provide any kind of response to the port scanner software. It is recommended to use a firewall that puts ports into stealth mode, as this is the most secure configuration: no information about services running inside your computer is disclosed.
