TCP scanning - security and computing tips

TCP scanning
In order to establish which vulnerabilities can be exploited on a remote machine, an attacker will normally launch a probe session, also known as port scanning. One of the most common techniques is TCP scanning. Using dedicated TCP scanning software, the attacker attempts to connect to the target computer on a range of TCP ports, usually starting with TCP port 1 and progressing until the last port (65535) is reached.

To improve the efficiency of their port scanning, most TCP scanning programs use multiple threads and custom timeout settings. Many TCP scan operations are launched in parallel, so tens of ports can be checked per second. Also, many of these programs do not look for nonstandard ports; they focus instead on a fixed list of well-known TCP ports whose services the attacker knows how to exploit. Combined with IP range scanning, this kind of software can be very effective at locating a machine running a particular service or set of services that can then be attacked.

Identifying a specific port on a remote machine as active gives the attacker additional information about the service running there, because port numbers are conventionally assigned to specific protocols. For example, TCP port 21 is assigned to the FTP service, and TCP port 80 is commonly used for HTTP. However, attackers may want to verify this and/or identify additional services running on nonstandard ports. They can do this with special software, also known as protocol analyzers, which can identify the service behind a specific nonstandard port.

Although UDP scanning can be used as well, TCP scanning remains the favourite because UDP scanning is much more tedious, its results are harder to obtain, and the accuracy of detection depends on various network- and machine-related factors. There are several types of TCP scanning, but the most common one is TCP connect scanning. An individual attempt to connect to a remote TCP port using this method has three stages. First, the attacker's machine sends a TCP SYN packet to the server (the remote machine) on a TCP port that is supposed to be listening. If the remote machine accepts the connection, in the second stage it sends a SYN/ACK packet back to the client that originated the connection, and in the third and last stage the client sends an ACK back to the server. This kind of scanning is simple to implement, but from the attacker's standpoint it has the disadvantage of being highly visible to whatever monitoring and logging functions are available on the server, because the connection is fully established.

A smarter attacker would probably use a better technique such as TCP SYN scanning. In this type of scan, the TCP connection is never fully established. The first stage is the same: the client sends a SYN packet to the server, and the server responds in the second stage with a SYN/ACK packet; but this time the client sends back a RST/ACK packet instead of an ACK, telling the server that the connection is dropped and never completed. This type of scanning works well for the attacker, since it shows clearly whether a remote port is accepting connections, yet it is much harder for the server administrator to detect, because such half-open connection attempts are not logged by the logging system of the service listening on the probed TCP port.
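The two paragraphs above describe the same three-stage handshake seen from the server. The following Python model, added here as an illustration and not code from the original page, plays the server side of one TCP port as a small state machine and keeps two logs: the one the listening service itself writes once the handshake completes, and the one a firewall or packet monitor in front of the host writes for every segment. It shows why a completed connect probe appears in the service's log while a probe reset after SYN/ACK does not, and why only packet-level logging sees both. The class, function names and the client address are constructed for this example; nothing here touches real sockets.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Toy model (constructed for this example, not real socket code) of one server-side
# TCP port. It applies the three handshake stages the article describes and keeps
# two logs: what the listening service itself would log once accept() returns, and
# what a firewall or packet monitor in front of the host sees for every segment.


@dataclass
class ServerPort:
    number: int
    listening: bool                      # True = a service is bound to this port
    state: str = "LISTEN"
    service_log: List[str] = field(default_factory=list)
    packet_log: List[str] = field(default_factory=list)

    def receive(self, client: str, flags: str) -> str:
        """Process one client segment; return the flags of the server's reply ('' = none)."""
        self.packet_log.append(f"{client} -> :{self.number} {flags}")
        if not self.listening:
            # Closed port: the stack answers a SYN with RST/ACK and keeps no state.
            return "RST/ACK" if flags == "SYN" else ""
        if self.state == "LISTEN" and flags == "SYN":
            self.state = "SYN_RECEIVED"          # stage 1 received, stage 2 sent
            return "SYN/ACK"
        if self.state == "SYN_RECEIVED" and flags == "ACK":
            self.state = "ESTABLISHED"           # stage 3: handshake complete
            # Only now is the connection handed to the service, which logs the peer.
            self.service_log.append(f"connection from {client}")
            return ""
        if self.state == "SYN_RECEIVED" and flags.startswith("RST"):
            self.state = "LISTEN"                # half-open connection torn down
            return ""
        return ""                                # anything else is ignored in this model


def full_handshake_probe(port: ServerPort, client: str) -> Tuple[str, bool]:
    """Connect-style probe: SYN, then ACK if the port answered SYN/ACK.
    Returns (reply to the SYN, whether the service's own log recorded the client)."""
    before = len(port.service_log)
    reply = port.receive(client, "SYN")
    if reply == "SYN/ACK":
        port.receive(client, "ACK")
    return reply, len(port.service_log) > before


def half_open_probe(port: ServerPort, client: str) -> Tuple[str, bool]:
    """SYN-style probe: SYN, then RST/ACK instead of ACK, so the handshake never completes."""
    before = len(port.service_log)
    reply = port.receive(client, "SYN")
    if reply == "SYN/ACK":
        port.receive(client, "RST/ACK")
    return reply, len(port.service_log) > before


if __name__ == "__main__":
    client = "203.0.113.5"                      # documentation address, constructed
    for label, probe in (("connect", full_handshake_probe), ("SYN", half_open_probe)):
        open_port = ServerPort(22, listening=True)
        reply, seen = probe(open_port, client)
        print(f"{label} probe, open port: reply={reply}, service logged it={seen}, "
              f"packets seen by firewall={len(open_port.packet_log)}")
    closed = ServerPort(23, listening=False)
    print("any probe, closed port:", half_open_probe(closed, client))
```

Run as a script it prints that both probe styles get the same SYN/ACK from the open port and leave two segments in the packet log, but only the completed handshake produces a service-level log entry; the closed port answers RST/ACK either way. The practical lesson for a defender is the one the article draws: application logs alone are not enough, and the firewall's own logging is what records half-open probes.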

There are many other types of TCP scanning that can be used to identify closed ports and even establish how the firewall works. We won't go into details, but as an example the TCP ACK method can establish whether the firewall is a simple packet filter or a modern one that also performs stateful packet inspection and therefore thoroughly analyses incoming packets.

To protect yourself from TCP scanning, the first step is to install a firewall. There are several types of firewall, but in the most common case a home user will download and install a software firewall on his or her computer. From then on, most software firewalls are set to learning mode: whenever a new connection is initiated, the firewall warns the user and allows a rule to be created that will from then on filter incoming connections as desired. Another common situation is the use of a hardware firewall, either a firewalled router or a gateway computer placed between the internet and the user's computer. The firewall will prevent all external TCP connections from reaching your computer unless it is specifically configured to permit them. For further protection, make sure you activate your firewall's logging features. Some firewalls can also email you when an attack is detected. When full logging is desired, keep in mind that most quality firewalls can forward their log information to a syslog server for storage and later thorough analysis.
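The paragraph above ends with forwarding firewall logs to a syslog server for later analysis. The Python below, added here as an example and not part of the original page, is the kind of analysis a defender would run over those logs: it parses packet lines, groups them by source address and raises an alert when one source touches at least five different TCP ports inside a sliding 60-second window. The log lines are constructed in a netfilter-like "kernel: ... SRC= ... DPT=" layout, the addresses come from the documentation ranges, and the regular expression, thresholds and function names are assumptions of this example rather than any firewall product's format.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines in a netfilter-style "kernel: ... SRC= ... DPT=" layout,
# as a firewall might forward them to a syslog server. Addresses are from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and invented.
# 203.0.113.5 sweeps six ports in three seconds; 203.0.113.9 probes six ports slowly;
# 198.51.100.7 is ordinary HTTPS traffic; the sshd line is a service log, not a packet.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21 SYN
Mar  3 10:15:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:15:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=23 SYN
Mar  3 10:15:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=25 SYN
Mar  3 10:15:02 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 SYN
Mar  3 10:15:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=80 SYN
Mar  3 10:15:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=110 SYN
Mar  3 10:15:04 gw sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 40002
Mar  3 10:15:05 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN
Mar  3 10:20:00 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=21 SYN
Mar  3 10:20:10 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6002 DPT=22 SYN
Mar  3 10:20:20 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6003 DPT=23 SYN
Mar  3 10:22:30 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6004 DPT=25 SYN
Mar  3 10:22:40 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6005 DPT=80 SYN
Mar  3 10:22:50 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=6006 DPT=110 SYN
"""

# Assumed line layout for this example: syslog timestamp, then SRC=, PROTO=TCP and DPT= fields.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, source IP, destination port) for a TCP packet line, else None.
    Syslog timestamps carry no year, so the datetime is only used for time differences."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_port_scans(lines: List[str], window_seconds: int = 60,
                      distinct_ports: int = 5) -> Dict[str, Tuple[datetime, datetime, int]]:
    """Flag each source that touched at least distinct_ports different TCP ports within
    any window_seconds span. Returns {source: (window start, alert time, ports in window)}."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            by_src[src].append((ts, dpt))

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, Tuple[datetime, datetime, int]] = {}
    for src, events in by_src.items():
        events.sort()
        recent: deque = deque()              # events inside the sliding window
        ports_in_window: Counter = Counter()  # distinct destination ports, with counts
        for ts, dpt in events:
            recent.append((ts, dpt))
            ports_in_window[dpt] += 1
            while ts - recent[0][0] > window:  # expire events older than the window
                old_ts, old_port = recent.popleft()
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
            if len(ports_in_window) >= distinct_ports:
                alerts[src] = (recent[0][0], ts, len(ports_in_window))
                break                         # one alert per source is enough here
    return alerts


if __name__ == "__main__":
    for src, (start, end, n) in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {n} ports between "
              f"{start:%H:%M:%S} and {end:%H:%M:%S}")
```

With the defaults only the fast sweep from 203.0.113.5 is reported; the slow probes from 203.0.113.9 never reach five distinct ports inside a single minute and so go unnoticed, which is the usual weakness of a fixed window. Widening the window (for instance `window_seconds=600`) catches the slow source as well at the cost of more false positives, so in practice the threshold is tuned against the site's normal traffic and the alerts are reviewed together with the firewall's accept/drop decisions.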



© Xnews.ro. All rights reserved.