- Nmap Network Scanning
- Chapter 11. Defenses against Nmap
- Detect Nmap Scans
Some people believe that detecting port scans is a waste of time. They are so common that any organization connected to the Internet will be scanned regularly. Very few of these represent targeted attacks. Many are Internet worms, relentlessly pounding away in search of some Windows vulnerability or another. Some scans come from Internet research projects, others from curious or bored individuals exploring the Internet. I examined tens of thousands of IPs looking for good examples and empirical data for this book. Other scans are truly malicious. Script kiddies regularly scan huge ranges for systems susceptible to their exploit of the day. Although these people have bad intentions, they are likely to move on by themselves after finding no vulnerable services on your network. The biggest threat is attackers who specifically target your organization, yet they represent such a small percentage of detected scans that they are extremely difficult to distinguish. So many administrators don't even bother recording port scans.
Other administrators have a different view. They claim that port scans are often precursors to attacks and should at least be logged, if not responded to. They often place detection systems on internal networks to reduce the flood of Internet port scanning activity. Logs are sometimes analyzed for trends or sent to third parties such as Dshield for worldwide correlation and analysis. Sometimes extensive logs and scary attack-metric charts are sent to management to justify adequate budgets.
System logs alone are rarely sufficient to detect port scans. Typically, only scan types that establish full TCP connections are logged, whereas the default Nmap SYN scan sneaks by. Even full TCP connections are only logged if the specific application explicitly does so. These error messages, when available, are usually cryptic. However, a bunch of error messages from different services arriving at about the same time is a common indicator of scanning activity. Intrusive scans, particularly those using Nmap version detection, can often be detected this way, but only if administrators actually read their system logs regularly. The vast majority of log messages are never read. Log monitoring tools such as Logwatch and Swatch can certainly help, but the reality is that system logs are only marginally effective at detecting Nmap activity.
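The "several services complaining about the same client at the same time" heuristic described above can be automated. The following script is an added example written for this page, not code from the book or from Nmap; it parses a few constructed syslog lines (the sample text, the daemon names and the message fragments in PROBE_MARKERS are assumptions modelled on common daemon output) and reports any source address that touched at least three distinct daemons inside a sliding time window. The second sample source probes the same services hours apart, which shows the limit of any threshold-based approach: it is only flagged when the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not real captures). Each daemon logs a
# cryptic message when a client connects and disconnects without speaking
# the protocol, which is what a connect or version-detection scan produces.
SAMPLE_LOG = """\
Mar  4 02:11:03 host sshd[2011]: Did not receive identification string from 198.51.100.7
Mar  4 02:11:04 host vsftpd[2014]: CONNECT: Client "198.51.100.7"
Mar  4 02:11:04 host postfix/smtpd[2017]: lost connection after CONNECT from unknown[198.51.100.7]
Mar  4 02:11:05 host dovecot: imap-login: Disconnected (no auth attempts in 0 secs): rip=198.51.100.7
Mar  4 02:20:00 host sshd[2099]: Did not receive identification string from 203.0.113.9
Mar  4 03:45:00 host vsftpd[2150]: CONNECT: Client "203.0.113.9"
Mar  4 05:10:00 host postfix/smtpd[2201]: lost connection after CONNECT from unknown[203.0.113.9]
Mar  4 02:30:12 host sshd[2120]: Accepted publickey for alice from 192.0.2.5 port 51234 ssh2
"""

# Classic syslog prefix: timestamp, hostname, program name with optional [pid].
PREFIX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w/.-]+?)(?:\[\d+\])?: (.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Fragments that mean "client connected and left without talking the protocol".
# Assumption: modelled on common daemon messages; tune for your own daemons.
PROBE_MARKERS = (
    "did not receive identification string",
    "connect: client",
    "lost connection after connect",
    "no auth attempts",
)


def parse_events(text, year=2024):
    """Yield (timestamp, source_ip, service) for lines that look like bare probes."""
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        ts_str, _host, prog, msg = m.groups()
        if not any(marker in msg.lower() for marker in PROBE_MARKERS):
            continue  # normal traffic such as a successful login
        ip = IPV4.search(msg)
        if not ip:
            continue
        # syslog omits the year, so one is assumed for parsing
        ts = datetime.strptime(f"{year} {ts_str}", "%Y %b %d %H:%M:%S")
        yield ts, ip.group(1), prog.split("/")[0]  # postfix/smtpd -> postfix


def find_scanners(text, window_seconds=60, min_services=3):
    """Return {source_ip: sorted services} for sources that produced probe
    messages from at least min_services distinct daemons within any
    window_seconds-long sliding window."""
    events = sorted(parse_events(text))
    recent = defaultdict(deque)  # source -> (timestamp, service) inside the window
    alerts = {}
    for ts, src, svc in events:
        q = recent[src]
        q.append((ts, svc))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # expire entries older than the window
        services = {s for _, s in q}
        if len(services) >= min_services:
            alerts[src] = sorted(services)
    return alerts


if __name__ == "__main__":
    print("60 s window:", find_scanners(SAMPLE_LOG))
    print("4 h window: ", find_scanners(SAMPLE_LOG, window_seconds=4 * 3600))
```

With the default 60-second window only 198.51.100.7 is reported; 203.0.113.9 spreads its three probes over almost three hours and is reported only when the window is raised to four hours, at the cost of more false positives from legitimate clients that happen to use several services.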
Special-purpose port scan detectors are a more effective approach to detecting Nmap activity. Two common examples are PortSentry and Scanlogd. Scanlogd has been around since 1998 and was carefully designed with security in mind; no vulnerabilities were reported during its lifetime. PortSentry offers similar features, as well as a reactive feature that blocks the source IP of suspicious scanners. Note that this reactive technique can be dangerous, as demonstrated in the section called “Reactive port scan detection”.
Although they are subject to the threshold-based attacks discussed in the section called “Avoiding Intrusion Detection Systems”, these port scan detection tools work very well. However, the kind of administrator who cares enough to keep tabs on port scans will also want to know about more serious attacks, such as exploit attempts and installed backdoors. For this reason, intrusion detection systems that alert on a wide range of suspicious behavior are more popular than these special-purpose tools.
Many vendors now sell intrusion detection systems, but Nmap users gravitate toward a lightweight open source IDS called Snort. It ranked as the third most popular security tool among a survey group of 3,243 Nmap users (https://sectools.org). Like Nmap, Snort is enhanced by a global community of developers. It supports over two thousand rules to detect all kinds of suspicious activity, including port scans.
A properly installed and monitored IDS can be a tremendous security asset, but don't forget the risks discussed in the section called “Subverting Intrusion Detection Systems”. Snort has had several remotely exploitable vulnerabilities, as have many of its commercial competitors. Also, a skilled attacker can defeat most IDS rules, so don't let your guard down. IDSs often lead to a false sense of security.