Nmap Network Scanning
Chapter 11. Defenses Against Nmap
Detect Nmap Scans
Some people believe that detecting port scans is a waste of time. They are so common that any organization connected to the Internet will be regularly scanned. Very few of these represent targeted attacks. Many are Internet worms endlessly pounding away seeking some Windows vulnerability or other. Some scans come from Internet research projects, others from curious or bored individuals exploring the Internet. I scanned tens of thousands of IPs seeking good examples and empirical data for this book. Other scans actually are malicious. Script kiddies regularly scan huge ranges for systems susceptible to their exploit du jour. While these folks have bad intentions, they are likely to move along on their own after finding no vulnerable services on your network. The biggest threat is attackers specifically targeting your organization, though those represent such a small percentage of detected scans that they are extremely tough to distinguish. So many administrators do not even bother recording port scans.
Other administrators take a different view. They contend that port scans are often precursors to attacks, and should at least be logged if not responded to. They often place detection systems on internal networks to reduce the flood of Internet port scan activity. The logs are sometimes analyzed for trends, or submitted to third parties such as DShield for world-wide correlation and analysis. Sometimes extensive logs and scary graphs measuring attacks are submitted to management to justify adequate budgets.
System logs alone are rarely sufficient for detecting port scans. Usually only scan types that establish full TCP connections are logged, while the default Nmap SYN scan sneaks through. Even full TCP connections are only logged if the particular application explicitly does so. Such error messages, when available, are often cryptic. However, a bunch of different services spouting error messages at the same time is a common indicator of scanning activity. Intrusive scans, particularly those using Nmap version detection, can often be detected this way, but only if the administrators actually read the system logs regularly. The vast majority of log messages go forever unread. Log monitoring tools such as Logwatch and Swatch can certainly help, but the reality is that system logs are only marginally effective at detecting Nmap activity.
Special-purpose port scan detectors are a more effective approach to detecting Nmap activity. Two common examples are PortSentry and Scanlogd. Scanlogd has been around since 1998 and was carefully designed for security. No vulnerabilities have been reported during its lifetime. PortSentry offers similar features, as well as a reactive capability that blocks the source IP of suspected scanners. Note that this reactive technique can be dangerous, as demonstrated in the section called “Reactive Port Scan Detection”.
Despite being subject to the threshold-based attacks discussed in the section called “Avoiding Intrusion Detection Systems”, these port scan detection tools work pretty well. Yet the type of administrator who cares enough to keep tabs on port scans will also want to know about more serious attacks such as exploit attempts and installed backdoors. For this reason, intrusion detection systems that alert on a wide range of suspicious behavior are more popular than these special-purpose tools.
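The log-based indicator from the system-log discussion above (several daemons reporting errors from the same source at the same moment) and the threshold weakness just mentioned, as an added Python example that is not from the book: it parses constructed syslog-style lines, groups the messages by client address, and flags a source that reaches a chosen number of distinct daemons within a sliding time window. The log lines, daemon names, thresholds and the assumed year are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed syslog-style lines (not real logs): four daemons on one host each
# log a connection from 203.0.113.7 within two seconds, while 198.51.100.4
# touches three daemons spread over fifteen minutes (a slow scan).
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1201]: Did not receive identification string from 203.0.113.7
Mar 12 10:00:01 host vsftpd[1302]: CONNECT: Client "203.0.113.7"
Mar 12 10:00:02 host postfix/smtpd[1405]: lost connection after CONNECT from unknown[203.0.113.7]
Mar 12 10:00:02 host dovecot: imap-login: Disconnected (no auth attempts) rip=203.0.113.7
Mar 12 10:00:03 host sshd[1210]: Did not receive identification string from 198.51.100.4
Mar 12 10:07:30 host vsftpd[1320]: CONNECT: Client "198.51.100.4"
Mar 12 10:15:00 host postfix/smtpd[1430]: lost connection after CONNECT from unknown[198.51.100.4]
"""

# Timestamp, host, program (optional [pid]) and message of a classic syslog line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w./-]+?)(?:\[\d+\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_events(text, year=2024):
    """Return sorted (timestamp, source_ip, program) tuples; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        ip = IP_RE.search(m["msg"]) if m else None
        if not ip:
            continue  # unparsable line, or no client address in the message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, ip.group(1), m["prog"]))
    return sorted(events)

def find_scanners(events, min_services=3, window_seconds=60):
    """Flag sources that provoked messages from >= min_services distinct daemons
    inside any window_seconds span. Returns {ip: sorted daemons touched}."""
    by_ip = defaultdict(list)
    for ts, ip, prog in events:
        by_ip[ip].append((ts, prog))
    hits = {}
    for ip, evs in by_ip.items():  # evs is already in time order
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({prog for _, prog in evs[start:end + 1]}) >= min_services:
                hits[ip] = sorted({prog for _, prog in evs})
                break
    return hits
```

With the default 60-second window only 203.0.113.7 is reported; the spread-out 198.51.100.4 entries only register once the window is widened, which is exactly the threshold limitation the detectors above share.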
Many vendors now sell intrusion detection systems, but Nmap users gravitate to an open-source lightweight IDS named Snort. It ranked as the third most popular security tool among a survey group of 3,243 Nmap users (https://sectools.org). Like Nmap, Snort is improved by a global community of developers. It supports more than two thousand rules for detecting all sorts of suspicious activity, including port scans.
A properly installed and monitored IDS can be a tremendous security asset, but do not forget the risks discussed in the section called “Subverting Intrusion Detection Systems”. Snort has had multiple remotely exploitable vulnerabilities, and so have many of its commercial competitors. Additionally, a skilled attacker can defeat most IDS rules, so do not let your guard down. IDSs too often lead to a false sense of security.