Thursday, March 17, 2011

IT SECURITY - Ping Sweeps and Port Scans

The ping sweep and port scan review
For a business, ping sweeps and port scans can be a huge security threat if they go unnoticed. Ping sweeps are usually performed to find end-points on a network; then a port scan is performed to find an “open door” into a particular end-point or end-points. After that, a person can find all kinds of utilities on the internet to exploit these “open doors” on systems and gain access to important and confidential files on the network. It is imperative that we not only protect against these types of activities on our network, but that we also conduct them ourselves.

Ping sweeps are exactly what they sound like. They are the regular ping that almost anyone in the IT field uses as a basic troubleshooting step; however, they are conducted across an entire range of addresses. Where a normal administrator would only ping one or two intended destinations, a malicious user may conduct a ping sweep to find every end-point on a network that they are allowed a connection to (Conklin, White, Cothren, Williams, & Davis, 2004). Most utilities that perform this operation can also perform a DNS lookup on all of the IP addresses to produce the end-point names. Once a malicious user has this information, they can review it to find a machine that seems important, or they may skip right to a direct attack on a random machine. Either way, the attacker now has a basic knowledge of what they can start forming an attack against.

Imagine that you are a burglar who wants to rob a house in a neighborhood. You don’t just want to drive to an address and hope it exists. You would first drive through the neighborhood and possibly go door to door pretending to sell something, so that you can figure out which houses are occupied and which ones are vacant. This may also give you hints as to which houses are worth robbing and which ones won’t be worth your time and effort, just from what you can see from the outside. This is basically what a ping sweep is. It passes through every address on the network, figuring out who is home and who isn’t. Then, with a little extra effort, it may also provide some more helpful information to identify which addresses are worth the time of a malicious attack and which ones aren’t.

A port scan is a more directed attack that tries to find an opening on a specific end-point for an attacker. At this point the attacker may have already conducted a ping sweep and found an address that they want to attempt to attack. They will then usually conduct a port scan on that address to identify any ports on the end-point that may be open. By determining which ports are open, the attacker has an idea of what type of services are running on that end-point (Conklin, White, Cothren, Williams, & Davis, 2004). This then allows the attacker to identify specific areas on which to focus further efforts to exploit a vulnerability. For instance, if someone were to leave the File Transfer Protocol (FTP) port 21 open on their machine with a generic username and password, someone may be able to copy all of the files off of that machine, essentially stealing corporate or personal information. Or they may be able to copy malicious files to the machine that look like safe files to any regular user; however, when they are run by the unsuspecting end-user, they turn out to be some type of malware that can severely compromise the integrity of the machine on a network.

Imagine that you are that burglar again. Now that you have identified a house to rob, you are going to want to find a way in. So naturally you are going to walk around the house and see if there are any possible entrances that may have been left open. You may check the doors, windows, possible access points into the basement, or maybe even an opening on the roof somewhere. This is what a port scan does: now that a malicious user has a target, they scan it for any type of possible entrance. Then, once they are able to identify an entrance, they attempt to go in and conduct their attack further. Some may want to steal everything you have right then and there, while others may be sneakier; they may set up a monitoring or remote logging session so that they can find out where all of your “real” secrets are and how to access them.

While both of these attacks have the ability to be a serious issue, with the proper implementation of information security policies and procedures and certain security devices and software, our risk of an attacker actually being successful is extremely limited. By just implementing a properly configured network, firewall, and host-based Intrusion Prevention System (IPS), our threat is extremely minimized (McKeag, 04). However, as with many things, constant monitoring and due diligence are always a must for the continued success of a person or business.
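The "constant monitoring" the last paragraph calls for can be made concrete: the two behaviours described above (one source pinging many hosts, then one source probing many ports on one host) each leave a distinctive footprint in firewall or IPS logs. The following is an added example, not code from the original post; it assumes a made-up, simplified log line format ("time proto src -> dst[:port]"), constructed sample lines using documentation address ranges, and assumed thresholds of five hosts or five ports.

```python
# Added example (not from the original post): flag ping sweeps and port
# scans in a constructed, simplified firewall log format:
#   "<time> <proto> <src> -> <dst>[:<port>]"
# Ping sweep: one source pings many distinct hosts. Port scan: one source
# probes many distinct ports on one host. Thresholds are assumptions.
from collections import defaultdict

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10:00:01 ICMP 203.0.113.9 -> 192.0.2.1
10:00:01 ICMP 203.0.113.9 -> 192.0.2.2
10:00:01 ICMP 203.0.113.9 -> 192.0.2.3
10:00:02 ICMP 203.0.113.9 -> 192.0.2.4
10:00:02 ICMP 203.0.113.9 -> 192.0.2.5
10:00:05 TCP 203.0.113.9 -> 192.0.2.3:21
10:00:05 TCP 203.0.113.9 -> 192.0.2.3:22
10:00:05 TCP 203.0.113.9 -> 192.0.2.3:23
10:00:05 TCP 203.0.113.9 -> 192.0.2.3:25
10:00:06 TCP 203.0.113.9 -> 192.0.2.3:80
10:00:07 ICMP 198.51.100.4 -> 192.0.2.3
10:00:08 TCP 198.51.100.4 -> 192.0.2.3:443
"""

def parse(line):
    """Return (proto, src, dst, port) for one log line; port is None for ICMP."""
    _time, proto, src, _arrow, target = line.split()
    if ":" in target:
        dst, port = target.rsplit(":", 1)
        return proto, src, dst, int(port)
    return proto, src, target, None

def detect(log_text, sweep_hosts=5, scan_ports=5):
    """Return {"sweeps": {src: n_hosts}, "scans": {(src, dst): n_ports}} over thresholds."""
    icmp_targets = defaultdict(set)  # src -> set of hosts it pinged
    tcp_ports = defaultdict(set)     # (src, dst) -> set of ports it probed
    for line in log_text.splitlines():
        proto, src, dst, port = parse(line)
        if proto == "ICMP":
            icmp_targets[src].add(dst)
        elif proto == "TCP":
            tcp_ports[(src, dst)].add(port)
    sweeps = {s: len(h) for s, h in icmp_targets.items() if len(h) >= sweep_hosts}
    scans = {k: len(p) for k, p in tcp_ports.items() if len(p) >= scan_ports}
    return {"sweeps": sweeps, "scans": scans}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The second source (198.51.100.4) pings one host and connects to one port, which is ordinary traffic, so only 203.0.113.9 is flagged for both behaviours.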


Bibliography

Conklin, A., White, G. B., Cothren, C., Williams, D., & Davis, R. L. (2004). Principles of Computer Security. Burr Ridge, Illinois: McGraw-Hill Companies Inc.
McKeag, L. (04, April 14). Defending yourself against port scanners. Retrieved March 2, 2011, from Techworld: http://features.techworld.com/security/490/defending-yourself-against-port-scanners/

2 comments:

  1. I like how you put it into layman's terms. I understand ping sweeps and port scans, but the uses seem so obvious to me that it's hard to put them into simple terms.
