Scanning

In port scanning, adversaries collect information on the network services of a target network and attempt to find open ports on the target system. Typical techniques are the vanilla scan/SYN scan, strobe scan, sweep, passive scan, User Datagram Protocol (UDP) scan, FTP bounce scan and FIN scan.

Mitigation

  • A “connect scan-type” is the easiest to detect and prevent. In a connect scan the client initiates and establishes a full TCP connection with the server for each service it probes. Because the handshake completes, the client's real network address is revealed to the server, so the server knows the identity of the client performing the scan.
  • In a “half open” or “stealth” scan the client initiates but does not complete the connection for each service. An adversary can send a large number of connection-initiating (SYN) messages, each carrying a different source address. The server responds to every one of these TCP requests, but only the reply to the adversary's real address reaches the adversary. The server has no information with which to distinguish the adversary's genuine request from the bogus ones: it knows a stealth port scan is in progress but cannot identify the client or its IP address, and it cannot reject the scan without also rejecting connection requests from legitimate clients. Network forensic systems and machine learning can help detect “half open” port scanning.
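Detection of the two scan types above, as an added example that is not part of the original page: the script parses constructed flow records in a hypothetical key=value log format (state ESTABLISHED when the client completed the handshake, SYN_SENT when it did not), classifies each client address as a connect scan, a half-open scan or normal, and separately aggregates SYN-only probes per server so that a half-open scan spread across many spoofed source addresses is still visible. The thresholds and log format are assumptions, not a real product's output.

```python
import re
from collections import defaultdict
# Constructed sample log (hypothetical key=value format, not a real product's output).
# ESTABLISHED: client completed the three-way handshake; SYN_SENT: it never sent the final ACK.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.0.2.10 dport=22 state=ESTABLISHED
src=203.0.113.9 dst=192.0.2.10 dport=21 state=ESTABLISHED
src=203.0.113.9 dst=192.0.2.10 dport=22 state=ESTABLISHED
src=203.0.113.9 dst=192.0.2.10 dport=25 state=ESTABLISHED
src=198.51.100.7 dst=192.0.2.10 dport=21 state=SYN_SENT
src=198.51.100.7 dst=192.0.2.10 dport=22 state=SYN_SENT
src=198.51.100.7 dst=192.0.2.10 dport=25 state=SYN_SENT
src=198.51.100.8 dst=192.0.2.10 dport=8080 state=SYN_SENT
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) state=(\S+)")

def parse_flows(log_text):
    """Return (src, dst, dport, state) tuples; malformed lines are skipped, not fatal."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, dport, state = m.groups()
            flows.append((src, dst, int(dport), state))
    return flows

def classify_sources(flows, port_threshold=3):
    """Per client: 'connect-scan', 'half-open-scan' or 'normal' by distinct ports touched."""
    completed, half_open = defaultdict(set), defaultdict(set)
    for src, _dst, port, state in flows:
        # any flow that never reached ESTABLISHED counts as a half-open probe
        (completed if state == "ESTABLISHED" else half_open)[src].add(port)
    verdicts = {}
    for src in set(completed) | set(half_open):
        if len(half_open[src]) >= port_threshold:
            verdicts[src] = "half-open-scan"
        elif len(completed[src]) >= port_threshold:
            verdicts[src] = "connect-scan"
        else:
            verdicts[src] = "normal"
    return verdicts

def half_open_targets(flows, port_threshold=3):
    """Per server: distinct ports probed by SYN-only flows from any source (catches spoofed scans)."""
    probed = defaultdict(set)
    for _src, dst, port, state in flows:
        if state != "ESTABLISHED":
            probed[dst].add(port)
    return {dst: len(p) for dst, p in probed.items() if len(p) >= port_threshold}
```

Real deployments would feed conntrack, firewall or flow-export records into parse_flows and tune port_threshold to the environment's normal per-client port spread.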

en/threats/fruit/scanning.txt · Last modified: 2019/10/30 12:17 by Digital Dot