Security

Defend your network from slow scanning

Most serious attackers aren't going to advertise their intentions by performing a broad scan -- the smartest attackers will try to come in under your detection radar. Learn why attackers prefer slow scanning, learn about the tools they use, and find out how to defend against this low-and-slow approach.

There are a lot of security tools out there that will scan a wide range of ports and IP addresses. An intrusion detection system (IDS) will generally catch this type of broad scanning, because a quick sweep for open ports produces hundreds of log entries from one source address within seconds. The IDS then alerts someone to that burst, or, if it drives an inline firewall or IPS, blocks the source IP address outright.

However, most serious attackers aren't going to advertise their intentions by performing this type of scan. Instead, they'll go low and slow: a few minimal connection attempts at a time (often half-open SYN probes that never complete the handshake), spread out so that no short-window threshold is ever crossed, until they have mapped out your available resources.

Unfortunately, while the low-and-slow approach is time-consuming, it's not that difficult, and it's tough to defend against. That's why you need to understand this type of activity: familiarize yourself with the tools attackers use, and see for yourself how easy slow scanning is.

Learn the tools of the trade

There are several free port scanners available on the Web. Let's look at four of the most popular:

  • Nmap: This utility for network exploration or security auditing uses raw IP packets in novel ways to determine which hosts are available on the network, which services (e.g., application names and versions) those hosts are offering, which operating systems (and which OS versions) they're running, what type of packet filters or firewalls are in use, and dozens of other characteristics.
  • Angry IP Scanner: This utility can scan IP addresses in any range as well as any ports. It pings each IP address to check if it's alive; it can then resolve the hostname, determine the MAC address, and scan for open ports.
  • Unicornscan: Built specifically for UNIX-based systems, this network scanner grew out of the need to gather accurate data from UDP scans, so that a silent port can be told apart from one that is actually open or sitting behind a firewall.
  • Netcat: Sometimes called the network Swiss army knife, this is a network debugging and exploration tool. It can create almost any kind of TCP or UDP connection you would need, including binding to a port to accept incoming connections. Several variants exist (the original, GNU netcat, the OpenBSD rewrite, and Nmap's Ncat), and their switches differ slightly, so check the man page for the one installed on your system.

This list is just a sample of what attackers can find freely available on the Web. (Not all scanners allow users to throttle the scan to stay under an IDS threshold.) Now, let's look at how an attacker could use Netcat to map a network without tripping an IDS.

Understand low-and-slow scanning

Here's the syntax for Netcat:

nc [-options] hostname port[s] [ports]

Netcat offers the following command-line switches that someone can use to quietly explore a network:

  • -i secs (delay interval: wait this many seconds between ports scanned, and between lines sent)
  • -r (randomize the order in which the ports are tried, rather than walking them sequentially)
  • -v (verbose: display details on each connection)
  • -z (zero-I/O mode: connect, send no data, and just report whether the port accepted the connection)

Here's an example of using this tool to scan a specified Web server (the target address is a placeholder from the RFC 5737 documentation range):

nc -v -z -r -i 31 192.0.2.10 20-443

This tells the tool to perform the following:

  1. Scan the host 192.0.2.10.
  2. Scan TCP ports 20 through 443 (424 ports in all).
  3. Randomize the order in which the ports are tried.
  4. Use zero-I/O mode: open each connection, send nothing, and note only whether the port accepted it.
  5. Wait 31 seconds between attempts, so the whole range takes roughly three and a half hours (424 probes at 31 seconds each).
  6. Report each connection to the console.

An IDS would log these attempts, but would it flag them? Probably not: the ports arrive in random order, each probe is a single connection carrying no data, and more than half a minute passes between them, so the per-source rate never approaches a scan-detection threshold. (One caveat: Netcat's -z mode still completes the TCP handshake before closing, so the target service itself may log the connection. A true half-open scanner, such as Nmap's default SYN scan, never finishes the handshake and leaves even less of a trace at the application layer.) So how do you defend against this type of scanning?

Defend your network

Unfortunately, you have essentially two options for defending against low-and-slow scans: purchase a correlation tool that tracks each source address over hours or days, or do that correlation yourself by eyeballing (or scripting against) the logs. Either way, the signal is the same: it isn't in any single log entry or any one-minute window, it's in one source address touching many distinct ports over a long period. If your budget won't allow for new tools, here are some tips for scrutinizing the logs:

  • Look for scans that are persistent yet noninvasive: the same source address showing up day after day, touching a port or two at a time, never enough at once to trip a threshold.
  • Pay particular attention to TCP scans followed by UDP attempts against the same hosts. That two-pass pattern is how a methodical reconnaissance proceeds, not how a misconfigured client or random Internet noise behaves.
  • If you see repeated attempts over a period of time to map out ports on your network, trace and verify the activity to its origin, and block it at your outer security boundary.
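The correlation the tips above describe can be done with a short script rather than an expensive product. The following is an added example, not code from the article: it runs two rules over constructed, firewall-style log lines (the "timestamp action proto src dst dport" format and the three sample sources are assumptions for illustration). The first rule is the conventional short-window threshold an IDS applies, which catches a fast scanner and misses the slow one; the second keys on the source address over a multi-hour window, counts distinct destination ports, and notes whether TCP probes were followed by UDP ones.

```python
"""Low-and-slow scan detection over firewall-style log lines.

Added example for this article (not the article's own code).  The log line
format and the sample sources are constructed for illustration; adapt
parse_line() to whatever your firewall or IDS actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one assumed-format line: 'timestamp action proto src dst dport'."""
    ts, action, proto, src, dst, dport = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "action": action,
            "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def build_sample_log():
    """Constructed sample traffic (not a real capture) from three sources:
    a fast scanner, a slow scanner that finishes with UDP, and a normal client."""
    t0 = datetime(2024, 3, 1, 1, 0, 0)
    stamp = lambda dt: dt.strftime(TS_FMT)
    lines = []
    # Fast scanner: 30 distinct ports in 30 seconds, the kind an IDS threshold catches.
    for i in range(30):
        lines.append(f"{stamp(t0 + timedelta(seconds=i))} DROP TCP 203.0.113.5 192.0.2.10 {1000 + i}")
    # Slow scanner: one TCP port every 20 minutes for nearly four hours ...
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(f"{stamp(t0 + timedelta(minutes=20 * i))} DROP TCP 198.51.100.7 192.0.2.10 {port}")
    # ... then a second pass of UDP probes against the same host.
    for i, port in enumerate([53, 161, 500]):
        lines.append(f"{stamp(t0 + timedelta(hours=5, minutes=20 * i))} DROP UDP 198.51.100.7 192.0.2.10 {port}")
    # Normal client: many connections all day, but only ever to ports 80 and 443.
    for i in range(40):
        lines.append(f"{stamp(t0 + timedelta(minutes=7 * i))} ACCEPT TCP 192.0.2.50 192.0.2.10 {443 if i % 5 else 80}")
    return sorted(lines)


def _by_source(records):
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    for recs in by_src.values():
        recs.sort(key=lambda r: r["ts"])
    return by_src


def rate_alerts(records, burst_window=timedelta(minutes=1), min_ports=20):
    """Conventional IDS-style rule: many distinct ports from one source inside
    a short window.  Returns the set of source addresses that tripped it."""
    hits = set()
    for src, recs in _by_source(records).items():
        start = 0
        for end, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > burst_window:
                start += 1
            if len({x["dport"] for x in recs[start:end + 1]}) >= min_ports:
                hits.add(src)
                break
    return hits


def slow_scan_alerts(records, window=timedelta(hours=8), min_ports=10):
    """Long-window correlation per source: distinct (proto, port) pairs seen
    within `window`, how long the activity spanned, and whether the TCP probes
    were followed by UDP ones.  Returns {src: summary} for sources that qualify."""
    alerts = {}
    for src, recs in _by_source(records).items():
        best = None
        start = 0
        for end, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            ports = {(x["proto"], x["dport"]) for x in span}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                tcp_ts = [x["ts"] for x in span if x["proto"] == "TCP"]
                udp_ts = [x["ts"] for x in span if x["proto"] == "UDP"]
                best = {"distinct_ports": len(ports),
                        "probes": len(span),
                        "duration": span[-1]["ts"] - span[0]["ts"],
                        "tcp_then_udp": bool(tcp_ts and udp_ts and min(udp_ts) > max(tcp_ts))}
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    recs = [parse_line(line) for line in build_sample_log()]
    print("short-window rule flags:", sorted(rate_alerts(recs)))
    for src, summary in slow_scan_alerts(recs).items():
        print(f"long-window rule flags {src}: {summary}")
```

Run against the constructed log, the short-window rule flags only 203.0.113.5, while the long-window rule flags both scanners and reports the slow one as 15 distinct ports over five hours forty minutes with TCP followed by UDP; the normal client, with only two ports, is never flagged. The thresholds (10 ports in 8 hours here) are the knob to tune against your own baseline: set them from what your legitimate clients actually do, not from what you hope attackers will do.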

Final thoughts

The smartest attackers will always try to come in under your detection radar. Don't rely on automatic notifications to alert you to all the dangers to your organization's security. Read your logs, and draw your own conclusions as to what's going on with your network.

Let the automated systems find the script kiddies. Direct your focus on looking for that low-and-slow attempt to break into your network -- and stop them dead in their tracks.


17 comments
ejhonda

A good amount of detail and explanation for the scanning portion, but then the "Defend your network" section consists of 2 sentences and 3 bullet points? I use this analogy over and over, but this reminds me of the Monty Python skit where the announcer tells the audience they are going to be taught how to play the flute: "you blow in one end and run your fingers up and down the other end." And there ends the lesson. Simple, huh? This is the same tack this article takes with its actions section. This is the section that requires the MOST detail and explanation. My guess is that if someone is smart enough to understand how to implement the bullet points provided, then they already have been aware of this issue and are defending against it. The people that aren't aware of this issue, and are looking for real knowledge on how to defend their networks, are left with such generalized content as to be nearly useless. This isn't meant to pick on Chad, as this isn't the only article like this on Tech Republic - there are hundreds of other articles suffering from the same lack of useful content. It's a shame, because the idea behind this site is excellent, but it suffers greatly in the execution. I understand it's difficult and requires more effort, but why not put up articles that have some substance?

tonoohay

Sometimes the world has quirks to deal with. I found some random port probing coming through an ISP T1 link used for our "Global" coders to share and have access into the Development testing lab. Maybe three times a week with a specific IP address and HTTP/HTML layer only. Did the notice to the NW-Sec types and expected the ISP to be asked about it. Nothing back. No one even wanted the logs or sniffer captures? The frequency escalated and the episodes got more length and intensity? Right after my follow-up email to NW-Sec? Long story short, the NW-Sec had an insider working our European location who had an assignment to simulate an attack and analyze results. He had been "let go" more than a year before and seemed to want to continue the effort. I think the NW-Sec just wants to let the guy provide a free service and test their "honey pots" as needed.

ServiceTech

I've used AngryIP many times to gather information for the place that I work. It is now being detected and deleted by Symantec! Rather than give up my tools, I've changed AV vendors.

Michael Kassner

Thank you for the excellent post. I also would appreciate any clarification as to why TCP scans followed by UDP attempts have special significance?

sordito

I've been using pivot tables in Excel to analyze this. It is a manual process, but does let you correlate things in a hurry.

eliwap

Use PSAD for IPTables. You'll freak over how many nmap and ICMP probes your gateway gets and from where. Lower the threshold and increase the time it takes for PSAD to unblock the scanning IP address. After all, a lot of them come from dial-up connections.

ejhonda

Quick correction: I mistakenly attributed the skimpy 'how-to' section to Chad, when it's credited to Mike Mullins. Thanks to all for adding some useful dialog here.

dippleydokus

I agree, but media hype is about making people anxious, not about making people happy! To find out for real how to go about these things, check out wireshark.org and also look out for packet-level.com. Get Laura's Lab Kit CD from packet-level for $10 or so and go on from there. Best $10 I ever spent! (This is not a paid endorsement!)

paul.berra

As a Junior Systems Admin I am constantly looking to expand my knowledge. Normally I am enticed by a promising headline only to be let down by the true content.

drpruner

Easier than finding his avatar and breaking its digital kneecaps. :-) drp

ray.labrecque

My Symantec AV also started detecting Angry IP, you can set up Exceptions to eliminate this. Pain in the buttocks but better than dropping a tried and true AV scanner... Ray L.

Mond0

Changing AV vendors is not going to help once you're outside your network. I've carried my tools on CD for several years, but they can't be updated. You have to burn a whole new disc, instead. Recently, though, I started carrying a USB card reader for SD. This little thing is only slightly wider than a regular flash drive and the SD cards can be unlocked for updating, then locked to prevent changes. Also, I'm looking at the new mini-sd and waiting for the prices to come down to where their big brothers are.

mdhealy

Excel is actually a reasonably powerful data-mining tool; autofilter for instance. Also, it's pretty good at parsing text files -- and when Excel cannot parse a text file I find Perl certainly can! Often I use a Perl one-liner to convert a data file into something Excel can analyze.

Oktet

Oh, I am so sorry, I forgot to thank you for LLKv8. I already had Wireshark among many other tools, but LLKv8 is enlightening, so to speak. It took a couple of hours (-4 hours) to download on a T1 connection, the file is about 3.2 Gigs, and I just finished burning the ISO. So far, so good; again, thank you. Now for some fun with my lappy (laptop/testbed).

Oktet

Ten bucks for a CD, I guess it beats waiting for hours for the free download. How is it working out for you anyhow? I actually will be going to the website to do some reading in a few minutes.