Port scanning: Difference between revisions

	Main Article	Discussion	Related Articles  [?]	Bibliography  [?]	External Links  [?]	Citable Version  [?]
	This editable Main Article is under development and subject to a disclaimer. [edit intro]

Port scanning involves multiple computer network activities involving sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) identifiers of specific services on specific computers. It may be a perfectly legitimat operational function, or it may be part of preparation for attacks on the network or it hosts.

If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist. It is good when a security guard verifies that doors are properly locked, but when

There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages. In the case of TCP-based services, telnet is one way to script scans, but it is more common to see specific scan methods for specific application services that run over TCP.

Port scanning, in and of itself, is rarely considered a network attack, as it generates little traffic. It can find vulnerabilities against which specific attacks can be launched.

Simple Mail Transfer Protocol

One scan, which can be done for reasons good or ill, is trying to access the Simple Mail Transfer Protocol (SMTP) on TCP port 25. A very large amount of spam comes from broadband-connected personal computers attacked by botnets that insert SMTP servers on the machines, and use the differently-addressed to send a few spam emails each.

Internet-wide spam defense considers it inappropriate for end user computers to contain SMTP servers. This does not mean that such computers cannot have, and usually should have, SMTP clients that send to an authorized SMTP server inside their network. Network operators, and anti-spam groups, often scan end user address space looking for SMTP servers. Finding such servers strongly suggests that the machine has been compromised; SMTP traffic coming from end user address space can get an ISP blacklisted as a potential spam source.

Hypertext Transfer Protocol

It is quite common to have scans for the Hypertext Transfer Protocol (HTTP), the basic World Wide Web server protocol on TCP port 80. Web indexing services need to find servers, although promiscuous searching for port 80 is not the best way of doing so.

Internet Service Providers with a small and home office market often have an acceptable use policy that forbids HTTP servers on end user machines. They may well offer individual web server hosting, but on computers they operate and onto which their users can install websites. There are a variety of reasons they do this, the most basic being that putting any Internet server on a dynamically assigned address, common in the small and home office (SOHO) market, is essentially futile; the outside world cannot find that address and even customers of the same ISP cannot assume the address will remain constant.

From an operational and commercial standpoint, ISPs may engineer their end user access networks on the assumption that the computers on them will generate amounts of traffic characteristic of clients. A Web server, which becomes popular, can cause the end user network to become overwhelmed with traffic to it, denying service to other users of the same access network.

Searching for HTTP clients, on random high-numbered ports, is likely to be the act of an attacker trying to hijack or disrupt HTTP sessions.