port scan detection
Hi there,
I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I have written code which is able to read all packets arriving on the device and extract the necessary information such as source & destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan. I have some questions regarding this:

1) How can I know if a port being scanned is "open" or not? (If the port is closed, and someone sends a packet/request to that port, doesn't it imply that it's an attack?)

2) Also, when I receive the packets, and I want to do real-time/live detection, should I only read the info in the packets, determine whether it is an attack and discard the packet after that, OR do I have to store the packets in some way in order to use them later for the detection?

Can anybody provide me with some info regarding this? I really need some help as I do not know how to proceed from this current point. Thanks
Re: port scan detection
Well, for a port being open, I would say you would somehow check if there is a program/service listening for connection requests. For example, if you wanted to get all the active phone numbers in a certain area code, you could simply dial them one by one. If someone picks up, then you say it is an "open" port. This isn't a perfect analogy, because you would get a different signal, but I hope you still get the point.
Re: port scan detection
I don't know anything about this, but if I wanted to, I would look at the source for nmap. nmap is a fairly popular port scanner for (Li, U)nix and you might get some ideas from it.
Re: port scan detection
This might help you a bit: http://www.cs.wright.edu/~pmateti/Courses/499/Probing/
Re: port scan detection
Thanks for the info guys... I have another question: Do you know how I can modify the attached file to determine/print the values of the flags in the TCP header (I'm talking about the FIN, SYN, RST, ACK... flags) when I receive the packets?
Thanks again for the info!
Re: port scan detection
I'm supposing you don't want to do a port scanner but you want to detect if you're the target of a port scanner, right?
In that case, the next thing I would do is to check if you receive connection requests from the same IP address but to a large number of different ports... This is not perfect because the one who is port scanning you can spoof his IP address, making connection requests with different IP numbers... but that's up to you to solve (but I don't think there's a real solution to this) ;)
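One way to put the two suggestions above together, as an added example that is not from this thread: decode the flag byte of a raw TCP header (the FIN/SYN/RST/ACK question) and count how many distinct destination ports each source IP touches within a short time window. The packets, the threshold of 5 ports and the 2-second window are constructed for the example; a real deployment would tune those values for its own traffic.

```python
import struct
from collections import defaultdict

# Flag bits live in byte 13 of the TCP header (right after the 4-bit data offset)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags(tcp_header: bytes) -> set:
    """Return the names of the flags set in a raw TCP header (at least 14 bytes)."""
    return {name for name, bit in TCP_FLAGS.items() if tcp_header[13] & bit}

def dst_port(tcp_header: bytes) -> int:
    """Destination port is the big-endian 16-bit field at bytes 2-3."""
    return struct.unpack("!H", tcp_header[2:4])[0]

class ScanDetector:
    """Alert when one source IP touches many distinct ports within the window."""
    def __init__(self, port_threshold=10, window_seconds=5.0):
        self.threshold, self.window = port_threshold, window_seconds
        self.seen = defaultdict(dict)  # src_ip -> {dst_port: last_seen_timestamp}

    def observe(self, src_ip: str, port: int, ts: float) -> bool:
        ports = self.seen[src_ip]
        ports[port] = ts
        for stale in [p for p, t in ports.items() if ts - t > self.window]:
            del ports[stale]  # forget ports not touched within the window
        return len(ports) >= self.threshold

def build_tcp_header(src_port: int, dport: int, flags) -> bytes:
    """Constructed 20-byte TCP header for testing (no options, zero checksum)."""
    flag_byte = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", src_port, dport, 0, 0, 5 << 4, flag_byte, 8192, 0, 0)

def run_sample():
    """Feed constructed traffic through the detector; returns (src_ip, port) alerts."""
    det = ScanDetector(port_threshold=5, window_seconds=2.0)
    alerts = []
    # Constructed scan: 192.0.2.10 sends bare SYNs to ports 20..30, 100 ms apart
    for i, port in enumerate(range(20, 31)):
        hdr = build_tcp_header(40000 + i, port, ["SYN"])
        flags = tcp_flags(hdr)
        if "SYN" in flags and "ACK" not in flags:  # only count new connection attempts
            if det.observe("192.0.2.10", dst_port(hdr), 0.1 * i):
                alerts.append(("192.0.2.10", port))
    # Constructed normal client: 198.51.100.7 opens 20 connections to port 80 only
    for i in range(20):
        hdr = build_tcp_header(50000 + i, 80, ["SYN"])
        if det.observe("198.51.100.7", dst_port(hdr), 0.1 * i):
            alerts.append(("198.51.100.7", 80))
    return alerts

if __name__ == "__main__":
    print(run_sample())
```

The scanning host trips the alert on its fifth distinct port and on every port after that, while the busy but single-port client never does; a spoofed source address, as the reply notes, would defeat the per-IP count.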