Scanlogd: Port Detection Made Easy

Scanlogd is an open source program that detects and logs TCP port scans against your system. A port scan involves an attacker probing many destination ports, usually including some that turn out not to be listening. One signature that could be used for detecting port scans is "several packets to different destination ports from the same source address within a short period of time". Another is "SYN to a non-listening port", since legitimate clients rarely connect to ports nothing listens on.

Scanlogd: Detecting Port Scans

Different methods of detecting hostile activity have their own advantages and disadvantages, and each produces some false positives and false negatives. For example, an attacker can scan very slowly. Unless the target system is normally idle (in which case even a single packet to a non-listening port stands out), the attacker can make the delay between ports large enough that the probes are unlikely to be recognized as a scan. In addition, the attacker can send a large number of spoofed port scans (decoys) and only one scan from the real source address. Even if all of the scans are detected and logged, there is no way to tell which of the source addresses is real. All we can tell is that we have been port scanned.

The goal of scanlogd is not to detect every port scan, but to detect as many port scans as possible while remaining reliable enough to trust. A scan, for scanlogd, is a source address sending packets to several different ports within a short period of time; when it sees one, it writes a single line describing it via the syslog(3) mechanism. Because scanlogd only detects and logs, and never reacts on its own, it is safe to run on a production system. It must have access to raw IP packets to function, and can capture packets arriving at and leaving the system's interfaces, or passing across the network to which the system is attached. To obtain packets, scanlogd supports the raw socket interface on Linux, libnids, and libpcap.


What information do port scans give us? We cannot trust the source address; however, other information is often available. For example, if the TTL is 255, we know the packets are coming from a directly attached network regardless of what the source address field says: the initial TTL can never exceed 255 and every router decrements it, so a TTL of 255 means no router forwarded the packet. Similarly, if the TTL is 250, we know the attacker is at most 5 hops away, but not exactly how far, because we do not know which initial TTL the sender used. The starting TTL and source port numbers can also hint at which port scanner or operating system the attacker is using. For example, nmap sets the TTL to 255 and the source port to 49724, while the Linux kernel sets the TTL to 64. These fingerprints change between versions and are trivially altered by the attacker, so treat them as hints rather than evidence.
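The detection signature, the slow-scan and decoy evasions, and the TTL reasoning above can all be seen in a few lines of code. The following is an added example written for this page, not scanlogd's own code: a per-source sliding-window detector that counts distinct destination ports, emits a scanlogd-style log line, and annotates it with the hop bound derived from the TTL. The thresholds (7 distinct ports within 3 seconds), the simplified log format, the helper names and the sample packets are all assumptions constructed for illustration.

```python
"""Sliding-window TCP port-scan detector in the spirit of scanlogd.

Added example, not scanlogd's own code. The thresholds, the one-line log
format and the sample packets are assumptions constructed for illustration;
real scanlogd reads raw packets from the network and logs via syslog(3).
"""
from dataclasses import dataclass, field

MIN_DISTINCT_PORTS = 7         # assumed: distinct destination ports that make a scan
WINDOW_SECONDS = 3.0           # assumed: they must all arrive within this window
INITIAL_TTLS = (64, 128, 255)  # common initial TTLs (Linux/BSD, Windows, protocol max)


@dataclass
class Packet:
    ts: float     # arrival time in seconds
    src: str      # claimed source address (spoofable)
    dst: str
    dport: int
    ttl: int      # TTL as seen on the wire


@dataclass
class SourceState:
    first_ts: float
    ttl: int
    ports: list = field(default_factory=list)
    logged: bool = False


def hop_bound(ttl):
    """Hard upper bound on routers traversed: the initial TTL is at most 255,
    so a packet seen with TTL t crossed at most 255 - t hops. TTL 255 means
    nothing forwarded it, i.e. the sender is on a directly attached network."""
    return 255 - ttl


def guess_initial_ttl(ttl):
    """Likely initial TTL: the smallest common default not below the observed
    value. Only a hint; a scanner can set any TTL it likes."""
    return next((start for start in INITIAL_TTLS if ttl <= start), None)


class ScanDetector:
    """Counts distinct destination ports per claimed source address within a
    short window and records one log line per detected scan."""

    def __init__(self):
        self.state = {}   # claimed source address -> SourceState
        self.log = []

    def feed(self, pkt):
        st = self.state.get(pkt.src)
        # Start a fresh window once the old one has expired; this is exactly
        # what lets a sufficiently slow scan stay under the threshold.
        if st is None or pkt.ts - st.first_ts > WINDOW_SECONDS:
            st = SourceState(first_ts=pkt.ts, ttl=pkt.ttl)
            self.state[pkt.src] = st
        if pkt.dport not in st.ports:
            st.ports.append(pkt.dport)
        if not st.logged and len(st.ports) >= MIN_DISTINCT_PORTS:
            st.logged = True
            ports = ", ".join(str(p) for p in st.ports)
            line = (f"{pkt.src} to {pkt.dst} ports {ports}, TTL {st.ttl} "
                    f"(<= {hop_bound(st.ttl)} hops) @{pkt.ts:.1f}s")
            self.log.append(line)
            return line
        return None


PORTS = [21, 22, 23, 25, 80, 110, 143]


def scan(src, ttl, start, interval):
    """Constructed sample: one SYN per port from src, `interval` seconds apart."""
    return [Packet(start + i * interval, src, "10.0.0.1", p, ttl)
            for i, p in enumerate(PORTS)]


def run_sample():
    """Fast local scan, slow remote scan, and three decoy sources. Returns the
    log lines produced: only the fast scans are caught, and nothing in the log
    says which of the three decoy addresses is the real one."""
    packets = (scan("10.0.0.5", 255, 0.0, 0.1)         # fast, TTL 255: local sender
               + scan("198.51.100.7", 59, 10.0, 2.0)   # slow: evades the window
               + scan("203.0.113.2", 250, 20.0, 0.1)   # three simultaneous
               + scan("203.0.113.3", 250, 20.0, 0.1)   # sources, at most 5 hops
               + scan("203.0.113.4", 250, 20.0, 0.1))  # away: which is not spoofed?
    packets.sort(key=lambda p: p.ts)
    det = ScanDetector()
    for pkt in packets:
        det.feed(pkt)
    return det.log


if __name__ == "__main__":
    for line in run_sample():
        print("scanlogd-like:", line)
```

Running it logs four scans: the local one (TTL 255, so 0 hops) and the three decoys, each bounded to 5 hops by its TTL of 250, while the 2-second-interval scan from 198.51.100.7 never accumulates seven ports inside a window and is missed, which is the false negative the text describes. Lowering the threshold or widening the window would catch it, at the cost of more false positives from ordinary clients.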

Once an attack is recognized, the next issue is what to do about it. A typical action is to block the attacking host by reconfiguring the firewall's access lists or something similar. This, however, leads to an obvious Denial of Service (DoS) problem whenever the attack being detected is spoofable: an attacker can get arbitrary addresses blocked simply by forging them as the source. There are also implementation issues with this approach: firewall access lists and routing tables are of limited size, and even before the limit is reached, evaluating a growing rule set costs CPU. If the firewall goes down as a result, the entire network is denied service.

Another common action is to connect back to the attacking host for extra information. For spoofable attacks this is a bad idea, since we might end up being used to attack a third party. For non-spoofable attacks it might be worth implementing, with a lot of precautions: for example, we should be careful not to consume too many resources, including bandwidth and memory, on hosts that an attacker can make us contact.

Because of the many issues involved in responding to a port scan, scanlogd does nothing but log port scans, leaving the question of what to do to the administrator. What you do is a matter of your own discretion, but at the very least you should check system activity (connection logs, authentication logs, new listeners) around the time of a logged scan.


External Links:

The scanlogd home page


© 2013 David Zientara. All rights reserved. Privacy Policy