Port scanners

A port scanner is a piece of software used to detect whether particular ports of a host (e.g. an MFP) are enabled ("open") or disabled ("closed"). System and network administrators use port scanners to check the security of a network. But port scanners can also be used by unauthorized persons to find open ports through which a system and its data can be accessed. Port scanners make use of the messages defined by network protocols such as TCP or UDP (for TCP, the messages of the connection handshake). When the port scanner sends a particular message to the host on which it searches for open ports, the host sends the reply the protocol defines for that situation. Even if no reply is sent, the port scanner can draw a conclusion from that. There are three cases:

- The host sends a reply corresponding to the message sent by the port scanner. This kind of reply indicates that the port is open: a service is running on the host and can be accessed.

- The host sends an error message or a corresponding reply that indicates a closed

- The host sends no reply at all. Usually, this indicates that the port is blocked or filtered in some way.

Open ports present the highest risk, as they offer potential attackers the opportunity to attack the services and applications associated with those ports as well as the operating system of the host. There are different types of port scans, each associated with a particular protocol and a particular message of that protocol. For example, the TCP SYN scan method makes use of the SYN message. Normally, this message is sent as the first message of the handshake when a host wants to establish a connection. The TCP SYN scan method consists of the following steps:

1. The port scanner sends a SYN message to a port of the host.

2. If the port is closed, the host sends an RST message. If the port is open, the host sends a SYN/ACK message. If the port is filtered, the host sends no reply at all.

3. When the port scanner receives the SYN/ACK message, it replies by sending an RST message. This message breaks off the handshake.

From the attacker's point of view, the advantage of this method is that no connection is actually established, as the port scan is carried out at the handshake level. Accordingly, there will be no entry in the log of the corresponding service. However, many firewalls are able to detect this kind of port scan, because the half-open handshakes (SYN, SYN/ACK, then RST instead of ACK) across many ports from one source are themselves a recognisable pattern.
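The following is an added example, not code from the original page: it applies the three-case classification above (SYN/ACK means open, RST means closed, no reply means filtered) to a constructed packet capture and flags sources that probe several ports on a host without ever completing a handshake, which is the half-open pattern a firewall or IDS looks for. The addresses, ports and packet records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (src, sport, dst, dport, flags).
# 10.0.0.5 runs a SYN scan against the MFP at 10.0.0.9;
# 10.0.0.7 is a legitimate client completing a connection to port 631.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 80,    "S"),
    ("10.0.0.9", 80,    "10.0.0.5", 40001, "SA"),   # open port answers SYN/ACK
    ("10.0.0.5", 40001, "10.0.0.9", 80,    "R"),    # scanner breaks off the handshake
    ("10.0.0.5", 40002, "10.0.0.9", 23,    "S"),
    ("10.0.0.9", 23,    "10.0.0.5", 40002, "RA"),   # closed port answers RST
    ("10.0.0.5", 40003, "10.0.0.9", 9100,  "S"),    # no reply at all: filtered
    ("10.0.0.7", 50000, "10.0.0.9", 631,   "S"),
    ("10.0.0.9", 631,   "10.0.0.7", 50000, "SA"),
    ("10.0.0.7", 50000, "10.0.0.9", 631,   "A"),    # legitimate client completes handshake
]


def probe_states(packets, target):
    """Infer, per probing source, the state of each port it sent a SYN to on `target`:
    SYN/ACK reply -> open, RST reply -> closed, no reply -> filtered.
    Also record ports on which the source completed the handshake with a final ACK."""
    states = defaultdict(dict)      # src -> {dport: "open" | "closed" | "filtered"}
    completed = defaultdict(set)    # src -> ports where a full three-way handshake happened
    for src, sport, dst, dport, flags in packets:
        if dst == target and flags == "S":
            states[src].setdefault(dport, "filtered")   # assume filtered until a reply arrives
        elif src == target:
            # Reply from the target; here `sport` is the probed port, `dst` the prober.
            if "S" in flags and "A" in flags:
                states[dst][sport] = "open"
            elif "R" in flags:
                states[dst][sport] = "closed"
        if dst == target and flags == "A":
            completed[src].add(dport)
    return states, completed


def syn_scanners(packets, target, min_ports=2):
    """Sources that probed at least `min_ports` ports on `target` and never completed
    a handshake on any of them: the half-open signature of a TCP SYN scan."""
    states, completed = probe_states(packets, target)
    return sorted(src for src, ports in states.items()
                  if len(ports) >= min_ports and not completed[src])


if __name__ == "__main__":
    inferred, _ = probe_states(PACKETS, "10.0.0.9")
    print(dict(inferred))                         # per-source port states
    print(syn_scanners(PACKETS, "10.0.0.9"))      # ['10.0.0.5']
```

The `min_ports` threshold is a constructed tuning knob; in a real network it would be raised well above 2 to avoid flagging a client that merely retried a failed connection.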