Stay vigilant: protect your network from slow scanning attacks


Author: drinking water; source: IT168

Many security tools available today can scan a range of ports and IP addresses. However, an intrusion detection system (IDS) can usually catch this kind of obvious scanning and then either block the source IP address to stop the scan or automatically alert the security administrator: a fast, wide-ranging scan for open ports generates many log entries.


Figure 1. Scanning behavior is a prelude to hacker attacks

However, most serious attackers do not expose their intentions by running such scans. Instead, they slow down and use half-open connections to look for your available resources.

Unfortunately, although this slow approach is time-consuming, it is not difficult to carry out. More importantly, it is difficult to prevent. That is why you need to understand how this type of activity works. As the saying goes, know your enemy and know yourself, and you will never be in peril. First, familiarize yourself with the tools attackers use and see how easy a slow scan is to perform.

Get to know the tools attackers commonly use

There are several free port scanners available to anyone on the Internet. Let's take a look at the four most popular ones:

1. The king of port scanners: Nmap

The Nmap (Network Mapper) security scanner has been upgraded to version 4. It provides a wide range of port scanning techniques and is designed to scan networks large and small quickly for network profiling and security checks. This feature-rich tool can determine which hosts are on the network, which services those hosts offer, and which types of packet filters and firewalls are in use. It can also identify a machine's operating system remotely. It supports most Unix and Windows platforms, as well as Mac OS X and several handheld devices.

Figure 2. Nmap, the king of port scanners

The software has two modes, command line and graphical user interface, so users who are not comfortable at a command prompt can also use it easily.

Nmap is also a popular hacking tool. Attackers can use it to scan the ports of a target machine or network and gather vulnerability information. For example, a Windows computer can use hundreds of ports to communicate with other machines, and each port is a potential way for attackers to reach your network.

The software was used in the movie "The Matrix Reloaded". It also appeared in photos of US President Bush's inspection of the National Security Agency.

2. A high-speed scanner from abroad: Angry IP Scanner

Angry IP Scanner is a relatively small IP scanning program, but its capabilities are anything but small. It can check the status of remote host IP addresses in very little time and returns results quickly. It can scan for many items, including the remote host's name, the ports currently open, and whether the IP address is up, giving you a full picture of the remote host's status. It also lets you scan large ranges: if you are willing to wait, you can scan from 1.1.1.1 to 255.255.255.255, and Angry IP Scanner will ping each address and report its status.

Figure 3. Angry IP Scanner

3. An alternative port scanner: Unicornscan

Unicornscan is a port scanner built as an attempt at a user-land distributed TCP/IP stack for information gathering and correlation. It aims to give researchers a superior interface for introducing a stimulus into a TCP/IP device or network and measuring the response. Its main features include asynchronous stateless TCP scanning with all variations of TCP flags, asynchronous stateless TCP banner grabbing, and active/passive identification of remote operating systems, applications and components by analyzing responses. Like Scanrand, it is an alternative kind of scanner.

 


Figure 4. Unicornscan

4. The Swiss Army knife of network tools: Netcat

Netcat is a small, elegant tool known as the Swiss Army knife of the network security field. I believe many people are familiar with it. It is a simple but practical tool that reads and writes data across TCP or UDP network connections. It is designed as a stable backdoor tool that can easily be driven by other programs and scripts. It is also a powerful network debugging and testing tool that can establish almost any type of network connection you need.

 

Figure 5. Netcat

Next, we will use it as an example to show how a slow scan is carried out.

The tools above are only some of those attackers can find on the Internet for free; they are not the only scanners that can get a scan past an intrusion detection system. Now let's take Netcat as an example to see how attackers can evade the intrusion detection system when scanning a network.

Understand slow scanning

The following is the syntax of the Netcat command:

nc [-options] hostname port[s] [ports]

Netcat provides the following command-line options, which can be used to probe a network quietly:

· -i: delay interval (in seconds) between port probes

· -r: randomize the order in which ports are probed

· -v: display connection details

· -z: send the minimum amount of data needed to get a reply from an open port

The following is an example of using this tool to scan a specific network server:

nc -v -z -r -i 31 123.321.123.321 20-443

This command tells the scan tool to complete the following tasks:

1. Scan the IP address 123.321.123.321.

2. Scan the TCP ports from 20 to 443.

3. Randomize the order of the port scan.

4. Do not respond to open ports.

5. Send one probe every 31 seconds.

6. Log information to the terminal.

Although an intrusion detection system can record these scan attempts, do you think it will flag such activity? I don't think so, because they are random half-attempts with a long delay between each probe. So how should you defend against this type of scanning?

Defend your network against slow scanning attacks

Unfortunately, you have only two options for defending against this kind of slow scan: buy expensive protection tools, or review the intrusion detection system's logs with your own eyes. If your budget does not allow for new tools, the following tips can help when you review the logs in detail:

· Identify continuous intrusion scans

· Pay special attention to a TCP scan followed by a UDP attempt

· If you see repeated scanning attempts over a period of time that probe ports on your network, track and verify the source address of the activity, then block it at your outer security boundary.
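
Part of this log review can be scripted. The following is an added example, not part of the original article: it counts how many distinct ports each source probes on a host within a sliding window and shows that a probe every 31 seconds stays under a short window but stands out over an hour. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed firewall-style lines: '<ISO time> <src> <dst> <proto> <dport>'."""
    t0 = datetime(2024, 1, 1)
    lines = []
    # Slow scanner: one probe every 31 s to 40 different ports in 20-443, shuffled.
    for i in range(40):
        port = (i * 37) % 424 + 20
        ts = t0 + timedelta(seconds=31 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 192.0.2.10 TCP {port}")
    # Ordinary client: far more connections, but only to ports 80 and 443.
    for i in range(200):
        ts = t0 + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.5 192.0.2.10 TCP {(80, 443)[i % 2]}")
    return sorted(lines)

def parse(line):
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)

def max_distinct_ports(lines, window):
    """For each (src, dst) pair: most distinct ports probed inside any one window."""
    hits = defaultdict(list)
    for ts, src, dst, _proto, dport in sorted(parse(l) for l in lines):
        hits[(src, dst)].append((ts, dport))
    best = {}
    for pair, seq in hits.items():
        start, top = 0, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1          # slide the window's left edge forward
            top = max(top, len({port for _, port in seq[start:end + 1]}))
        best[pair] = top
    return best

def flag_sources(lines, window, threshold):
    """Sources that touched at least `threshold` distinct ports on one host."""
    counts = max_distinct_ports(lines, window)
    return sorted({src for (src, _dst), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    log = make_sample_log()
    # A 60 s window never holds more than two of the 31 s probes: nothing flagged.
    print("60 s window:", flag_sources(log, timedelta(seconds=60), 10))
    # A one-hour window sees all 40 ports from the slow source.
    print("1 h window: ", flag_sources(log, timedelta(hours=1), 10))
```

Counting distinct ports rather than raw connections keeps the busy but ordinary client out of the results.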

Summary

The smartest attackers will always approach your network beneath your detection radar. Do not rely too heavily on automated alerts to warn you of every risk to enterprise security. Read your logs and draw your own conclusions about the state of network activity.

Let the automated systems deal with the script kiddies. Focus your attention on attempts to intrude into your network through slow scanning, and block them.

 

 
