Port scanning, the practice of probing computers for open and unprotected ports, isn't much of a harbinger of an attack on its own, a University of Maryland researcher said Monday.
Michel Cukier, an assistant professor at the College Park, Maryland-based school, said that, contrary to common thought, a port scan is rarely followed by an attack. In fact, only about five percent of the attacks his team recorded were preceded by a port scan alone.
"But when you combine port scans with other kinds of scans, particularly vulnerability scans, there's a much higher probability of an attack," said Cukier.
Nearly three-quarters of the attacks prefaced by some kind of scan came after both a port and a vulnerability scan were run against the exposed PCs, noted Cukier's report.
"The identification of port scans and vulnerability scans launched from a single source IP address is a good indicator that an attack will follow from the same IP address," said the report.
To quantify the relationship between scans and attacks, Cukier and several graduate students created a small subnet on the University's network. Using a honeypot-style setup that deliberately exposed a pair of Windows 2000 PCs to attack, Cukier and his students left the machines unpatched against 25 Microsoft vulnerabilities disclosed from 2000 through 2004. They then tracked the number of port scans and vulnerability scans -- the latter probe for specific vulnerable services rather than merely for open ports -- and counted the number of attacks that followed.
The data took Cukier by surprise. Not only had he expected to see a higher correlation between port scanning and attacks, but the analysis also showed that it was relatively easy to spot the difference between a port scan and a more dangerous vulnerability scan simply by counting up the number of data packets received by the PC.
"What surprised me was how we could identify a port scan from a vulnerability scan," said Cukier.
Nearly all vulnerability scans -- 99.9 percent -- consisted of between 6 and 12 packets; simple port scans, meanwhile, almost always consisted of five or fewer packets.
That difference in packet count could be used by security software, said Cukier, to separate relatively benign port scanning -- often done by unsophisticated "script kiddies" -- from the more dangerous vulnerability scans.
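Cukier's packet-count heuristic and the report's "both scan types from one source IP" indicator, as an added example that is not part of the article or of the Maryland study: constructed firewall-style log lines are grouped into scans per source/destination pair (the idle-timeout grouping is an assumption of this example; the article reports only per-PC packet counts), each scan is classified with the article's bands (five or fewer packets for a port scan, 6 to 12 for a vulnerability scan), and source addresses that produced both kinds are flagged. The log lines, addresses and timestamps are all constructed; the 60-second idle timeout is an assumed value.

```python
"""Classify scans by packet count and flag sources that ran both kinds.

Added example, not code from the article or from Cukier's study. It applies
the packet-count bands quoted in the article (port scan: <= 5 packets,
vulnerability scan: 6-12 packets) to constructed log lines. Treating a "scan"
as all packets from one source to one host with gaps of at most IDLE_TIMEOUT
seconds is an assumption made here, not something the study states.
"""
from collections import defaultdict

IDLE_TIMEOUT = 60           # assumed: seconds of silence that end one scan
PORT_SCAN_MAX = 5           # article: port scans were almost always <= 5 packets
VULN_SCAN_MIN, VULN_SCAN_MAX = 6, 12   # article: 99.9% of vuln scans were 6-12

# Constructed sample, not real traffic: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
1000 198.51.100.7 192.0.2.10 21
1001 198.51.100.7 192.0.2.10 80
1002 198.51.100.7 192.0.2.10 135
1003 198.51.100.7 192.0.2.10 139
1004 198.51.100.7 192.0.2.10 445
1300 198.51.100.7 192.0.2.10 445
1301 198.51.100.7 192.0.2.10 445
1302 198.51.100.7 192.0.2.10 139
1303 198.51.100.7 192.0.2.10 445
1304 198.51.100.7 192.0.2.10 445
1305 198.51.100.7 192.0.2.10 139
1010 203.0.113.5 192.0.2.10 22
1011 203.0.113.5 192.0.2.10 80
1012 203.0.113.5 192.0.2.10 443
1100 203.0.113.9 192.0.2.11 135
1101 203.0.113.9 192.0.2.11 135
1102 203.0.113.9 192.0.2.11 135
1103 203.0.113.9 192.0.2.11 135
1104 203.0.113.9 192.0.2.11 135
1105 203.0.113.9 192.0.2.11 135
1106 203.0.113.9 192.0.2.11 135
"""
# Constructed edge case: 14 packets, above both bands the study reports.
SAMPLE_LOG += "".join(f"{1200 + i} 203.0.113.200 192.0.2.10 80\n" for i in range(14))


def parse_log(text):
    """Parse 'ts src dst dport' lines into (ts, src, dst, dport) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((int(ts), src, dst, int(dport)))
    return sorted(records)


def sessionize(records, idle_timeout=IDLE_TIMEOUT):
    """Group packets into scans: same (src, dst), consecutive gaps <= idle_timeout."""
    open_sessions = {}   # (src, dst) -> scan currently being built
    finished = []
    for ts, src, dst, dport in records:
        key = (src, dst)
        sess = open_sessions.get(key)
        if sess is None or ts - sess["end"] > idle_timeout:
            if sess is not None:
                finished.append(sess)          # gap too long: previous scan is done
            sess = {"src": src, "dst": dst, "start": ts, "end": ts,
                    "packets": 0, "ports": set()}
            open_sessions[key] = sess
        sess["end"] = ts
        sess["packets"] += 1
        sess["ports"].add(dport)
    finished.extend(open_sessions.values())
    return sorted(finished, key=lambda s: (s["start"], s["src"]))


def classify(packet_count):
    """Apply the article's packet-count bands to a single scan."""
    if packet_count <= PORT_SCAN_MAX:
        return "port_scan"
    if VULN_SCAN_MIN <= packet_count <= VULN_SCAN_MAX:
        return "vuln_scan"
    return "unclassified"   # the study reports no band above 12 packets


def likely_attackers(sessions):
    """Source IPs seen running both a port scan and a vulnerability scan.

    This is the report's indicator: both scan types from one source IP
    suggest an attack will follow from the same address.
    """
    kinds = defaultdict(set)
    for sess in sessions:
        kinds[sess["src"]].add(classify(sess["packets"]))
    return sorted(src for src, seen in kinds.items()
                  if {"port_scan", "vuln_scan"} <= seen)


if __name__ == "__main__":
    scans = sessionize(parse_log(SAMPLE_LOG))
    for s in scans:
        print(f'{s["src"]:>14} -> {s["dst"]:<12} {s["packets"]:>3} pkts '
              f'{len(s["ports"])} ports  {classify(s["packets"])}')
    print("sources with port + vulnerability scan:", likely_attackers(scans))
```

Run stand-alone, the script lists five scans and flags only 198.51.100.7, which first swept five ports and then returned to hammer ports 139 and 445; the 14-packet burst is left unclassified because the study gives no band for it, which is the honest choice for a heuristic built on two reported ranges.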
Unfortunately, not all attacks can be predicted from preceding scans. Half of all the attacks on Cukier's PCs weren't prefaced by any type of scan, but were launched blindly by hackers. (In comparison, 39 percent of all the attacks came after both a port scan and a vulnerability scan.)
"We wanted to see if there was a link between port scans and attacks," concluded Cukier.
On their own, it seems, there isn't much of one.