
PREVENTION OF PORT SCANNING NetAegis

Vinoth.L, V.Eashwar, Department of Computer Science & Eng.


4/10/12

Port Scanning: What is it?

Definition: A technique for discovering a host's weaknesses by sending port probes.

Its role in hacking: a prerequisite for hacking, used to learn about the victim host/network.

Types of Port Scanning

Vertical scanning: Attackers scan some or all ports on a single host, intending to characterize the services running on it.

Horizontal scanning: Attackers scan the ports on multiple IP addresses in some range of interest to find which host is active and probe the topology of

Scanning Methodologies

* TCP connect port scan
* TCP half-open scan
* TCP FIN scan
* TCP ACK scan
* TCP reverse ident scan, etc.

Current trends

Anomaly-based detection: detecting zero-day attacks

Signature-based detection: detecting based on previous occurrences


How it all started


[Figure: sender and receiver connected across the INTERNET. Each side shows the protocol stack (Application, Transport, Network, Interface, Data link and Physical layers) with an Aegis Server (ACL) and an Aegis Client (Service List) behind the sender's and the receiver's firewall. ACL = access control list.]

[Figure: Aegis packet formats. Aegis type 1 fields: IP address (destination), port id, service; example values 192.168.3.1, 80, http. Aegis type 2 fields: IP address, Port No, IP address (destination), Port No, type of service, Acknowledgement; example values 192.168.2.1, 4099, 192.168.3.1, 80, http.]

[Figure: Network layer processing. Labels: IP packets, input module, type of mode, Queue 1, Queue 2, resolved cache table, output module, Pos ACK, Neg ACK; Aegis type 2 and the user's packet are passed to the Data link layer.]

Overview of the mechanism:

Step 1: Generation of Aegis packet type 2.
Step 2: Generation of Aegis packet type 1.
Step 3: Receiver-side authentication.
Step 4: On a positive ACK, forward the packets in the queue; on a negative ACK, drop the packets.
Step 5: On the receiver side, check against the access control list (ACL) and then forward to the destination.

Conclusion

* A threshold value is set, which indicates the number of possible port probes within the time constraint.
* Port probes are minimized and the probability of a mismatch is maximized.
* The vulnerability of the network to the attack decreases drastically.
* Because the attacks are time constrained, the port scanning process is delayed.
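The threshold in the conclusion, combined with the vertical/horizontal distinction from the earlier slide, can be expressed as a sliding-window counter per source address. This is an added example, not NetAegis code; the 10-second window, the threshold of 5, the event tuple layout and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10  # assumed time constraint
THRESHOLD = 5        # assumed probe threshold per source within the window

def classify_scans(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: (timestamp, src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: {"vertical", "horizontal"}} for sources over threshold."""
    recent = defaultdict(deque)   # src -> probes still inside the window
    findings = defaultdict(set)
    for ts, src, dst, port in sorted(events):
        q = recent[src]
        q.append((ts, dst, port))
        while ts - q[0][0] > window:   # expire probes older than the window
            q.popleft()
        ports_per_host = defaultdict(set)
        for _, d, p in q:
            ports_per_host[d].add(p)
        # Vertical: many distinct ports probed on a single host.
        if any(len(ports) > threshold for ports in ports_per_host.values()):
            findings[src].add("vertical")
        # Horizontal: many distinct hosts probed by the same source.
        if len(ports_per_host) > threshold:
            findings[src].add("horizontal")
    return dict(findings)

def sample_events():
    """Constructed connection attempts, not captured traffic."""
    ev = []
    # One source, 8 ports on one host in under a second.
    ev += [(i * 0.1, "10.0.0.5", "192.168.3.1", 20 + i) for i in range(8)]
    # One source, port 80 on 8 different hosts.
    ev += [(1 + i * 0.1, "10.0.0.9", f"192.168.3.{i + 1}", 80) for i in range(8)]
    # 6 ports on one host, 12 s apart: never more than one probe per window.
    ev += [(i * 12.0, "10.0.0.8", "192.168.3.1", 8000 + i) for i in range(6)]
    # Ordinary client repeatedly using a single service.
    ev += [(i * 15.0, "10.0.0.7", "192.168.3.1", 80) for i in range(3)]
    return ev

if __name__ == "__main__":
    for src, kinds in sorted(classify_scans(sample_events()).items()):
        print(src, sorted(kinds))
```

The 10.0.0.8 case shows why the window length matters when tuning: its probes are counted only against others inside the same window, so the threshold and the time constraint have to be chosen together.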
