Case Study 1

Case Study 1 Ping Sweeps and Port Scans

Principles of Information Systems Security 3/3/12

Case Study 1

Ping Sweeps and Port Scans

Ping Sweeps and port scans are something that every network at will most likely have happen to it at some point. While these two things in and of themselves are not intrusive to your network, they can uncover holes or vulnerabilities in your network that can be exploited and used for malicious behavior. In this report I will make my assesment of whether or not these types of network occurrences should be something we should take note of and in fact be worried about. It is safe to say that any large network at some point has been probed by something like a port scan or an ping sweep. These types of probes should not be taken lightly. They can be used to uncover certain vulnerabilities in your network and be used as ways to gain access. Port scans are probably the most common type of network probe. A port scan is a way for an intruder to scan what services are running on any target machine. An intruder can then use this information and plan an attack on any service that could be vulnerable. A port scan is not very hard to perform and any can be written very easily by any good programmer using a language such as java or perl. All a port scan does is connect to a series of ports on a machine and sees what ports are respond and what ports dont. This will tell anyone that is trying to gain access to your network if there are any ports that are open that will allow them access and in turn give them control to your network. 2

Case Study 1

There is another sneakier more, stealthier kind of port scan that is called the half-open SYN scan. This type of scan will connect to the port but shut down the connection just before the full connection is made. This is where it gets its name half-open. This type of scan is harder to detect because the operating system usually will not catch this type of behavior because the connection to the port is never fully made. The most powerful and probably the most popular type of network probing tool around today is called Nmap or Network Mapper. Nmap is able to perform both types of port scans along with other types of probes. Ping sweeps are another form of network probe that most all large networks will be subject to. Ping sweeps are basically sending a set of pings to a set of network machines usually specified in a range of IP addresses. Really the only use of this type of probe is to see what machines are alive and which machines are not. In order to be able to efficiently scan hundreds or even thousands of remote addresses, an attacker will most likely use a multithreaded ping sweep tool, which allows an attacker to customize anything from a timeout setting to the ability to utilize multiple ping operations to be initialized and have running at the same time. This will maximize the number of remote addresses that can be scanned. While these types of probes on your network can pose certain threats if not dealt with effectively there are tools available to help identify these types of activities and also help identify them and hopefully deal with them. In the case of ping sweeps one of the simplest ways can be to disable the ICMP protocol. In conclusion port scans and ip sweeps are something that is going to happen on any large network. These types of probes can pose a threat and I feel they should not be taken lightly. There is little you can actually do to prevent them from happening however there are many steps that can be taken to ensure that any types of threats that can happen because of these types of probes are dealt with.

Case Study 1

It is my recommendation that we take every possible security step to ensure that our network is as protected as we most possibly can.

Case Study 1 References

Lawrence Teo (2000) Network Probes Explained: Understanding Port Scans and Ping Sweeps. Linux Journal. PCWorld (2002) Fighting back against port scans.