CSE 7349 Project Port Scan Detector PSD

Provided by: padmar
1
CSE 7349 - Project Port Scan Detector (PSD)
2
Introduction
  • Port Scanning is a method for discovering
    exploitable communication channels in a network.
  • The idea is to probe as many listeners as
    possible, and keep track of the ones that are
    receptive or useful to your particular need.
  • A hacker program uses port scanner logic and
    scans through all well-known ports (maybe all
    65535 ports) to find an open port with no
    security service deployed.

3
  • A port scan detector is a program that checks
    whether any port scans are in progress.
  • This can be done in real time or by analyzing a
    log file such as a tcpdump file.

4
Methods for detecting port scans
  • Several packets to different destination ports
    from the same source address within a short
    period of time.
  • SYN to a non-listening port.
  • There are many other ways to detect port scans,
    up to dumping all the packet headers to a file
    and analyzing them manually.
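
The first method above, as an added example that is not part of the original slides: a sliding-window counter of distinct destination ports per source address, run over a log file. It assumes text lines in `tcpdump -tt -n` format; the sample log, the helper names, the 5-second window and the 5-port threshold are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

def _syn(ts, src, dport):
    """Build one constructed SYN line in `tcpdump -tt -n` text format."""
    return (f"{ts:.6f} IP {src}.40000 > 192.168.1.10.{dport}: "
            "Flags [S], seq 1, win 1024, length 0")

# Constructed sample capture (not from the slides), sorted by timestamp:
#   10.0.0.5 probes six ports in half a second, 10.0.0.7 touches five ports
#   20 s apart, 10.0.0.9 reconnects to one port, plus one SYN-ACK reply.
T0 = 1700000000
SAMPLE_LOG = "\n".join(sorted(
    [_syn(T0 + i * 0.1, "10.0.0.5", p) for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [_syn(T0 + i * 20, "10.0.0.7", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [_syn(T0 + 1 + i, "10.0.0.9", 443) for i in range(6)]
    + [f"{T0}.050000 IP 192.168.1.10.22 > 10.0.0.5.40000: "
       "Flags [S.], seq 9, ack 2, win 512, length 0"],
    key=lambda line: float(line.split()[0])))

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"\d+(?:\.\d+){3}\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def detect_scans(log_text, window=5.0, port_threshold=5):
    """Map each source that sent SYNs to >= port_threshold distinct
    destination ports within `window` seconds to the ports it probed."""
    recent = defaultdict(deque)  # src -> (ts, dport) probes still in the window
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":  # bare SYN only; skips SYN-ACK "S."
            continue
        ts, src, dport = float(m["ts"]), m["src"], int(m["dport"])
        probes = recent[src]
        probes.append((ts, dport))
        while ts - probes[0][0] > window:  # expire probes older than the window
            probes.popleft()
        ports = {p for _, p in probes}
        if len(ports) >= port_threshold:
            flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The slow source 10.0.0.7 stays under the threshold with the default window, which shows how the choice of time window decides which scans this method can see.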

5
Scanning Techniques
  • FTP bounce attack
  • TCP connect()
  • TCP SYN scanning
  • TCP FIN scanning
  • Reverse ident scanning
  • UDP ICMP port unreachable scanning
  • ICMP echo scanning
  • UDP recvfrom() and write() scanning

6
Libpcap
  • System-independent interface for user-level
    packet capture.
  • Provides a portable framework for low-level
    network monitoring.
  • Applications include network statistics
    collection, security monitoring, network
    debugging, etc.
  • Available at http://www.tcpdump.org.