March 29, 2001, 12:00 AM

If you stay connected to the Internet, you will be scanned. It's a fact
of life. If you have a continuous connection, someone with bad
intentions will scan you regularly, and often. This week's column is a
basic primer on scanning: what it is, why it's done, and the wonderful
world of "secret handshakes" and stealth scans.

Scanning a system, or a network, is normally done in order to find out
what services are available. But remember, there are two groups who do
it regularly. The good guys -- system administrators and network
security folk -- do it to see what is exposed and thus vulnerable to
attack. The bad guys -- script kiddies and worse -- do it to see what
is exposed and thus vulnerable to attack. Funny, that is.

Scanning is like going up to an apartment building and knocking on each
door to see who is home. Are you running a Web server? A mail server?
BIND? Telnet? FTP? RPC? Those are the questions that scanning answers.
Unfortunately, the answers often reveal enough about your system to
allow an uncouth visitor unauthorized access.

I'm not talking about The Lone Gunmen kind of kung fu hackers. I'm
talking about someone with no greater skills than those possessed by a
high-school (or junior high-school) student who knows how to download
text and programs from the Net. A script kiddie who has found an
exploit that can gain access to any system running the right platform
and application. In addition to one of the thousands of widely
published exploits available on the Net, the attacker may also have
downloaded a port scanner, perhaps something as old as the freely
available version of ISS or as new as Beta 22.1 of NMAP 2.54. If the
attacker can find a match for a known exploit on your system, as
happens all the time to novices and professionals alike, it's all over.
They own you. And scanning is not even illegal. It's "casing the
joint," not robbery.

As people have become increasingly aware of the risks involved in
advertising to the world exactly what services they have running while
connected to the Net, scanners have had to become sneakier. It's no
longer a matter of downloading ISS (one of the earliest port scanners
available), pointing it at potential victims, and letting it try to
connect to every port from one to whatever.

The problem for the bad guys is that your machine usually logs each
connection that a scanner makes. Perhaps the most naive and
unsophisticated script kiddies don't realize that they are leaving
their fingerprints behind when they scan a system, but they should.
There are many ways to avoid being quite so conspicuous. For example,
many attackers run scans remotely from "owned" machines. That way
telltale traces don't lead directly to the culprit, but instead simply
point out another victim.
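The logging the column leans on is also the raw material for catching a scan. Below, as an added example rather than anything from the original column, is a small detector over constructed log lines written in the style of a netfilter LOG rule (the host name, addresses and timestamps are made up); it flags any source that probes at least five distinct TCP ports within sixty seconds. It reads packet-filter logs rather than application logs because the filter records the first packet of every probe, so a half-open scan that never completes a connection still shows up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of a netfilter LOG rule (host, addresses and times are made up).
# SYN marks the first packet of each probe, so a scan that never completes a connection still appears.
SAMPLE_LOG = """\
Mar 29 00:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 29 00:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 29 00:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 29 00:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 29 00:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 29 00:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=111 SYN
Mar 29 00:02:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Mar 29 00:05:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_probes(log_text):
    """Yield (timestamp, source address, destination port) for each logged TCP probe."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "TCP":
            # syslog stamps carry no year; strptime defaults to 1900, which is fine for differences
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), int(m.group("dpt"))

def find_scanners(log_text, min_ports=5, window_seconds=60):
    """Sources hitting >= min_ports distinct ports within window_seconds -> sorted ports they touched."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_probes(log_text):
        by_src[src].append((ts, dpt))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # advance start so that probes[start..end] all fall within window_seconds of each other
            while (probes[end][0] - probes[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({port for _, port in probes[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({port for _, port in probes})
                break
    return scanners

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```

The two probes from 198.51.100.4 are three minutes apart, so they only count as a scan if the window is widened to cover them; a real deployment would tune both thresholds to the traffic the host normally sees.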