NetLib Blog

Posted by: NetLib on Monday, May 31, 2010
Originally published at: www.schneier.com
Copyright: 2005 Bruce Schneier

Are Port Scans Precursors to Attack?

December 15, 2005

Interesting research: "Port scans may not be a precursor to hacking efforts, according to conventional wisdom, reports the University of Maryland's engineering school. An analysis of quantitative attack data gathered by the university over a two-month period showed that port scans precede attacks only about five percent of the time, said Michel Cukier, a professor in the Centre for Risk and Reliability. In fact, more than half of all attacks aren't preceded by a scan of any kind, Cukier said."

I agree with Ullrich, who said that the analysis seems too simplistic:

"Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, said that while the design and development of the testbed used for the research appears to be valid, the analysis is too simplistic.

'Rather than counting the number of packets in a connection, it's far more important to look at the content when classifying a connection as a port scan or an attack,' Ullrich said.

Often, attacks such as the SQL Slammer worm, which hit in 2003, can be as small as one data packet, he said. A lot of the automated attacks that take place combine port and vulnerability scans and exploit code, according to Ullrich.

As a result, much of what researchers counted as port scans may have actually been attacks, said Ullrich, whose Bethesda, Md.-based organization provides Internet threat-monitoring services."
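The objection quoted above, worked through as an added example (not code from the original post or from the Maryland study): the same flows are labelled once by packet count and once by whether the source delivered any application data. The packet threshold, the Flow fields and the sample flows are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed cut-off for the packet-count heuristic; the page does not give the
# thresholds the study actually used.
SCAN_MAX_PACKETS = 4

@dataclass
class Flow:
    src: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    packets: int      # packets seen in the connection, both directions
    payload_len: int  # application-layer bytes sent by the source

def by_packet_count(flow):
    """Label a flow using only its size, the approach being criticised."""
    return "port_scan" if flow.packets <= SCAN_MAX_PACKETS else "attack"

def by_content(flow):
    """Label a flow by whether the source delivered application data.

    A probe that only tests whether a port answers carries no payload.
    Any payload has to be inspected before the flow can be called a scan.
    """
    return "port_scan" if flow.payload_len == 0 else "needs_inspection"

def disagreements(flows):
    """Flows the size heuristic calls a scan although they carried data."""
    return [f for f in flows
            if by_packet_count(f) == "port_scan"
            and by_content(f) != "port_scan"]

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE = [
    Flow("192.0.2.10", 22, "tcp", 2, 0),        # SYN answered by RST: a probe
    Flow("192.0.2.10", 23, "tcp", 2, 0),        # same source, next port
    Flow("198.51.100.7", 1434, "udp", 1, 376),  # one datagram carrying data
    Flow("203.0.113.5", 80, "tcp", 4, 212),     # short exchange with a request
    Flow("203.0.113.9", 445, "tcp", 40, 9000),  # long session
]

if __name__ == "__main__":
    for f in disagreements(SAMPLE):
        print(f"{f.src} -> {f.proto}/{f.dst_port}: {f.packets} packet(s), "
              f"{f.payload_len} payload bytes, counted as a scan by size alone")
```

The two flows it reports are the ones a size-only count would file under port scans, which is the miscount Ullrich describes.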


Tags: port, scans, security
 
NetLib is a subsidiary of Communication Horizons © 2011 Communication Horizons LLC.