Port numbers 0 through 1023 are the well-known ports. On most systems only the operating system, or a program started by a privileged user, can bind to them, and by convention they are reserved for standard services. A service listening on a well-known port is therefore often running with elevated privileges, so if attackers exploit a flaw in that service they can potentially gain control of the server.
In an effort to compromise a network, attackers use several generic schemes to scan ports. The following examples focus on TCP and UDP scanning:
TCP connect() scanning is the most basic form of TCP scanning. The attacker's host issues a connect() system call to every interesting port on the target machine. If the port is listening, connect() completes the full three-way handshake and succeeds; if the port is closed, the target answers with a RST and connect() fails immediately; if a firewall silently drops the probe, the call times out. This scheme is fast and requires no special privileges, because any unprivileged process can call connect(). Its drawback is that it is noisy: every open port sees a connection that is completed and then torn down at once, so the target's service logs and any intrusion detection system can easily record the scan and block the scanning host.
UDP Internet Control Message Protocol (ICMP) port unreachable scanning is one of the few UDP scans. UDP is a connectionless protocol, so it is harder to scan than TCP because a UDP service is not required to answer a probe. Most IP implementations do, however, generate an ICMP port unreachable error (ICMP type 3, code 3) when a packet arrives for a closed UDP port. Receiving that error marks the port as closed; a lack of any response is taken to indicate an active port.
Unfortunately, UDP port scanning is not as reliable as TCP port scanning. If a firewall between the scanner and the target simply drops UDP traffic without sending any response, the scan sees exactly the silence it would see from an open port and reports the port as open. Many hosts also rate-limit the ICMP errors they send, so a fast scan across many closed ports misses some of the port unreachable messages and misreports those ports for the same reason.
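As an added example, not code from the original page, both scans described above are implemented here with plain sockets in Python: a TCP connect() scan that classifies a port by how connect() succeeds or fails, and a UDP scan that relies on the ICMP port unreachable error, which the kernel delivers to a connected UDP socket as ECONNREFUSED. The targets are constructed on 127.0.0.1 (a TCP listener, a UDP socket that never answers, and freshly released closed ports) so the example runs offline; the state names "filtered" and "open|filtered" are assumed scanner conventions rather than terms from the page.

```python
import errno
import socket

# Added example (not from the original page). Targets are constructed on the
# loopback interface so the scans can be run offline against known states.
TARGET = "127.0.0.1"


def tcp_connect_scan(host, port, timeout=1.0):
    """TCP connect() scan of one port: returns 'open', 'closed' or 'filtered'.

    connect() drives the full three-way handshake, so 'open' means the target
    completed (and will log) a connection. No raw sockets or privileges needed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                      # SYN/ACK received, handshake completed
    except socket.timeout:
        return "filtered"                  # neither SYN/ACK nor RST: probe dropped
    except ConnectionRefusedError:
        return "closed"                    # target replied with RST
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"              # ICMP unreachable from a router
        raise
    finally:
        s.close()


def udp_icmp_scan(host, port, timeout=1.0, payload=b"\x00"):
    """UDP scan of one port: returns 'closed', 'open' or 'open|filtered'.

    The socket is connect()ed so the kernel maps an incoming ICMP port
    unreachable (type 3, code 3) for this flow onto recv() as ECONNREFUSED.
    Silence cannot be resolved: a quiet open service and a firewall that
    drops UDP look identical, hence the combined 'open|filtered' state.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"                  # the service answered the probe
        except ConnectionRefusedError:
            return "closed"                # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"         # no reply: open, rate-limited ICMP, or dropped
    finally:
        s.close()


def scan(host, tcp_ports=(), udp_ports=(), timeout=1.0):
    """Scan every interesting port and return {('tcp'|'udp', port): state}."""
    results = {}
    for p in tcp_ports:
        results[("tcp", p)] = tcp_connect_scan(host, p, timeout)
    for p in udp_ports:
        results[("udp", p)] = udp_icmp_scan(host, p, timeout)
    return results


# Helpers that build the constructed targets used by the demonstration.

def listen_tcp(host=TARGET):
    """Listening TCP socket on an ephemeral port. The kernel completes the
    handshake into the backlog even though nobody calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def bind_udp(host=TARGET):
    """Bound UDP socket that never answers: the 'open but silent' case."""
    u = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    u.bind((host, 0))
    return u


def free_port(udp=False, host=TARGET):
    """Pick a currently closed port by binding and immediately releasing it."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, kind)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    tcp_srv, udp_srv = listen_tcp(), bind_udp()
    open_tcp, open_udp = tcp_srv.getsockname()[1], udp_srv.getsockname()[1]
    closed_tcp, closed_udp = free_port(), free_port(udp=True)
    found = scan(TARGET, (open_tcp, closed_tcp), (open_udp, closed_udp), 0.5)
    for (proto, port), state in sorted(found.items()):
        print("%s/%d: %s" % (proto, port, state))
    tcp_srv.close()
    udp_srv.close()
```

Run against the constructed targets, the TCP listener reports open, the released TCP port reports closed (the RST arrives instantly), the silent UDP listener reports open|filtered, and the released UDP port reports closed only when the ICMP error is actually delivered; if the host suppresses or rate-limits those errors it also shows open|filtered, which is exactly the ambiguity the paragraph above describes.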
See also: Default ports used by some well-known Trojan programs.