Ping sweeps and ports scans are a common ways for hackers to probe a network and attempt to break into it. Although network probes are technically not intrusions themselves, they should not be taken lightly—they may lead to actual intrusions in the future. In the information that follows, I will provide a standard definition of a ping sweep and port scan, the possible uses of the two, and the prevention methods which are in place in our company to combat ping sweeps and port scans of our network by would be attackers.According to Whatis.
com, a ping sweep is a basic networking scanning technique used to determine which range of IP addresses are mapped to active computers. During a ping sweep, Internet Control Message Protocol (ICMP) Echo requests are sent to many computers, which determines which are active and which are not ("What is ping sweep (ICMP sweep)? - Definition from Whatis. com," n. d. ). If a given address is active, it will return an ICMP Echo reply and the attacker will then focus on those machines.
Hackers are not the only ones who perform ping sweeps. I use ping sweeps to find out which machines are active on the network for diagnostics reasons and our ISP (Internet Service Provider) uses automated ping operations to monitor their connection. Disabling the ICMP protocol is one option to prevent ping sweeps; however, doing so may cause problems with our ISP leading them to think that the connection is not functioning because their monitoring software tells them that the connection is down.Another consideration is that some of our software makes use of ping operations for their normal functioning as well, and these may believe that our computers are no longer responding if the ICMP is disabled. The solution to this situation is permitting ICMP only to a given computer or IP range. For example, we contacted our ISP and confirmed the IP addresses of the monitoring machines they are using, and then used the IP addresses to create an allow rule in our firewall for the ICMP protocol, which should solve the problem because our computers will respond to ICMP ECHO commands from our ISP, but not for everyone else.
Port scans are another tool used by hackers to break a network. Attackers use port scanning to discover services they can break into because machines that are connected to a Local Area Network or Internet run many services that listen at well-known ports. The general objective of a port scan is to map out the system's operating system and the applications and services it is running. A hacker can then test for vulnerabilities within the applications and plan an attack ("Port Scanning," n. d.
). Port scanners are software that identify which ports and services are open on an Internet-connected device ("How to protect against port scans," n. d. ).The scanner sends a connection request to the target computer on all 65536 ports, and records which ports respond and how.
The type of response received indicates whether the port is in use. I use this software to verify the security policies of the network, as well as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Our network currently has a network intrusion detection system (NIDS) which inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise the system.The NIDS will document all attempted attacks in a log and will also send an alert to the console regarding the attack. Our NIDS is configured inside of the firewall wall, so it will monitor attacks that penetrate the firewall as well as internal attacks.
I feel confident that the processes that we have in place are more than adequate to protect our network from ping sweeps and port scan attacks.Utilizing both the restrictive ICMP rules set up in our firewall to monitor ping activity and the Network Intrusion Detection System to monitor port scanning activity are recognized in the industry as "Best Practices". I will continue to stay on top of the current advances in this technology and implement all safeguards which are necessary to protect our network and the information which it contains. I will remain diligent and apprise you of any new developments which may affect the security of the network.