Defend your network from slow scanning

Topic: Network Management
Posted in community: Networking Solution and Guides
Activity: 1 comment, 255 views, last activity: 07 06 2010 20:18:04 +0000
Most serious attackers aren't going to advertise their intentions by performing a broad scan—the smartest attackers will try to come in under your detection radar. In this edition of Security Solutions, Mike Mullins discusses why attackers prefer slow scanning, examines the tools they use, and tells you how to defend against this low-and-slow approach.

There are a lot of security tools out there that will scan a wide range of ports and IP addresses. An intrusion detection system (IDS) will generally catch this type of broad scanning. It will then shut it down by blocking the source IP address or alerting someone to the multiple log entries created by a broad, quick scan for open ports.

However, most serious attackers aren't going to advertise their intentions by performing this type of scan. Instead, they'll go low and slow using half-connection attempts to map out your available resources.

Unfortunately, while the low-and-slow approach is time-consuming, it's not that difficult—and it's tough to defend against. That's why you need to understand this type of activity by familiarizing yourself with the tools attackers use and learning how easy slow scanning is.

Learn the tools of the trade

There are several free port scanners available on the Web. Let's look at four of the most popular:

  • Nmap: This utility for network exploration or security auditing uses raw IP packets in novel ways to determine which hosts are available on the network, which services (e.g., application names and versions) those hosts are offering, which operating systems (and which OS versions) they're running, what type of packet filters or firewalls are in use, and dozens of other characteristics.
  • Angry IP Scanner: This utility can scan IP addresses in any range as well as any ports. It pings each IP address to check if it's alive; it can then resolve the hostname, determine the MAC address, and scan for open ports.
  • Unicornscan: Built specifically for UNIX-based systems, this network scanner developed from the need to accurately gather data from UDP scans to indicate whether a port is actually open or sitting behind a firewall.
  • Netcat: Sometimes called the network Swiss army knife, this is a network debugging and exploration tool. It can create almost any kind of connection you would need, including port binding to accept incoming connections. There are six variations of this tool.

This list is just a sample of what attackers can find freely available on the Web. (Not all scanners allow users to throttle the scanning to avoid IDS detection.) Now, let's look at how an attacker could use the Netcat tool to evade IDS flags for scanning the network.

Understand low-and-slow scanning

Here's the syntax for Netcat:

nc [-options] hostname port[s] [ports]

Netcat offers the following command-line switches that someone can use to quietly explore a network:

  • -i (seconds delay interval for ports scanned)
  • -r (randomize port discovery)
  • -v (display details on the connections)
  • -z (send a minimum amount of data to obtain an answer from an open port)

Here's an example of using this tool to scan a specified Web server:

nc -v -z -r -i 31 123.321.123.321 20-443

This tells the tool to perform the following:

  1. Scan the IP address 123.321.123.321.
  2. Scan TCP ports 20 through 443.
  3. Randomize the port scanning.
  4. Do not respond back to open ports.
  5. Delay each attempt by 31 seconds.
  6. Log the information to the console.

Although an IDS would log these attempts, do you think it would flag this type of activity? Probably not—the probes are randomized half-connection attempts, and there's a significant delay between each one. So how do you defend against this type of scanning?

Defend your network

Unfortunately, you only have two options for defending against low-and-slow attacks: Purchase expensive correlation tools, or eyeball the logs. If your budget won't allow for new tools, here are some tips for scrutinizing the logs:

  • Look for scans that are persistent, yet noninvasive.
  • Pay particular attention to TCP scans followed by UDP attempts.
  • If you see repeated attempts over a period of time to map out ports on your network, trace and verify the activity to its origin, and block it at your outer security boundary.
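The "eyeball the logs" tips above can be turned into a simple correlation check. This is an added example, not code from the article: it parses constructed iptables-style firewall log lines (the format and sample addresses are assumptions), groups connection attempts by source, and reports sources that touch many distinct ports over a long window with a large average gap between probes (persistent yet noninvasive), separately from burst scans an IDS would already flag, and notes when UDP attempts follow TCP probes from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the article): 203.0.113.7 probes a new port every 31 s,
# then switches to UDP; 198.51.100.77 hits five ports in four seconds; 192.0.2.9 tries once.
SAMPLE_LOG = """\
Jun 07 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=21 SYN
Jun 07 10:00:32 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=139 SYN
Jun 07 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=25 SYN
Jun 07 10:01:34 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443 SYN
Jun 07 10:02:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=UDP DPT=161
Jun 07 10:05:00 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=21 SYN
Jun 07 10:05:01 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=22 SYN
Jun 07 10:05:02 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=23 SYN
Jun 07 10:05:03 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=25 SYN
Jun 07 10:05:04 fw kernel: IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Jun 07 10:06:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=443 SYN
"""
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*SRC=(\S+) .*PROTO=(\w+) .*DPT=(\d+)")

def parse(log_text, year=2010):
    """Yield (timestamp, src, proto, dport) for each line the pattern recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def classify(log_text, min_ports=5, min_span=timedelta(minutes=2), slow_gap=10.0):
    """Per source: distinct ports, time span, verdict, and whether UDP followed TCP."""
    by_src = defaultdict(list)
    for ts, src, proto, dport in parse(log_text):
        by_src[src].append((ts, proto, dport))
    findings = {}
    for src, probes in by_src.items():
        probes.sort()
        ports = {(proto, dport) for _, proto, dport in probes}
        span = probes[-1][0] - probes[0][0]
        avg_gap = span.total_seconds() / max(len(probes) - 1, 1)
        first_tcp = next((i for i, p in enumerate(probes) if p[1] == "TCP"), None)
        # TCP probes followed by UDP attempts from the same source (the article's tip)
        tcp_then_udp = first_tcp is not None and any(
            p[1] == "UDP" for p in probes[first_tcp + 1:])
        if len(ports) < min_ports:
            verdict = None                      # too few ports to call it a scan
        elif span >= min_span and avg_gap >= slow_gap:
            verdict = "low-and-slow"            # persistent yet noninvasive
        else:
            verdict = "burst"                   # the kind an IDS already flags
        findings[src] = {"ports": len(ports), "span_s": span.total_seconds(),
                         "verdict": verdict, "tcp_then_udp": tcp_then_udp}
    return findings
```

On real logs, run this over a window of days rather than minutes, since a 31-second delay spreads a few hundred ports across hours; the thresholds are tunable assumptions, not values from the article.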

Final thoughts

The smartest attackers will always try to come in under your detection radar. Don't rely on automatic notifications to alert you to all the dangers to your organization's security. Read your logs, and draw your own conclusions as to what's going on with your network.

Let the automated systems find the script kiddies. Direct your focus on looking for that low-and-slow attempt to break into your network—and stop them dead in their tracks.

1 comment on "Defend your network from slow scanning"

Commented by Vinish Kumar, Support Executive, SBN TechnoLogics Pvt. Ltd. | 05 28 2009 07:07:32 +0000
Good one. Cheers !