IDS mailing list archives

Re: Port/Host Scanning Techniques


From: "James Fields" <jvfields () tds net>
Date: Thu, 26 Feb 2004 18:05:18 -0500

Well, let's define those first.  I understand "port scanning" to mean
querying multiple ports on a single target host, and "host scanning" to mean
querying multiple hosts on the same port (or pinging them, or whatever).

Most IDS products catch these by watching every single connection attempt
that goes by, and starting up a sort of state table.  There will be a time
limit within which the IDS will look for multiple attempts from the same
source IP address targeting a server on a bunch of port numbers, or a group
of servers on a single port.  The length of time over which an IDS sensor
has to watch and wait for a pattern to emerge is usually tunable, and can
greatly affect the performance due to the large amounts of memory and
processing power required to monitor so many connections.

----- Original Message -----
From: "Tarek Amr Abdullah" <tabdullah () salec com eg>
To: <focus-ids () securityfocus com>
Sent: Wednesday, February 25, 2004 2:37 AM
Subject: Port/Host Scanning Techniques




Hi there

Does anyone know the current techniques used in IDSs in order to detect
Host Scanning and Port Scanning? I think it is something related to
traffic / protocol anomaly. But does anyone know more details about the
implementation?

Thanks in advance




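The mechanism James describes, written out as an added example that is not part of the original thread and is not taken from any IDS product: a state table keyed on source IP, a tunable time window, a distinct-port threshold (port scan) and a distinct-host threshold (host scan), with old attempts evicted as they age out. The class and function names, the thresholds and the sample connection records are all constructed for illustration. The `SLOW_SCAN` sample also shows the tradeoff he points at: a longer window retains more state per source, and a scan paced slower than the window never accumulates enough attempts to trip the threshold.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Sliding-window scan detector keyed on source IP (illustrative, hypothetical)."""

    def __init__(self, window=60.0, port_threshold=10, host_threshold=10):
        self.window = window                  # seconds of history kept per source
        self.port_threshold = port_threshold  # distinct ports on one host => port scan
        self.host_threshold = host_threshold  # distinct hosts on one port => host scan
        self.state = defaultdict(deque)       # src -> deque[(ts, dst_ip, dst_port)], oldest first
        self.alerted = set()                  # (src, kind, target) already reported once

    def _evict(self, src, now):
        # Drop attempts older than the window; this is what bounds memory per source.
        q = self.state[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, ts, src, dst_ip, dst_port):
        """Record one connection attempt and return any alerts it triggers."""
        self._evict(src, ts)
        q = self.state[src]
        q.append((ts, dst_ip, dst_port))
        # Re-derive the two views of the window: ports per target host, hosts per port.
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, ip, port in q:
            ports_per_host[ip].add(port)
            hosts_per_port[port].add(ip)
        alerts = []
        for ip, ports in ports_per_host.items():
            key = (src, "portscan", ip)
            if len(ports) >= self.port_threshold and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"portscan {src} -> {ip} ({len(ports)} ports in {self.window:g}s)")
        for port, hosts in hosts_per_port.items():
            key = (src, "hostscan", port)
            if len(hosts) >= self.host_threshold and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"hostscan {src} -> port {port} ({len(hosts)} hosts in {self.window:g}s)")
        return alerts

    def tracked_attempts(self):
        """Total attempts currently held in state; grows with the window length."""
        return sum(len(q) for q in self.state.values())


def run(records, **kw):
    """Feed (ts, src, dst_ip, dst_port) records through a fresh detector."""
    det = ScanDetector(**kw)
    alerts = []
    for ts, src, dst_ip, dst_port in records:
        alerts.extend(det.observe(ts, src, dst_ip, dst_port))
    return alerts, det.tracked_attempts()


# Constructed sample traffic (not captured data): (timestamp_seconds, src, dst_ip, dst_port)
PORT_SCAN = [(t, "10.0.0.5", "192.168.1.10", 20 + t) for t in range(12)]        # 12 ports, 1/s
HOST_SWEEP = [(t, "10.0.0.6", f"192.168.1.{100 + t}", 22) for t in range(12)]   # 12 hosts on :22
BENIGN = [(t, "10.0.0.7", "192.168.1.10", p) for t, p in enumerate((80, 443, 22))]
SLOW_SCAN = [(t * 30, "10.0.0.8", "192.168.1.10", 20 + t) for t in range(12)]   # one port per 30s

if __name__ == "__main__":
    for name, recs in (("PORT_SCAN", PORT_SCAN), ("HOST_SWEEP", HOST_SWEEP),
                       ("BENIGN", BENIGN), ("SLOW_SCAN", SLOW_SCAN)):
        alerts, held = run(recs)
        print(f"{name}: {alerts or 'no alert'}; {held} attempts still in state")
    print("SLOW_SCAN, 600s window:", run(SLOW_SCAN, window=600))
```

With the default 60-second window the slow source never has more than three attempts in state at once, so it is never reported; raising the window to 600 seconds catches it, but every source on the wire now has up to ten times as much history retained, which is the memory and CPU cost James mentions. Note also that this version rescans the whole per-source deque on every attempt; a production sensor would keep the distinct-port and distinct-host counts incrementally.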