Principle and detection of network scanning in Ethernet

The principle of network scanning and the main existing scanning methods are analyzed, and a network trap machine (a decoy host) is designed to detect scanning activity within a network segment.

Keywords: network scanning; network scanning detection; trap machine

By scanning a host, a network scanner discovers the services currently available on it and the ports it has open. This helps a network administrator find security vulnerabilities and notice the listening backdoors left behind by Trojan horses, worms and similar malware that endanger system security. Some scanners also bundle simple password checking, using a custom password generator (a dictionary of candidate passwords) to detect passwords that are too simple to be secure.

Network scanning generally has two stages: (1) sweep the whole address range once to find the active hosts (many subnets are sparsely populated, so most IP addresses are unused); (2) port-scan each active host exhaustively.

Network scanning is also the basis of network intrusion: a successful intrusion starts with a thorough scan. The attacker uses the scan to gather information about the target host and chooses the attack method according to the results. Monitoring and identifying scans in time therefore gives early warning of attacks. Because the scanner must receive the replies to its probes in order to learn anything about the target, the source address of scan packets is usually the attacker's real address, so monitoring scans can also help locate the attacker (the exception is the covert scan that disguises its source address, discussed in section 3.2).

1 Network scanning principle

A network scanner probes the services on the target host's TCP/IP ports and records the responses. In this way it collects information about many target hosts (for example whether anonymous login is allowed, whether there is a writable FTP directory, whether Telnet is enabled). The information obtained about the target's TCP/IP ports and the network services behind them is then matched against the vulnerability library of the network vulnerability scanner; if a rule's conditions are met, the corresponding vulnerability is assumed to exist.

For the matching itself, network vulnerability scanners generally use rule-based matching. From security experts' analysis of network system vulnerabilities and hacker attack cases, together with system administrators' practical experience of security configuration, a standard system vulnerability library is built; matching rules are derived from it, and the program then analyses scan results for vulnerabilities automatically. For example, if a scan of TCP port 80 finds /cgi-bin/phf or /cgi-bin/Count.cgi, then, based on expert experience and the fact that CGI programs are shared and standardized, it can be inferred that the WWW service has these two CGI vulnerabilities.
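The rule-based matching described above, as an added example (not code from the paper or from any real scanner): a small rule engine in which each rule is a list of conditions on the scan result (an open port, a probe fact such as a CGI path found, a banner regex), and a vulnerability is inferred only when every condition holds. The scan result and the rule library are constructed for illustration and are not a real vulnerability database.

```python
import re

# Constructed scan result for one target host (illustrative, not real data).
SCAN_RESULT = {
    "host": "192.0.2.10",
    "open_ports": {21, 23, 80},
    "banners": {21: "220 FTP server ready", 23: "login:", 80: "Server: Apache"},
    # facts established by follow-up probes (anonymous login attempt, CGI requests)
    "facts": {
        "ftp.anonymous_login",
        "ftp.writable_dir:/incoming",
        "cgi:/cgi-bin/phf",
        "cgi:/cgi-bin/Count.cgi",
    },
}

# Illustrative rule library.  A rule fires when every condition holds.
# Condition kinds: ("port", n) port n is open; ("fact", f) probe fact f present;
# ("fact_prefix", p) some fact starts with p; ("banner", port, regex).
RULES = [
    {"name": "phf CGI present on WWW service",
     "all": [("port", 80), ("fact", "cgi:/cgi-bin/phf")]},
    {"name": "Count.cgi present on WWW service",
     "all": [("port", 80), ("fact", "cgi:/cgi-bin/Count.cgi")]},
    {"name": "anonymous FTP with writable directory",
     "all": [("port", 21), ("fact", "ftp.anonymous_login"),
             ("fact_prefix", "ftp.writable_dir:")]},
    {"name": "cleartext Telnet login exposed",
     "all": [("port", 23), ("banner", 23, r"login:")]},
]


def condition_holds(cond, result):
    kind = cond[0]
    if kind == "port":
        return cond[1] in result["open_ports"]
    if kind == "fact":
        return cond[1] in result["facts"]
    if kind == "fact_prefix":
        return any(f.startswith(cond[1]) for f in result["facts"])
    if kind == "banner":
        return re.search(cond[2], result["banners"].get(cond[1], "")) is not None
    raise ValueError(f"unknown condition kind {kind!r}")


def match_rules(result, rules=RULES):
    """Names of all rules whose conditions are all satisfied by `result`, in rule order."""
    return [r["name"] for r in rules
            if all(condition_holds(c, result) for c in r["all"])]


def without_port(result, port):
    """Copy of `result` with one port closed (its banner removed too)."""
    copy = {k: (set(v) if isinstance(v, set) else dict(v) if isinstance(v, dict) else v)
            for k, v in result.items()}
    copy["open_ports"].discard(port)
    copy["banners"].pop(port, None)
    return copy


if __name__ == "__main__":
    for name in match_rules(SCAN_RESULT):
        print("inferred:", name)
```

Requiring the port condition as well as the CGI fact is deliberate: a stale fact about a path is not evidence of a vulnerability unless the WWW service is actually reachable, which is why closing port 80 in the copy makes both CGI rules stop firing.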

1.1 Online host detection

To avoid pointless scans of unused addresses, the scanner generally checks whether a host is online before scanning it. The principle is the same as the familiar ping command: an ICMP echo request is sent to the target host, and the presence or absence of a reply shows whether the host is up. An online host running TCP/IP answers such a request unless ICMP has been filtered. This method not only detects whether the host is online but also gives a rough guess of the target operating system from the TTL value of the ICMP reply (TTL is the time-to-live field in the IP header, and different systems start it at different values), which provides a basis for the next stage of scanning. Where ICMP is filtered, TCP itself can be used instead. RFC 793 specifies how TCP responds to unsolicited segments; the responses depend on two TCP states, CLOSED and LISTEN.

RFC 793 requires the following behaviour when a port is in the CLOSED state: (1) any incoming segment that contains the RST flag is discarded; (2) any incoming segment that does not contain RST (a SYN, FIN or ACK, for example) causes a RST to be sent in reply.

When a port is in the LISTEN state the rules are: (1) any incoming segment that contains RST is ignored; (2) any incoming segment that contains ACK causes a RST in reply.

If the SYN bit is set and the incoming segment is not acceptable (for instance its security or precedence values do not match), a RST is sent in reply; if the segment is acceptable, a SYN|ACK is sent in reply.

Because an unsolicited ACK draws a RST from a port whether it is closed or listening, sending two ACK probes (the second allows for packet loss) to any port of the target verifies that the host is online even when ICMP echo requests are blocked.

1.2 Port status detection

Send a SYN segment to a port on the host and wait for the reply. If the port is open, the reply is SYN|ACK; if it is closed, the reply is RST|ACK. Because the three-way handshake is never completed, this is called a half-open scan. NMAP (Network Mapper), for example, sends a SYN to the host during port state detection: a closed port answers with RST, which tells NMAP the port is closed, while an open port answers with SYN|ACK, and as soon as NMAP sees the SYN|ACK it sends a RST itself to tear the half-open connection down. Normally the target does not log this, because no connection was ever established, but NMAP already knows whether the port is open or closed.

If the scanned host is protected by a firewall, the firewall may filter out the SYN probe, so that the sender gets no reply at all. In that case one can send probes with the FIN, PSH and URG flags set in the TCP header (FIN indicates that the sender has finished sending, PSH that the receiver should deliver the segment to the application layer as soon as possible, and URG that the urgent pointer is valid), because some poorly configured firewalls let such segments through while blocking SYN.

1.3 Operating system detection

Every operating system, and even every kernel revision, has slight differences in its TCP/IP stack that directly affect how it responds to particular packets. NMAP, for example, keeps a list of known responses, compares the responses it receives with the entries in the list, and identifies the operating system running on the probed host when they match. When carrying out an intrusion it is very important to know the type of operating system, because the attacker can then determine exactly which vulnerabilities apply and what the system's weaknesses are.

2 Main scanning technology

2.1 TCP connect scan

This is the most basic form of TCP scan. The connect() system call provided by the operating system is used to connect to each port of interest on the target. If the port is listening, connect() succeeds; otherwise the port is unreachable, that is, no service is provided there. The advantages of the technique are that it is fast and that it needs no special privileges: any user on the system may use the call. Its disadvantage is that it is easy to detect and easy to filter. The target's log files show a series of connections opened and then immediately closed, often with service error messages, which makes the scan conspicuous and easy to block.
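The connect() scan above and the trace it leaves, as an added example (not code from the paper): an unprivileged connect_ex() loop is run against a constructed throwaway TCP service on 127.0.0.1, which records the peer of every accepted connection the way a target's log would. The class name, the helper for finding a closed port and the loopback target are all assumptions made for the example; only connect_ex() and its 0-on-success convention come from the standard socket API.

```python
import socket
import threading


class ConstructedTarget:
    """A throwaway TCP service on 127.0.0.1 standing in for the scanned host.
    It records the peer address of every accepted connection, which is what
    the target's log would show after a connect() scan."""

    def __init__(self):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))        # ephemeral port chosen by the kernel
        self.srv.listen(16)
        self.srv.settimeout(0.05)              # lets the serving loop poll the stop flag
        self.port = self.srv.getsockname()[1]
        self.log = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _accept_one(self):
        conn, peer = self.srv.accept()
        self.log.append(peer[0])               # the "connected, then closed at once" entry
        conn.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                self._accept_one()
            except socket.timeout:
                continue
        self.srv.setblocking(False)            # drain connections still in the backlog
        while True:
            try:
                self._accept_one()
            except OSError:
                break
        self.srv.close()

    def stop(self):
        self._stop.set()
        self._thread.join()


def closed_tcp_port():
    """A port that is (almost certainly) closed: bind an ephemeral one and release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: a port is open iff the full three-way handshake completes.
    Needs no privileges; connect_ex() returns 0 on success, else an errno value."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


if __name__ == "__main__":
    target = ConstructedTarget()
    probe = [target.port, closed_tcp_port()]
    print("open:", connect_scan("127.0.0.1", probe))
    target.stop()
    print("target log:", target.log)          # the scanner's address was recorded
```

The point of keeping the target's log in the example is the disadvantage the paragraph names: every open port the scanner finds is an accept() on the target, so the scanner's real address ends up in the service's records.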

2.2 TCP SYN scan

TCP SYN scanning is a half-open scan: the scanner does not complete a full TCP connection. It sends a SYN segment; a RST in reply means the port is not listening, while a SYN/ACK means it is, in which case the scanner must send a RST to abort the handshake. The advantage of this technique is that it generally leaves no record on the target, since the connection is never established and most services log only completed connections (a packet-level monitor can still see the probes). Its drawback is that administrator (raw-socket) privileges are needed to construct the SYN packets by hand, although this condition is usually easily satisfied.

2.3 TCP FIN scanning

SYN scans are sometimes not covert enough: firewalls and packet filters watch certain designated ports and detect them. FIN segments, on the other hand, may pass unhindered. The idea behind this method is that a closed port answers a FIN with a RST, whereas an open port ignores the FIN (as RFC 793 specifies). The method is implementation dependent, however: some systems reply with RST whether the port is open or not, and the scan then gives no information about port state. This difference in behaviour does make the method useful for telling Unix from NT systems.
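The RFC 793 response rules of section 1.1 and what the SYN, ACK, FIN and Xmas probes of sections 1.2, 2.2 and 2.3 learn from them, as one added example (not code from the paper and not sending any packets): a model of how a CLOSED or LISTEN port answers an unsolicited segment, and the scanner-side inference for each probe type. The rfc_compliant=False switch is an assumption used to model the stacks the paper mentions that answer a FIN to an open port with RST anyway; filtered=True models a packet filter dropping the probe.

```python
CLOSED, LISTEN = "CLOSED", "LISTEN"

# Probe types and the TCP flags each one carries.
PROBES = {
    "SYN": {"SYN"},
    "ACK": {"ACK"},
    "FIN": {"FIN"},
    "NULL": set(),
    "XMAS": {"FIN", "PSH", "URG"},
}


def stack_response(state, flags, rfc_compliant=True, filtered=False):
    """Flags of the reply a port in `state` sends to an unsolicited segment
    carrying `flags`; None means no reply at all.

    rfc_compliant=False models a stack that answers FIN/NULL/XMAS probes to
    a listening port with RST (assumption for illustration, not a vendor
    specification).  filtered=True models a packet filter dropping the probe."""
    if filtered:
        return None
    flags = set(flags)
    if "RST" in flags:
        return None                        # RST is silently discarded in any state
    if state == CLOSED:
        return "RST"                       # CLOSED: anything without RST draws a RST
    if "ACK" in flags:
        return "RST"                       # LISTEN: an ACK is never expected, RST
    if "SYN" in flags:
        return "SYN|ACK"                   # LISTEN: acceptable SYN, SYN|ACK
    return None if rfc_compliant else "RST"   # LISTEN: FIN/NULL/XMAS dropped per RFC 793


def infer(probe, reply):
    """What a scanner concludes from `reply` to a probe of the given type."""
    if probe == "SYN":
        return {"SYN|ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if probe == "ACK":
        # ACK ping: a RST from any port, open or closed, proves the host is up.
        return "host up" if reply == "RST" else "filtered or down"
    # FIN/NULL/XMAS: a RST means closed; silence is open or filtered.
    return "closed" if reply == "RST" else "open|filtered"


def probe_port(probe, state, **stack_kwargs):
    return infer(probe, stack_response(state, PROBES[probe], **stack_kwargs))


def scan_matrix(**stack_kwargs):
    """Inference table for every probe type against a CLOSED and a LISTEN port."""
    return {(p, s): probe_port(p, s, **stack_kwargs)
            for p in PROBES for s in (CLOSED, LISTEN)}


if __name__ == "__main__":
    for stack in ({"rfc_compliant": True}, {"rfc_compliant": False}):
        print(stack)
        for (p, s), verdict in scan_matrix(**stack).items():
            print(f"  {p:4s} probe vs {s:6s} -> {verdict}")
```

Printing both matrices shows the two practical points of the text in one table: the ACK probe reports "host up" for both port states, which is why it works as a liveness check when ICMP is blocked, and on the non-compliant stack the FIN probe reports "closed" for the listening port, which is why a FIN scan is only trustworthy once the operating system is known.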

2.4 IP segment scanning

IP fragment scanning does not send the TCP probe as a single packet but splits it into two (or more) small IP fragments, so that the TCP header is spread across several packets. A packet filter that examines each fragment on its own never sees the complete header, which makes the probe hard to detect. Care is needed, however, because some systems and filters simply discard such small fragments.

2.5 TCP reverse ident scan

The ident protocol (RFC 1413) makes it possible to learn the user name of the owner of any process that holds a TCP connection. For example, the scanner can connect to the HTTP port and then ask identd on the server which user owns that connection, revealing whether the server is running with administrator (root) privileges. The method only works after a complete TCP connection has been established with the target port.

2.6 FTP proxy indirect scanning

The FTP protocol supports proxy (third-party) FTP connections. An attacker establishes a control connection from the source host to the FTP server's server-PI (protocol interpreter) and then asks the server-PI to activate a server-DTP (data transfer process) that sends data to another host. With this proxy feature the attacker can scan the TCP ports of hosts reachable from the FTP server: by connecting to an FTP server located inside the firewall, the attacker bounces the scan off it and reaches ports that the firewall would block from outside. The advantages of the method are that it is hard to trace and passes through the firewall; its disadvantage is that it is very slow.
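The control-channel exchange of the FTP bounce scan, as an added example (not code from the paper): the client side encodes the target in a PORT command, issues a LIST so that the server-DTP tries to open the data connection, and reads the port state off the reply code; the server side is a constructed stand-in for a proxy-FTP server's command interpreter, not a real FTP implementation. The strict flag is an assumption that models the common mitigation of refusing a PORT whose address is not the control connection's own peer. The addresses and reply texts are constructed.

```python
def port_argument(ip, port):
    """Encode ip:port as the h1,h2,h3,h4,p1,p2 argument of the FTP PORT command."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def bounce_probe(send, target_ip, target_port):
    """Probe target_ip:target_port through an FTP server.

    `send(command)` returns the server's first reply line.  PORT points the
    server-DTP at the target; LIST makes the DTP open the data connection.
    150 (or 125/226) means the connection succeeded, so the port is open;
    a 425/426 data-connection failure means it was refused, so it is closed."""
    reply = send("PORT " + port_argument(target_ip, target_port))
    if not reply.startswith("200"):
        return "server refused PORT: " + reply
    reply = send("LIST")
    if reply[:3] in ("150", "125", "226"):
        return "open"
    if reply[:3] in ("425", "426"):
        return "closed"
    return "unknown: " + reply


def constructed_ftp_server(open_ports, client_ip, strict=False):
    """Stand-in for a proxy-FTP server's control channel (not a real server).

    open_ports: target ports the server can reach on the data side.
    strict=True models the mitigation of refusing a PORT whose address is not
    the control connection's own peer, so the server cannot be used as a
    bounce point (assumption for illustration)."""
    state = {"ip": None, "port": None}

    def send(cmd):
        verb, _, arg = cmd.partition(" ")
        if verb == "PORT":
            parts = arg.split(",")
            if len(parts) != 6 or not all(p.isdigit() for p in parts):
                return "501 Syntax error in parameters."
            ip = ".".join(parts[:4])
            if strict and ip != client_ip:
                return "500 Illegal PORT command."
            state["ip"], state["port"] = ip, int(parts[4]) * 256 + int(parts[5])
            return "200 PORT command successful."
        if verb == "LIST":
            if state["port"] is None:
                return "425 Use PORT or PASV first."
            if state["port"] in open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "500 Unknown command."

    return send


if __name__ == "__main__":
    # Attacker at 198.51.100.7 bounces off an internal FTP server to reach
    # 192.0.2.10 behind the firewall (all addresses constructed).
    server = constructed_ftp_server({22, 80}, client_ip="198.51.100.7")
    for p in (22, 25, 80):
        print(p, bounce_probe(server, "192.0.2.10", p))
    hardened = constructed_ftp_server({22, 80}, client_ip="198.51.100.7", strict=True)
    print("hardened:", bounce_probe(hardened, "192.0.2.10", 80))
```

Each probed port costs a PORT and a LIST round trip on the control channel plus the server's own data-connection timeout, which is the slowness the paragraph mentions; the strict server shows why the technique fails against servers that tie PORT to the control connection's peer.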

2.7 UDP unreachable scan

This method differs from the previous ones in that it uses UDP. UDP carries no acknowledgments: an open port does not acknowledge a probe, and a closed port sends no error of its own. However, most hosts return an ICMP port unreachable (ICMP_PORT_UNREACH) error when a datagram is sent to a UDP port that is not open, and from this the attacker can determine which ports are closed. Neither the UDP probe nor the ICMP error is guaranteed to arrive, so a probe that appears to have been lost must be retransmitted. Hosts also limit the rate at which they generate ICMP error messages, so this scanning method is very slow.

Non-root users cannot read the ICMP error messages directly, but Linux reports them indirectly: on a connected UDP socket a second write() to a closed port fails, and when recvfrom() is called on a non-blocking UDP socket it returns EAGAIN (try again) if no ICMP error has arrived yet and ECONNREFUSED (connection refused) once one has.
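The unprivileged UDP probe described above, as an added example (not code from the paper): a connected UDP socket is used so that the kernel associates the ICMP port unreachable with the socket and surfaces it as ECONNREFUSED from send() or recv(); silence after retries is reported as open|filtered. The constructed targets are a released ephemeral port on 127.0.0.1 (closed) and a UDP socket that never replies (open but silent); the function names are assumptions made for the example.

```python
import socket


def free_udp_port():
    """A UDP port that is (almost certainly) closed: bind an ephemeral one, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def open_udp_listener():
    """A UDP socket bound on 127.0.0.1 that never replies (a silent open service)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def udp_probe(host, port, timeout=0.5, retries=2):
    """Classify one UDP port without privileges.

    The socket is connect()ed so the kernel ties the ICMP port unreachable to
    it and reports it through send()/recv() as ECONNREFUSED.  Silence means
    open or filtered; the probe is retried because both the datagram and the
    ICMP error may be lost."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(b"\x00")          # a later send() fails once the error is pending
                s.recv(512)
                return "open"            # the service actually answered
            except ConnectionRefusedError:
                return "closed"          # ICMP port unreachable delivered to the socket
            except socket.timeout:
                continue                 # no answer and no error yet: retransmit
    return "open|filtered"


def udp_scan(host, ports, **kwargs):
    return {port: udp_probe(host, port, **kwargs) for port in ports}


if __name__ == "__main__":
    listener, open_port = open_udp_listener()
    try:
        print(udp_scan("127.0.0.1", [open_port, free_udp_port()], timeout=0.3))
    finally:
        listener.close()
```

The retry loop is what makes the scan slow in practice: an open or filtered port can only be reported after every retry has timed out, and a host that rate-limits its ICMP errors turns closed ports into apparent timeouts as well.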

3 Implementation of network scanning detection

A network scan first has to sweep the whole network to find the active hosts (many subnets are sparsely populated, so most IP addresses are unused) and then port-scans each active host exhaustively. A network trap machine can therefore be designed to detect scanning. The principle and the implementation are as follows.

The trap machine is given several virtual IP addresses adjacent to the addresses of the hosts that need protecting, and it runs the same services on the same open ports as those hosts. It is attached to a SPAN (mirror) port of the switch or router, so that it can collect all the traffic flowing through the network.

3.1 Packet filtering

The main purpose of packet filtering is data reduction. To avoid losing packets, the filter does only simple matching on header fields (IP addresses, TCP/IP port numbers, TCP flags and so on), discards the packets it does not care about, keeps only the header of the rest, and stores the result in a designated database. The volume of packet data after filtering is greatly reduced. The rule grammar is illustrated by the following example:

In the rule "{12,4} == {16,4} 20", {12,4} denotes the 4 bytes starting at byte offset 12 (the source IP address in the IP header) and {16,4} the 4 bytes starting at offset 16 (the destination IP address); if the two are equal, the first 20 bytes of the packet are kept and the rest is discarded. Rules in this grammar are simple and their conditions are essentially byte comparisons, so a computer can evaluate them quickly and efficiently.
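The rule grammar as illustrated by "{12,4} == {16,4} 20", as an added example (not code from the paper, whose own BNF is not reproduced here): a parser for rules of the form field op field keep, and an evaluator that runs them over raw packet bytes and keeps only the leading bytes of matching packets. The "!=" operator and the literal right-hand side (so that "{9,1} == 6 20" keeps the first 20 bytes of TCP packets) are assumptions added to the grammar for the example; the sample IPv4 packets are constructed with a zero checksum.

```python
import re
import socket
import struct

# Grammar, generalized from the paper's example "{12,4} == {16,4} 20":
#   rule  := field op (field | literal) keep
#   field := "{" offset "," length "}"   (byte offset and length within the packet)
#   op    := "==" | "!="                  ("!=" and the literal form are assumptions)
#   keep  := number of leading bytes to keep when the rule matches
RULE_RE = re.compile(
    r"^\{(\d+),(\d+)\}\s*(==|!=)\s*(?:\{(\d+),(\d+)\}|(0x[0-9A-Fa-f]+|\d+))\s+(\d+)$"
)


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule {text!r}")
    left = (int(m.group(1)), int(m.group(2)))
    op = m.group(3)
    if m.group(4) is not None:
        right = (int(m.group(4)), int(m.group(5)))
    else:
        lit = m.group(6)
        right = int(lit, 16) if lit.lower().startswith("0x") else int(lit)
    return left, op, right, int(m.group(7))


def _field_value(pkt, off, length):
    if off + length > len(pkt):
        return None                          # field beyond the packet: rule cannot match
    return int.from_bytes(pkt[off:off + length], "big")


def apply_rule(rule, pkt):
    """Return the truncated packet if the rule matches, else None (discard)."""
    left, op, right, keep = rule
    lhs = _field_value(pkt, *left)
    rhs = _field_value(pkt, *right) if isinstance(right, tuple) else right
    if lhs is None or rhs is None:
        return None
    matched = (lhs == rhs) if op == "==" else (lhs != rhs)
    return bytes(pkt[:keep]) if matched else None


def filter_packets(rule_texts, packets):
    """Apply the rules in order; the first matching rule decides what is kept."""
    rules = [parse_rule(t) for t in rule_texts]
    kept = []
    for pkt in packets:
        for rule in rules:
            out = apply_rule(rule, pkt)
            if out is not None:
                kept.append(out)
                break
    return kept


def ipv4_packet(src, dst, proto, payload=b""):
    """Constructed IPv4 header (no options) plus payload; checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


if __name__ == "__main__":
    # Constructed samples: a packet whose source equals its destination, and a normal one.
    pkts = [ipv4_packet("192.0.2.10", "192.0.2.10", 6, b"\x00" * 20),
            ipv4_packet("198.51.100.7", "192.0.2.10", 6, b"\x00" * 20)]
    for out in filter_packets(["{12,4} == {16,4} 20"], pkts):
        print(out.hex())
```

Note the bounds check in _field_value: a rule that references bytes beyond the end of a short packet must fail to match rather than read past the buffer, which is the one place a filter this simple can go wrong on hostile input.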

3.2 Network scanning detection

The inspection program analyses the designated database file. When the number of connection requests recorded from one source address exceeds a threshold, the user of that address is considered possibly to be scanning the network, and the address is reported to the executive program. The executive program then confirms the scan by analysing all records for the suspicious address within a certain period; if, for example, the suspicious address is found to have attempted connections to an exhaustive range of ports on other hosts, the user of that address is judged to be performing a network scan.

However, a covert scan is likely to disguise its source IP address, and its probes may be spread out in time, so it may escape the method above.

The purpose of a network scan is to find the active hosts on the network and then their vulnerabilities, so the key protected hosts, with the most services and open ports, are the scanner's main targets. The detection program analyses the database file and compares the connection requests made to a protected host with those made to the trap machine's adjacent IP addresses. If the unusual connections to both within a certain period are similar, the host at that address is considered possibly under scan and the address is reported to the executive program, which analyses all records for the suspicious host's address over the period; if an exhaustive port connection pattern is found, the host is judged to be being scanned.
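The two detection stages of this section, as one added example (not code from the paper): a per-source request count over a sliding time window feeds a second stage that looks for exhaustive port coverage of a single host, and a trap stage compares the ports a source touched on the protected host with those it touched on the decoy address. The records, addresses, thresholds and the 0.5 overlap ratio are constructed assumptions; the rule that any contact with the decoy is suspicious on its own (a decoy has no legitimate clients) is the example's own design choice, added because it is what catches the slow, single-probe scanner that the request-count stage misses.

```python
from collections import defaultdict

PROTECTED = "192.0.2.10"
TRAP = "192.0.2.11"          # decoy address adjacent to the protected host (constructed)


def constructed_records():
    """Connection records (time, src, dst, dport) as the packet filter would store them."""
    recs, t = [], 0.0
    for port in range(1, 31):                     # scanner sweeping both hosts
        recs.append((t, "198.51.100.7", PROTECTED, port)); t += 0.01
        recs.append((t, "198.51.100.7", TRAP, port));      t += 0.01
    for _ in range(5):                            # legitimate web client
        recs.append((t, "203.0.113.5", PROTECTED, 80)); t += 1.0
    recs.append((t, "203.0.113.9", TRAP, 22))     # slow probe touching only the decoy
    return recs


def detect_scans(records, window=60.0, request_threshold=10, port_threshold=20):
    """Return {src: [reasons]} for sources judged to be scanning."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        by_src[src].append((ts, dst, dport))
    verdicts = defaultdict(list)
    for src, conns in by_src.items():
        conns.sort()
        # Stage 1 (inspection program): more than request_threshold requests
        # from one source inside any window-long period.
        suspicious, j = False, 0
        for i in range(len(conns)):
            while conns[j][0] < conns[i][0] - window:
                j += 1
            if i - j + 1 > request_threshold:
                suspicious = True
                break
        # Stage 2 (executive program): exhaustive port coverage of one host.
        if suspicious:
            ports_by_dst = defaultdict(set)
            for _, dst, dport in conns:
                ports_by_dst[dst].add(dport)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    verdicts[src].append(f"exhaustive port scan of {dst} ({len(ports)} ports)")
        # Trap stage: requests to the decoy that resemble those to the protected host.
        prot = {p for _, d, p in conns if d == PROTECTED}
        trap = {p for _, d, p in conns if d == TRAP}
        if trap:
            if prot and len(prot & trap) / len(prot | trap) >= 0.5:
                verdicts[src].append("same ports probed on protected host and decoy")
            else:
                verdicts[src].append("contacted decoy address (no legitimate reason)")
    return dict(verdicts)


if __name__ == "__main__":
    for src, reasons in detect_scans(constructed_records()).items():
        print(src, "->", "; ".join(reasons))
```

The request-count stage is what the paper's covert-scan caveat is about: the slow prober makes a single request and never crosses the threshold, and only the decoy stage flags it. A spoofed source address defeats the per-source grouping entirely, which the example does not attempt to solve.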

4 Conclusion

Network scanning is a double-edged sword. By scanning, network administrators can find the vulnerabilities in their hosts and close the gaps, making the network safer and more reliable. As scanning technology has developed, however, and hackers have taken it up, scanning has also become an activity that endangers network security. Only by monitoring network scanning effectively can the network be protected and its benefits fully realised.


1 Fyodor. Remote OS Detection via TCP/IP Stack Fingerprinting. 1998

2 Guo X B, Qian D P, Liu M, et al. Detection and Protection Against Network Scanning: IEDP. ICCNMC 2001, 2001

3 Postel J. Transmission Control Protocol. RFC 793, 1981

4 St. Johns M. Identification Protocol. RFC 1413, 1993

5 Northcutt S, translated by Lin Qi. Characteristics and Analysis of Intrusion Detection. Beijing: China Electric Power Press, 2002

6 Liu Min, Guo Xiaobing. Monitoring system for network scanning. Computer Engineering, 2002; 28 (7)

7 Zhu Yanhui, Huang Jialin. Automatic Monitoring of Network Scanning. Computer Application, 2000; 20 (7)

8 Li Suke. Scanner principle and anti-scanning measures. Network Security Technology and Application, 2001; (3)
