Port scanners determine the status of a port by analyzing the target system's responses to specific probe packets. The nature of these responses indicates whether a port is open, closed, or filtered. The interpretation varies between the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
TCP Port Scanning:
One of the most common techniques for TCP is the SYN scan, often referred to as a "half-open" scan. The process involves:
- Sending a SYN Packet: The scanner transmits a TCP packet with the SYN flag set to the target port, initiating a connection request.
- Analyzing Responses:
  - SYN-ACK Response: If the target port is open, it replies with a SYN-ACK packet, indicating readiness to establish a connection. The scanner typically responds by sending a RST (reset) packet to terminate the handshake before completion.
  - RST Response: If the port is closed, the target responds with a RST packet, indicating no service is listening on that port.
  - No Response or ICMP Error: If no response is received, or an ICMP unreachable error is returned, it suggests the port is filtered by a firewall or other network device, preventing the probe from reaching the port.
UDP Port Scanning:
UDP scanning is more challenging due to the connectionless nature of the protocol. The typical steps include:
- Sending a UDP Packet: The scanner sends a UDP packet to the target port.
- Analyzing Responses:
  - ICMP Port Unreachable Message: If the port is closed, the target often responds with an ICMP message indicating the port is unreachable.
  - No Response: An open port may not respond at all, making it difficult to distinguish between open and filtered ports. Some services might reply with a UDP packet, confirming the port is open.
- Rate Limiting: Many systems implement rate limiting for ICMP responses, which can slow down UDP scanning and lead to inaccurate results.
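The TCP and UDP decision rules above, written out as a small classifier that works on raw header bytes. This is an added example, not code from the original article or from any particular scanner: the tuple-based `response` shape and the helper names are assumptions, the sample headers are constructed, and the UDP branch goes slightly beyond the text by treating ICMP unreachable codes other than 3 (port unreachable) as filtered, which is the usual convention.

```python
import struct
from enum import Enum

class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"
    OPEN_FILTERED = "open|filtered"   # UDP only: silence is ambiguous

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_DEST_UNREACH = 3                 # ICMP type 3 (destination unreachable)
ICMP_PORT_UNREACH = 3                 # type 3 / code 3 (port unreachable)

def classify_syn_probe(response):
    """Interpret the reply to a TCP SYN probe.

    response is None (no reply before timeout) or (proto, header_bytes)
    with proto 'tcp' or 'icmp'. The TCP flag byte sits at offset 13 of the
    TCP header; ICMP type and code are bytes 0 and 1 of the ICMP header."""
    if response is None:
        return PortState.FILTERED
    proto, data = response
    if proto == "tcp":
        flags = data[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return PortState.OPEN      # half-open: scanner would answer with RST
        if flags & TCP_RST:
            return PortState.CLOSED    # nothing listening
    elif proto == "icmp" and data[0] == ICMP_DEST_UNREACH:
        return PortState.FILTERED      # probe was blocked on the way
    raise ValueError(f"unexpected reply to SYN probe: {proto} {data.hex()}")

def classify_udp_probe(response):
    """Interpret the reply to a UDP probe; proto may also be 'udp'."""
    if response is None:
        return PortState.OPEN_FILTERED  # open service stayed silent, or filtered
    proto, data = response
    if proto == "udp":
        return PortState.OPEN           # the service itself answered
    if proto == "icmp" and data[0] == ICMP_DEST_UNREACH:
        if data[1] == ICMP_PORT_UNREACH:
            return PortState.CLOSED
        return PortState.FILTERED       # host/net/admin-prohibited unreachable
    raise ValueError(f"unexpected reply to UDP probe: {proto} {data.hex()}")

# Constructed sample replies (not captured traffic): a minimal 20-byte TCP
# header and an 8-byte ICMP header, both with a zeroed checksum.
def tcp_header(flags):
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 65535, 0, 0)

def icmp_header(icmp_type, code):
    return struct.pack("!BBHI", icmp_type, code, 0, 0)
```

A scanner that retransmits UDP probes before accepting silence reduces, but does not remove, the open|filtered ambiguity, and ICMP rate limiting on the target stretches that wait further.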
Considerations:
- Accuracy: The reliability of scan results can be affected by network configurations, firewalls, and intrusion detection systems that may block or manipulate responses.
- Legal Implications: Conducting port scans without permission can be considered intrusive and may violate legal statutes or organizational policies. Always ensure you have authorization before performing such scans.
Understanding these response patterns enables network administrators and security professionals to assess the security posture of systems and identify potential vulnerabilities effectively.