Port Scanning
Glossary
12/15/2000; 1:24:26 PM

I tried to find a decent definition of port scanning on the web, but I can't find one to my satisfaction. They either resort to ill-advised metaphors or panicky ohmigoshHACKERS!-style definitions. So here's my take on it:

The "port" in "port scanning" refers to TCP/IP ports. The internet protocol that we all use defines about 60,000 "ports" on each computer, which a program can "listen" to in order to receive communication on the Internet. For instance, web servers typically listen on "port 80". There are some other accepted port numbers, but any program can listen on any port.

The reason these ports are necessary is that one computer can (and usually does) run multiple network services, so in order to use a specific service you have to be more specific than just the machine the service is running on. It's somewhat similar to telephone numbers, which have area codes and then more digits for the local connection. You can't just call "Area code 517"... you have to call a number in that area code. And so it is with ports... you can't say "Connect to irights.editthispage.com"... you need to connect on port 80.

You generally don't see this, because the standard ports are filled in for you. Windows file sharing always runs on the same ports. Web servers almost always run on port 80. If you ever see a URL that has a colon in it, followed by a number, that's telling the browser to connect to a different port. (You might see this in Radio Userland if you tell it to use a port other than 80, then look at your Live Outline or some other local file in the browser.) For example, http://irights.editthispage.com:80/ still connects to iRights. The browser would have connected on port 80 anyhow. http://irights.editthispage.com:7439/ doesn't work; there's no webserver on port 7439.

Thus, when someone runs a port scan, they are looking through the available ports to see if anything is listening on those ports. There are a lot of ways to do port scanning; you might scan all the ports on one computer (which takes a while), or you might scan for all computers in a certain address block to see if anything is running on port 80 (in other words, running a web server).

Further refinements and more sophisticated techniques allow port scanning programs (like nmap) to make educated guesses about what a computer is running, and what operating system the computer is running.

Port scanning programs are information gathering tools. Port scanners have gotten their undeserved bad reputation because that information is often used by a cracker to learn where the vulnerabilities of a computer are and to crack into them. This is typically done by using one of the sophisticated scanners to scan what software a system is running and then matching that against a list of software vulnerabilities.

Port scanners have a number of legitimate uses. I've used them to secure my own computers. Port scanners told me that I was still running services I thought I had disabled, so I was able to make sure I disabled them. Who knows what trouble that has saved me? Further, the very people who often tell you how evil port scanners are and try to scare you about them, the Internet service providers (esp. DSL, cable, and other "always on" services), often use them to make sure their customers are in compliance with the user agreements to not run servers. Putting aside the issue of hypocrisy, this goes to show that for network administrators and others who deal with networks, they are a tool, not the inherently evil thing many people think they are.

Practically speaking, if your computer is port scanned (which you can detect with a tool like Zone Alarm), it might be a preliminary to a cracker's attack. Then again, it might not be. While nearly all cracking attacks will start with a port scan, the vast majority of port scans are not the beginning of a crack attack. For the most part, it's not worth panicking over unless there's other evidence that something shady is afoot.
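To show what "detecting a port scan" actually looks like on the defender's side, here is a small added example (not part of the original entry, and not Zone Alarm's code): it reads a constructed firewall log and flags any source that touches many distinct ports on one host in a short window. The log format, the addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not Zone Alarm's real format):
# "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2000-12-15T13:20:01 10.0.0.5 192.168.1.2 80 ACCEPT
2000-12-15T13:20:02 10.0.0.5 192.168.1.2 80 ACCEPT
2000-12-15T13:24:00 203.0.113.9 192.168.1.2 21 DROP
2000-12-15T13:24:00 203.0.113.9 192.168.1.2 22 DROP
2000-12-15T13:24:01 203.0.113.9 192.168.1.2 23 DROP
2000-12-15T13:24:01 203.0.113.9 192.168.1.2 25 DROP
2000-12-15T13:24:02 203.0.113.9 192.168.1.2 80 ACCEPT
2000-12-15T13:24:02 203.0.113.9 192.168.1.2 110 DROP
2000-12-15T13:24:03 203.0.113.9 192.168.1.2 139 DROP
2000-12-15T13:24:03 203.0.113.9 192.168.1.2 443 DROP
2000-12-15T13:24:04 203.0.113.9 192.168.1.2 3306 DROP
2000-12-15T13:24:04 203.0.113.9 192.168.1.2 8080 DROP
2000-12-15T13:30:00 10.0.0.7 192.168.1.2 139 ACCEPT
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_scans(log_text, min_ports=8, window_seconds=60):
    """Return {src_ip: sorted distinct ports} for every source that touched
    at least min_ports distinct ports on one host within window_seconds.
    Thresholds are assumptions; tune them to the network's normal traffic."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_pair = defaultdict(list)  # (src, dst) -> [(ts, port), ...] in time order
    for ts, src, dst, port, _ in events:
        per_pair[(src, dst)].append((ts, port))
    flagged = defaultdict(set)
    for (src, dst), hits in per_pair.items():
        start = 0  # sliding window over this source's attempts against dst
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src].update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
```

The two hosts that only ever touch one port are not flagged, which is the point the paragraph makes: a single connection to a known port is normal traffic, while one source walking through many ports in a few seconds is the pattern worth looking at further.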

Many people liken port scanning to walking down the street seeing who has doors open, others liken it to trying the doors to see if they are locked, others to trying to go inside. Some liken it to private residences, others to public areas. I'm pretty sure I've seen one person or another espouse all six combinations of those ideas. The simplest answer to all of these metaphors is that they are all wrong. Port scanning is a little like each of those, but not enough to make it worth making the comparison. Resist the temptation to try to reduce this to a metaphor. Port scanning is a tool and it does no harm to scanned computers. The really important question is what the person doing the scanning does with that knowledge.