
Abstract

Conventional network intrusion detection systems (NIDS) have heavyweight processing and memory requirements because they maintain per-flow state in data structures such as linked lists or trees. This is required for specialized jobs such as stateful packet inspection (SPI), where the network communications between entities are reassembled in their entirety so that application-level data can be inspected. The downside of this approach is that the NIDS must be positioned to see all inbound and outbound traffic of the protected network, and its per-flow state makes it a target: a distributed denial of service attack can overwhelm the NIDS itself, since most such attacks work by exhausting the available state of network entities. For some applications, such as port scan detection, the complete network traffic does not need to be reconstructed. We propose integrating a detector into every router so that detection becomes distributed. Since routers have limited memory and processing capability, conventional NIDS approaches do not work when a detector is integrated into them. We describe a method for detecting port scans using aggregation. A data structure called a partial completion filter (PCF), a variant of the counting Bloom filter, is used to reduce the per-flow state to a fixed number of counters.
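As an added illustration, and not code from the chapter (whose keying, hash functions, counter widths and thresholds are not reproduced here), the following Python shows how a partial completion filter reduces per-flow state to a fixed set of counters and why aggregation across routers matters. The filter is keyed on the connecting host, incremented on each SYN it sends and decremented when a SYN-ACK comes back, so the minimum counter across stages estimates that host's unanswered connection attempts. The sample traffic, the 3 x 1024 counter layout, the blake2b-based stage hashing and the threshold of 20 are all assumptions of this example.

```python
"""Partial-completion-filter (PCF) port-scan detector.

Added example, not the chapter's code.  A PCF is a counting-Bloom-filter
variant: k stages of m counters, each stage indexed by its own hash of a
key.  Memory is fixed at k*m counters however many flows pass by.  Hash
choice, stage count, width, threshold and traffic are all assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


class PartialCompletionFilter:
    def __init__(self, stages: int = 3, width: int = 1024):
        self.stages = stages
        self.width = width
        self.counters = [[0] * width for _ in range(stages)]

    def _index(self, stage: int, key: str) -> int:
        # One independent hash per stage, derived by salting with the stage number.
        digest = hashlib.blake2b(f"{stage}|{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.width

    def add(self, key: str, delta: int) -> None:
        for s in range(self.stages):
            self.counters[s][self._index(s, key)] += delta

    def estimate(self, key: str) -> int:
        # Provided every SYN-ACK matches a SYN the filter saw, collisions can
        # only add other keys' traffic to a counter, so the minimum over the
        # stages is the tightest estimate available (false positives, never
        # false negatives, as with a Bloom filter).
        return min(self.counters[s][self._index(s, key)] for s in range(self.stages))

    def merge(self, other: "PartialCompletionFilter") -> None:
        # Counters are linear: summing two filters with identical parameters
        # gives the filter of the combined traffic, so per-router filters can
        # be aggregated without exchanging any per-flow state.
        assert (self.stages, self.width) == (other.stages, other.width)
        for s in range(self.stages):
            for i in range(self.width):
                self.counters[s][i] += other.counters[s][i]


class ScanDetector:
    def __init__(self, threshold: int = 20, **pcf_kwargs):
        self.pcf = PartialCompletionFilter(**pcf_kwargs)
        self.threshold = threshold

    def observe(self, pkt: Packet) -> None:
        if pkt.syn and not pkt.ack:
            self.pcf.add(pkt.src, +1)   # connection attempt opened by pkt.src
        elif pkt.syn and pkt.ack:
            self.pcf.add(pkt.dst, -1)   # attempt by pkt.dst was answered

    def is_scanner(self, host: str) -> bool:
        return self.pcf.estimate(host) >= self.threshold


def constructed_traffic() -> list:
    """Constructed sample traffic for the example (not captured data)."""
    pkts, target = [], "198.51.100.5"
    # 10.0.0.9 probes 30 ports; only 22 and 25 are open and answer.
    for port in range(1, 31):
        pkts.append(Packet("10.0.0.9", target, port, syn=True, ack=False))
        if port in (22, 25):
            pkts.append(Packet(target, "10.0.0.9", port, syn=True, ack=True))
    # 10.0.0.2 is a normal client: five attempts, all answered.
    for port in (80, 443, 443, 22, 80):
        pkts.append(Packet("10.0.0.2", target, port, syn=True, ack=False))
        pkts.append(Packet(target, "10.0.0.2", port, syn=True, ack=True))
    return pkts


def single_router_demo(threshold: int = 20) -> dict:
    det = ScanDetector(threshold=threshold)
    for p in constructed_traffic():
        det.observe(p)
    return {h: (det.pcf.estimate(h), det.is_scanner(h))
            for h in ("10.0.0.9", "10.0.0.2")}


def two_router_demo(threshold: int = 20) -> dict:
    # Split the same traffic across two routers (alternate packets) so that
    # neither sees the complete SYN/SYN-ACK picture, then aggregate.
    routers = [ScanDetector(threshold=threshold) for _ in range(2)]
    for i, p in enumerate(constructed_traffic()):
        routers[i % 2].observe(p)
    local = [r.pcf.estimate("10.0.0.9") for r in routers]
    routers[0].pcf.merge(routers[1].pcf)
    return {"local": local, "aggregated": routers[0].pcf.estimate("10.0.0.9")}


if __name__ == "__main__":
    print(single_router_demo())
    print(two_router_demo())
```

In the single-router run the scanner ends with 28 unanswered attempts and the normal client with 0. In the two-router run each router alone sees 12 and 16, both under the threshold of 20, while the aggregate of 28 crosses it, which is the case for combining filters from several vantage points rather than trusting any one router's view. Two caveats a practitioner should keep in mind: a SYN-ACK whose SYN the filter never saw (asymmetric routing, filter start-up) drives a counter negative and weakens the minimum-over-stages bound, and a scan spread across many source addresses stays under any per-source threshold, so the choice of key is as important as the threshold.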




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Singh, H., Chun, R. (2010). Distributed Port Scan Detection. In: Stavroulakis, P., Stamp, M. (eds) Handbook of Information and Communication Security. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04117-4_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04117-4_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04116-7

  • Online ISBN: 978-3-642-04117-4

  • eBook Packages: Engineering (R0)
