#1
Crypto Algorithm Question - Port Scan Detector
Hi there,
I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I am using the C language, running under a UNIX environment. I have written code which is able to read all packets arriving on the device and extract the necessary information such as source & destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan. I have some questions regarding this:
1) How can I know if a port being scanned is "open" or not? Is there a certain function in C that checks that? (If the port is closed and someone sends a packet/request to that port, doesn't it imply that it's an attack??)
2) Also, when I receive the packets and I want to do real-time/live detection, I have to store the packets in some way in order to use them later for the detection: how can I do this?
Can anybody provide some info regarding this? I really need some help as I do not know how to proceed from this current point! Thanks
#2
Hi,
Have you looked at Snort? It does what you're attempting to do.

A port scan actually checks multiple ports on a host system to see if any are in an "open" or "listening" state. Depending on how sophisticated the attacker is, and more importantly, how patient they are, a scan could take several hours, in order to try and evade time-detection techniques.

I suggest you research a little more about stateful packet inspection and TCP/IP. It is clearly documented what responses you should expect from a "normal" TCP/IP host in various states, then you can work from there. The big one is the handling of SYN/ACK/RST packets. This is how a port scanner will determine if a port is open, closed, or listening. A stealth port does NOT respond AT ALL. Some systems that claim to have stealthed ports actually send back RST packets to the connecting host, to close the connection, but these ports are not stealthed. The mere act of sending a RST packet tells the connecting host that something exists.

One thing you need to do is intercept packets before the OS gets them. Quite how you'd do this, I'm not sure, but one method could be to write custom drivers for the hardware and do it that way. That way you're between the OS and the hardware. You'd need to set up a packet sniffer on the same network segment to see exactly what packets are flying around for what request. This will also help you to write your application.

Best regards,
AstroTux.
#3
The details of how to do it depend a fair amount on the OS. "Unix" is actually not specific enough: HP-UX vs AIX etc. Then there are all the Linuxes.
The key is to get below the kernel, talk to the raw hardware, turn on promiscuous mode, and record everything. There are a fair number of open source tools in this space. Check them out if it's allowed by the rules of your project. And, as I'm sure you know, if you scan ports on most commercial servers, it will really piss off the sysadmins. Do not do it! Also check out Kismet, which does packet sniffing for WiFi; very interesting to run.
#4
On a side note, look for KUbuntu Linux; it is a security-orientated Linux distro with all manner of "toys". Don't use it on ANY live networks though, public or otherwise! Strictly for the comfort of your own LAN. You could possibly face some serious jail time if it is misused.

Potential law-breaking activities include:
* illegal wire-tapping
* illegal interception of communications
* breaking of encryption (very serious!)
* hacking of networks
* DoS attacks resulting in prosecution for interruption of a legitimate business, loss of profits etc.
* possible spying/industrial espionage charges if you hit the wrong systems

That's just for starters...

Best regards,
AstroTux.
Dev Shed Forums > System Administration > Security and Cryptography > Crypto Algorithm Question - Port Scan Detector