Information for a Janet organization on scanning activity that may affect their network.

Within an organization’s own network scanning activity may be a legitimate form of audit or of information gathering; but it is almost never acceptable otherwise without the express permission of the managers of the target network.

• If you observe scanning of your own network from outside you are under attack, even though you may not have been singled out as the only target.
• If one of your own systems is scanning addresses anywhere else in Janet or in the Internet, that too is a form of network abuse, and once you notice (or Janet CSIRT tells you) you must ensure that it stops as soon as possible.

Patterns of scanning

Address range scans

The most common pattern is to attempt to connect to the same (TCP or UDP) port or the same small selection of ports at some or all of the IP addresses in some range.
One port, many addresses.

Port scans

In another pattern of scanning, the scanning system attempts to connect to many or all ports on one system at a time.
One address, many ports.

Sequence and speed

A very patient scanner might make connection attempts at a very low rate (one or two a day) from a range of different source addresses, and going through your address range in an apparently random order. To distinguish such a stealth scanning exercise from a collection of accidents with no bearing on the target network will inevitably take some time and is normally impracticable; it would be necessary to find some additional information linking the various packets.

Currently most address scans are much less discreet; a single source address sends packets to the whole of a /24 range in a few minutes or even a few seconds. NetFlow records, or relatively simple selection and sorting of log data, will identify the pattern in the same timescale (although still after the event). Addresses scanned may be in numerical order, and may start with the same /24 or larger range as that in which the source address falls.

It may be that this hasty pattern fits better the usual nature of the scanning system. It is most likely to be compromised, with the scanning being done by a worm or virus program on behalf of a remote unauthorised user who may only have the system available for a short time before its legitimate owner disconnects it or turns it off. The perpetrator has no need to conceal the identity of the computer which is the direct source of the scanning.

Purpose and impact

The abuse which gives rise to scanning is normally an attempt to take control of as many target systems as possible and to install malicious software which at the very least gives unintended access to the intruder or the intruding malware. It may result in the unauthorised transfer of sensitive data, inclusion in a botnet where hundreds of compromised targets are used for some nefarious purpose by a single controller, activity by the target system unintended by its owner, new scanning by the target system, and possibly damage to it.

Notionally the process has several phases:

• identifying a potential target,
• detecting that it is running and connected to the Internet,
• finding whether some particular service is available,
• finding whether the service is vulnerable to the particular method of entry which the scanning computer is attempting,
• and finally sending the data which will cause a target to cooperate in the abuse.

All except the last of these can be regarded as information gathering.

Most commonly all the phases are applied to each target at one time, so that within a few seconds the legitimate user has lost control of their machine. It may also happen that information is gathered in one pass and further processed to identify vulnerable systems or to prepare attacks specific to each of a smaller number of targets which will be revisited later and may then be taken over very quickly.

Response

Scanning directed at your network

If you depend heavily on Network Address Translation (NAT) and use only a few public addresses, the segment of an address range scan which directly affects you will be over before you or any automated system can spot what is going on.

If you have a large external address space and a system to alert you to attempted intrusions, and it has spotted a scanning pattern:

• it may be worth blocking traffic to and from the source address until you believe the scan will have moved out of your address space;
• you should look at any log or flow records you have, try to identify which of your addresses responded in some way to the scan (packets returned, larger flows) and consider checking them;
• you may report the event to Janet CSIRT.

Scanning originating in your network

If you become aware (perhaps because Janet CSIRT have alerted you) that one or more of your computers are scanning addresses outside your network, you MUST stop them as soon as practicable:

• identify the machines concerned using address translation logs (NAT gateway) and login records if necessary;
• remove them from the network if possible;
• make them safe before reconnecting them.

This is the same procedure as for a worm or virus in your network (described in