Creative People: IT in Action Highlights
August 29, 2024

Happy New Year
January 2, 2025

As many of us know, a common first step for an external attacker performing target reconnaissance (the target here being our network as seen from the outside), in order to identify entry points and vulnerabilities, is the well-known port-scan.
A port-scan is, in simple terms, a process in which an outsider checks each and every port on the public-facing side of our network (usually the edge firewall or a DMZ host) to see whether it is open and what it serves. This is done with various specialized tools (nmap is a well-known one), which, with the proper configuration, can yield valuable results against some not-so-well-attended network targets.
Daily I can see in the firewall logs various attempts from multiple sources to connect to ports that are not common and where no one would expect a service to be active; this smells like a port-scan.
Such events have increased significantly since the pandemic, when remote working became the norm. A very common way for remote workers to connect to the office is via Remote Desktop services. Many admins (depending on the network equipment at hand) turned to the port-mapping approach, using non-standard high ports that map to individual PCs in the office. Attackers know that, so to find those precious RDP ports they turn to the port-scan technique. Most cases like this are fully automated: the attacker feeds his tools with target IP lists and lets them run until something useful comes up. It is like hunting with traps. While the port-scan is running, the firewall of the target network has to do work as well. Imagine someone coming to knock on your door, and you having to answer whether he may come in or not. Now take into account that you have 65535 ports. That is a lot of work!
So someone who is not so friendly should be stopped at a relatively early stage and discouraged from continuing his wrong-doing. Essentially, you would want to "blacklist" this source and, from that point onward, prevent any connections from or to this host. However, it is physically impossible to sit in front of your computer 24/7 just to monitor the connections and deduce which sources need to be blacklisted and which do not.
A very helpful and low-cost technique to blacklist such threat actors is to select some really uncommon ports (not the ones you run your services on) and add some monitoring rules that wait for connections to them. If someone tries to connect to those ports, then (s)he is your guy. Usually even a quite low-budget or open source firewall has the ability to tag such sources or add their IP addresses to a list that can be processed later by other firewall rules (e.g. if an IP is in this list, drop its packets). Those decoy or "honeypot" ports should be carefully selected, though, as we would not want to accidentally blacklist traffic that is actually needed.
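To make the decoy-port idea concrete, here is an added example (not code from the original post) that does the same job off-line: it reads firewall log lines in a generic "src=... dpt=..." style, tags every source that touched a decoy port, and produces a blacklist while honouring an allowlist of sources you never want blocked. The log lines, the service ports and the decoy ports are constructed for the example; a real firewall writes its own log format, so the regular expression would need adjusting.

```python
# Added example: tag sources that hit decoy ("honeypot") ports and build a blacklist.
import re
from collections import defaultdict

# Ports that real services listen on (assumed values for this example).
SERVICE_PORTS = {443, 3389}
# Decoy ports: uncommon, unused, and deliberately disjoint from SERVICE_PORTS,
# so that legitimate traffic can never trip the rule.
DECOY_PORTS = {1234, 31337, 60022}
assert DECOY_PORTS.isdisjoint(SERVICE_PORTS), "decoy ports must not collide with real services"

# Constructed firewall log lines (generic style, not any particular vendor's format).
LOG = """\
DROP src=203.0.113.7 dst=198.51.100.2 proto=TCP dpt=1234
ACCEPT src=192.0.2.10 dst=198.51.100.2 proto=TCP dpt=443
DROP src=203.0.113.7 dst=198.51.100.2 proto=TCP dpt=31337
DROP src=203.0.113.9 dst=198.51.100.2 proto=TCP dpt=60022
ACCEPT src=192.0.2.11 dst=198.51.100.2 proto=TCP dpt=3389
DROP src=203.0.113.9 dst=198.51.100.2 proto=TCP dpt=8080
"""
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) .*?dpt=(?P<dpt>\d+)")


def decoy_hits(log_text, decoy_ports=DECOY_PORTS):
    """Return {source_ip: set(decoy ports it touched)} for lines that hit a decoy port."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line not in the expected format; ignore it
        port = int(m.group("dpt"))
        if port in decoy_ports:
            hits[m.group("src")].add(port)
    return dict(hits)


def blocklist(log_text, allow_sources=frozenset(), decoy_ports=DECOY_PORTS):
    """Sorted sources to blacklist: touched a decoy port and are not explicitly allowed
    (e.g. your own vulnerability scanner), which guards against blocking wanted traffic."""
    return sorted(src for src in decoy_hits(log_text, decoy_ports) if src not in allow_sources)


if __name__ == "__main__":
    for src in blocklist(LOG):
        print(f"blacklist {src}")  # feed this into the firewall's block list or alias
```

On the constructed log above this blacklists 203.0.113.7 and 203.0.113.9, while the legitimate RDP and HTTPS clients are never touched.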
I hope this helps some of you, but rest assured there are many more monsters out there…
[Disclaimer: This article was not written with AI support, so excuse any grammatical errors]