Abstract
Conventional network intrusion detection systems (NIDS) have heavyweight processing and memory requirements because they maintain per-flow state in data structures such as linked lists or trees. This state is required for specialized jobs such as stateful packet inspection (SPI), where the network communications between entities are recreated in their entirety so that application-level data can be inspected. The downside of this approach is that the NIDS must be positioned to see all inbound and outbound traffic of the protected network, and it can be overwhelmed by a distributed denial of service attack, since most such attacks try to exhaust the available state of network entities. For some applications, such as port scan detection, we do not need to reconstruct the complete network traffic. We propose integrating a detector into every router so that a more distributed detection approach can be achieved. Since routers are devices with limited memory and processing capabilities, conventional NIDS approaches do not work when a detector is integrated into them. We describe a method to detect port scans using aggregation. A data structure called a partial completion filter (PCF), a counting Bloom filter, is used to reduce the per-flow state.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Singh, H., Chun, R. (2010). Distributed Port Scan Detection. In: Stavroulakis, P., Stamp, M. (eds) Handbook of Information and Communication Security. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04117-4_12
DOI: https://doi.org/10.1007/978-3-642-04117-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04116-7
Online ISBN: 978-3-642-04117-4
eBook Packages: Engineering