Port Scanning: Techniques and Defense
Understand how port scanning works and how to defend your network against reconnaissance attacks.
What Is Port Scanning?
Port scanning is a technique used to discover open ports and services on a network host. Tools like Nmap send packets to a range of port numbers and analyze the responses to determine which ports are open, closed, or filtered.
While port scanning is a legitimate tool for network administrators, it is also the first step in most cyberattacks. Attackers use port scans to identify potential entry points before launching exploits.
Common Scanning Techniques
- TCP Connect Scan — Completes the full three-way handshake. Reliable but easily logged
- SYN Scan (Half-Open) — Sends SYN, receives SYN-ACK, then sends RST. Faster and stealthier
- UDP Scan — Sends empty UDP packets. Slow because no response means "open|filtered"
- FIN/Xmas/Null Scans — Send unusual flag combinations to bypass simple firewalls
- ACK Scan — Maps firewall rules by testing which ports allow ACK packets through
Defending Against Port Scans
Firewall configuration is your first line of defense. Deny all inbound traffic by default and only allow ports you explicitly need:
# UFW example: deny all, allow SSH and HTTPS only
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Advanced Defenses
Port knocking requires a specific sequence of connection attempts before a port opens. IDS/IPS systems like Snort or Suricata can detect scan patterns and automatically block the source IP.
Rate limiting is also effective — tools like fail2ban can detect rapid connection attempts across multiple ports and temporarily ban the source address. Reducing your attack surface by disabling unnecessary services is the most fundamental defense.