Common Port-Based Attacks

How attackers exploit open ports and services, and how to defend against port-based attacks.

How Port Attacks Work

Every network service listens on a specific port. Attackers probe these ports to find running services, then exploit known vulnerabilities or weak configurations.

Port Scanning

The first step in most attacks is port scanning — systematically checking which ports are open on a target.

Common scan types:

  • TCP SYN scan — Sends SYN packets, watches for SYN-ACK (half-open scan)
  • TCP connect scan — Completes the full TCP handshake
  • UDP scan — Sends UDP packets, slower and less reliable

Commonly Attacked Ports

Port     Service      Common Attack
-------  -----------  ---------------------------------------
22       SSH          Brute-force password attacks
23       Telnet       Credential sniffing (unencrypted)
25       SMTP         Open relay spam
80/443   HTTP/HTTPS   Web application attacks (SQLi, XSS)
3306     MySQL        Unauthorized database access
3389     RDP          Brute-force, BlueKeep exploit
5432     PostgreSQL   Unauthorized database access
8080     HTTP Alt     Exposed admin panels

Attack Types

Brute-Force Attacks

Automated tools try thousands of username/password combinations against services like SSH and RDP. Tools like Hydra and Medusa can attempt hundreds of logins per minute.

Service Exploitation

Known vulnerabilities in specific service versions are exploited. For example, an unpatched Apache server might be vulnerable to remote code execution.

Attackers connect to open ports and read the service banner to identify software versions, then search for known vulnerabilities.

Defenses

  • Close unnecessary ports — Only expose services that need to be public
  • Use non-standard ports — Move SSH from 22 to a high port (security through obscurity, minor benefit)
  • Implement fail2ban — Automatically block IPs after repeated failed login attempts
  • Keep software updated — Patch known vulnerabilities promptly
  • Use key-based authentication — For SSH, disable password authentication entirely
  • Network segmentation — Don't expose database ports to the internet
  • Rate limiting — Throttle connection attempts to prevent brute-force
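The fail2ban defense above works by counting failed logins per source IP inside a sliding time window. The following is an added example (not fail2ban's own code, and not part of the original page) that applies the same maxretry/findtime idea to sshd auth log lines; the log lines are constructed sample data, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real data); format follows the
# classic syslog layout used by OpenSSH's sshd.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:04 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar 10 12:00:06 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:08 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar 10 12:00:09 host sshd[1006]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Mar 10 12:30:00 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40020 ssh2
"""

# Matches sshd "Failed password" lines for both valid and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every failed-password line.
    `year` is an assumption: syslog timestamps carry no year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_bruteforcers(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: failures_in_worst_window} for IPs that reach `maxretry`
    failures inside any `findtime` window (fail2ban's maxretry/findtime)."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most findtime.
            while t - times[start] > findtime:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= maxretry:
            offenders[ip] = worst
    return offenders


if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE_LOG))  # {'203.0.113.5': 4}
```

The second IP fails twice but thirty minutes apart, so it stays under the window threshold; widening `findtime` shows how the window size changes what gets flagged.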

See also