Effective Detecting Method of Nmap Idle Scan


Journal of JAITC, Vol. 9, No. 1, pp.1-10, Jul. 31, 2019
http://dx.doi.org/10.14801/JAITC.2019.9.1.1

Jungsik Hwang1, Minsoo Kim2*
1Interdisciplinary Program of Information & Protection Graduate School, Mokpo National University
2Dept. of Information Security, Mokpo National University
[email protected], https://orcid.org/0000-0003-2782-1514, [email protected], https://orcid.org/0000-0001-7056-1952
*(Corresponding Author)

Abstract

In recent years, attackers' information gathering through stealth port scanning has become more sophisticated. The most commonly used port scanner, Nmap, supports a variety of stealth scanning technologies along with the existing scanning techniques. Nmap also supports the Idle scan, which is different from conventional stealth scans. It is a more sophisticated stealth scan technique that applies the SYN scan and ACK scan techniques. Previous studies detected Idle scanning on the zombie system, not on the victim system. In this paper, we propose an effective method for detecting the Idle scan on the victim system. Idle scanning is composed of two stages: probing the zombie and victim systems, and scanning the victim system. We analyzed the characteristics of the two stages. The characteristics we captured are that the SYN and RST packets differ from normal packets. We applied them to a detection method, and Idle scanning was detected effectively.

Keywords: Nmap, Idle scan, port scanner, probe, zombie PC

1. Introduction

A cyberattack usually starts with vulnerability scanning. Accordingly, vulnerability scanning methods have been developed. Scanned objects are diversified into OS, network and service. After an attacker has gathered various information through the scanning, he attacks using that information.
According to the InfoSec Report provided by SANS [1] from 2016 to 2018, port scanning attacks on services have increased. The graph in Figure 1 represents the number of scans for the service port numbers provided on the network. Port scan techniques have been developed in various ways, and many tools for such attacks have also been developed. Typical attack tools are the Nmap port scanner and the McAfee-developed SuperScan scanner. These tools not only provide a common connection scan to detect open ports, but also provide stealth scan techniques to avoid logging on victim systems. Many countermeasures against such stealth scan techniques have been proposed.

Received: Dec. 10, 2018 Revised: Jan. 24, 2019 Accepted: Jan. 27, 2019
pISSN 2234-3072/eISSN 2234-0963 Copyright ⓒ KIIT

Figure 1. SANS InfoSec report (PortScan)

Among the stealth scans, the FIN scan, NULL scan, XMAS scan and ACK scan use wrong TCP flags. They are detected by checking the TCP flags in the TCP connection. In addition, the Idle scan [2] provided by Nmap performs a SYN port scan attack using a zombie PC. The victim system recognizes the zombie PC as the attacker and responds to it. Even if the victim detects and blocks the zombie PC, the attacker can create new attack opportunities using another zombie PC. Patel [3] proposed a detection method for the Idle scan, but there is a high possibility of false positives due to the network environment between the zombie PC and the victim.

In this paper, we propose an effective detection method for the Idle scan. To do this, we analyze the scanning process and packets of the Nmap Idle scan. The Nmap Idle scan is composed of two stages: probing and scanning. We found the characteristics of the SYN/ACK packets in the probing stage and of the RST packets that the zombie PC sends in response to the scanning. Therefore, we propose a detection method for the Nmap Idle scan that compares SYN/ACK and RST packets with the characteristics that we found.

2. Related Work

A port scan is an attack that detects an open port on a particular system using a specific program or technique. Port scan attacks in Nmap have two basic operating principles: Positive scan and Negative scan [4]. A Positive scan uses packets that are answered by the open ports of the system; these are the SYN scan, ACK scan, Idle scan, Ping scan and Connect scan. A Negative scan uses packets that are answered by the closed ports of the system; these are the FIN scan, NULL scan and XMAS scan.

2.1 Port scan tools

There are a variety of tools that support port scans. Nmap and SuperScan support stealth scans and normal port scans.

2.1.1 Nmap

Nmap is a scanning tool that has been under study since September 1997 [5]. The functions of Nmap are host detection, TCP/UDP port scanning, and OS (Operating System) detection. Nmap uses ping responses to detect hosts connected to the network. The port scan of Nmap lists the open ports and services of target computers. Nmap detects the OS version using the responses that differ for each OS and network device.

2.1.2 SuperScan

SuperScan is offered by McAfee. SuperScan 3.0 and 4.0 can scan TCP and UDP ports like Nmap. In addition, they can check the services using the ports and execute user queries. SuperScan 4.0 additionally supports the SYN scan.

2.2 Stealth Scan Detection

The stealth scan [6] includes the SYN, ACK, FIN, NULL, XMAS, and Idle scans. These techniques are characterized by not leaving log information on the victim system during the scanning process, so hackers often use the stealth scan to avoid leaving traces.
Efficient Port Scan Detection Rules (EPSDR) [7] shows a method to detect SYN, FIN, NULL, and XMAS scans through the flag values of the TCP packet header. EPSDR uses Snort to realize the method: to detect these scans, it proposes Snort rules that check the TCP flags of the TCP packet header. EPSDR detects a scanning attack as a SYN scan when Reserved bit 1, 2, and the SYN flag are set. Likewise, EPSDR detects it as a FIN scan when the FIN flag is set and the session is not established, as a NULL scan when no TCP flags are set, and as an XMAS scan when the FIN, PSH, and URG flags are set.

Patel [3] proposed a method to detect the Idle scan using Snort. The method checks for an increasing IPid value, which is a characteristic of the Idle scan. He explained that the IPid value of the RST packet, which is the response packet from the zombie PC, increased by 2 during an Idle scan. He collected RST packets from the zombie PC and compared their IPid values with each other to detect the Idle scan. However, if there are several sessions in the network, the IPid value of the RST packet can be changed by another session. This means that there is a possibility of false alarms.

3. Analysis of Nmap Idle Scan Principle

Nmap crafts its packets manually to perform a stealth scan, so Nmap packets have different characteristics from normal packets. The Nmap Idle scan includes features of the SYN and ACK scans.

3.1 Characteristics of SYN Scan

Figure 2 shows the SYN scanning process. The SYN scan uses a half-open connection to the target system [8]. In a normal connection, the SYN packet is transmitted using the connect system call. In step 3 in Figure 2, the packet is transmitted with a raw socket made by Nmap instead of the system call. When raw sockets are used, the attacker does not leave any information in its own local TCP/IP stack [9]. Therefore, the attacker system judges that the SYN/ACK packet returned from the victim system is an unauthorized TCP handshake, as in steps 5 to 6. Because of this process, the system, instead of Nmap, sends an RST packet back to the victim system.

Figure 2. SYN scanning process

Table 1 shows the packet characteristics of the SYN scan supported by Nmap. The characteristics of the SYN scan packet are as follows: the length of the TCP header is 24 bytes, and the window size is set to 1024 to 4096 in most cases. The TTL has a random value in the range of 37 to 59, and the TCP option value is fixed to \x02\x04\x05\xb4. The source port of SYN scan packets is a random number, and the destination port is an important service port of the target.

Table 1. Nmap SYN scan packet features (SYN packet)

Packet option    Explanation
TCP length       24 Bytes
Window size      1024 ~ 4096 Bytes
TTL              37 ~ 59
Source port      Random number
Option           \x02\x04\x05\xb4
Time interval    One packet in 0.01 seconds

3.2 Characteristics of ACK Scan

Figure 3 shows the ACK scanning process. The attacker sends an ACK packet to the victim system, and the victim regards the ACK packet as an inappropriate response. This is because there is no connection information for the attacker system in the victim system's local TCP/IP stack.

Figure 3. ACK scanning process

3.3 Characteristics of Idle Scan

The Idle scan is a stealth port scan using a zombie PC. The zombie PC used for the Idle scan is a system that is rarely used or is already occupied by an attacker. The Idle scan can hide the position of the attacker by keeping the zombie PC in the middle. Therefore, no information about the attacker remains in the victim system after scanning [2].
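
The SYN packet features listed in Table 1 can be checked directly against packet headers seen at the victim. The following Python is an added example, not code from the paper: it parses IPv4/TCP headers and reports sources whose SYN packets match every Table 1 feature at about the stated packet rate. The sample packets are constructed, and the min_ports and max_mean_gap thresholds are assumptions of this example; during an Idle scan the reported source is the zombie's address, since that is the address the victim sees.

```python
import struct

# Table 1 values from the paper (Nmap SYN scan packet features).
TCP_LEN = 24                         # TCP header length in bytes
WINDOW = (1024, 4096)                # window size range
TTL = (37, 59)                       # TTL range
OPTION = b"\x02\x04\x05\xb4"         # fixed TCP option bytes (MSS option, value 1460)
INTERVAL = 0.01                      # one packet in 0.01 seconds
SYN = 0x02


def parse_ipv4_tcp(pkt):
    """Extract the header fields Table 1 uses; None if not a complete IPv4/TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, _, _, off_flags, window = struct.unpack_from("!HHIIHH", pkt, ihl)
    tcp_len = (off_flags >> 12) * 4
    if tcp_len < 20 or len(pkt) < ihl + tcp_len:
        return None                  # truncated or malformed TCP header
    return {"src": ".".join(map(str, pkt[12:16])), "ttl": pkt[8],
            "sport": sport, "dport": dport, "flags": off_flags & 0x3F,
            "window": window, "tcp_len": tcp_len,
            "options": pkt[ihl + 20:ihl + tcp_len]}


def table1_matches(f):
    """Return the names of the Table 1 features this parsed packet satisfies."""
    checks = {
        "tcp_len": f["tcp_len"] == TCP_LEN,
        "window": WINDOW[0] <= f["window"] <= WINDOW[1],
        "ttl": TTL[0] <= f["ttl"] <= TTL[1],
        "option": f["options"] == OPTION,
    }
    return [name for name, ok in checks.items() if ok]


def detect(capture, min_ports=3, max_mean_gap=2 * INTERVAL):
    """Map source address -> probed ports for sources sending Table 1 SYNs at scan rate.

    min_ports and max_mean_gap are thresholds assumed for this example.
    """
    by_src = {}
    for ts, pkt in capture:
        f = parse_ipv4_tcp(pkt)
        if f and f["flags"] == SYN and len(table1_matches(f)) == 4:
            by_src.setdefault(f["src"], []).append((ts, f["dport"]))
    alerts = {}
    for src, hits in by_src.items():
        ports = sorted({port for _, port in hits})
        times = sorted(ts for ts, _ in hits)
        if len(ports) < min_ports or len(times) < 2:
            continue
        if (times[-1] - times[0]) / (len(times) - 1) <= max_mean_gap:
            alerts[src] = ports
    return alerts


def build(src, ttl, dport, window, options, sport=40000, flags=SYN):
    """Construct a sample IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      ((tcp_len // 4) << 12) | flags, window, 0, 0)
    return ip + tcp + options


# Constructed sample capture: (timestamp in seconds, raw packet bytes).
# FULL_OPTS imitates an ordinary client SYN: MSS, SACK-permitted, timestamps, NOP, window scale.
FULL_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07"
SAMPLE = [(0.01 * i, build("192.0.2.10", 45, port, 1024, OPTION))
          for i, port in enumerate([21, 22, 23, 80, 443])]
SAMPLE += [(0.5, build("192.0.2.77", 64, 443, 64240, FULL_OPTS)),
           (0.9, build("192.0.2.77", 64, 443, 64240, FULL_OPTS))]

if __name__ == "__main__":
    for src, ports in detect(SAMPLE).items():
        print(f"SYN packets matching Table 1 from {src}: ports {ports}")
```

A single matching field is weak evidence on its own, which is why the example requires all four header features together with the packet rate before reporting a source.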