
Considerations for Port Scanning

When planning to do port scanning of any network, keep in mind that this activity is very network intensive. Scanning tens of thousands of ports in a short amount of time puts a lot of traffic on the network. If your scanning machine is very fast and it is scanning on an older 10Mbps network, this can significantly affect the network's performance. Over the Internet it is less of an issue, because the scan will be limited by the size of the connections in between; however, you could still degrade the performance of a busy Web server or mail server. In extreme cases, you might even take machines down.

When using these tools in any fashion, always make sure you have the permission of the owner of the hosts you are scanning. The legality of port scanning is a gray area (you are not actually breaking in, just performing network interrogation). However, your boss might not care about the fine points if you take the corporate network down. And before you decide to go out and scan a few of your favorite Web sites just for fun, keep in mind that your ISP may have something in your Internet terms of service contract prohibiting this kind of activity. Web site operators routinely file abuse complaints against the ISPs of repeat offenders. So unless you want to get fired or have your ISP connection terminated, get written permission from either your superior (when doing it for a company) or your client/volunteer (when doing it against a third party's network). Appendix D has a standard letter agreement for getting permission from an intended scan target that is a good starting point to cover your bases legally.

Even when you have permission, you should consider what the effect of scanning will be on the target network. If it is a heavily used network, you should do your scans at night or during low-usage periods. Some scanners have the ability to throttle back the rate at which they throw packets onto the network so that the scan doesn't affect the network as much. This means your scan will take longer but will be much more network friendly.

Certain devices, such as firewalls and some routers, are now smart enough to recognize port scans for what they are. Iptables can be configured to do this using the multiport option and setting the priority flag. Such machines can respond to a port scan by slowing down their rate of response with each successive poll, so that eventually your scan could stretch on indefinitely. Sometimes you can trick the machine on the other end by randomizing the order in which the ports are scanned or by stretching out your ping rate. Some devices will fall for this, but others won't. You just have to experiment to find out what works.
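The detection and slow-down behaviour described above, as an added example that is not from the book or from iptables itself: a small Python detector that flags a source hitting many distinct ports within a short window, plus the escalating reply delay a scan-aware device applies to successive polls. The log format, IP addresses, window, threshold and delay values are all constructed for the example.

```python
# Added example (not from the book): port-scan detection over constructed
# firewall log lines, and an escalating per-poll delay for flagged sources.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one connection attempt per line:
# "<timestamp> <src_ip> -> <dst_port>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 -> 22
2024-01-01T10:00:00 203.0.113.5 -> 23
2024-01-01T10:00:01 203.0.113.5 -> 25
2024-01-01T10:00:01 203.0.113.5 -> 80
2024-01-01T10:00:02 203.0.113.5 -> 443
2024-01-01T10:00:02 203.0.113.5 -> 8080
2024-01-01T10:00:03 198.51.100.7 -> 443
2024-01-01T10:00:05 198.51.100.7 -> 443
2024-01-01T10:02:30 203.0.113.5 -> 3306
"""

def parse_line(line):
    ts, src, _, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def detect_scanners(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {src_ip: distinct_port_count} for every source that touched at
    least `threshold` distinct ports inside some sliding `window`.
    A host repeatedly hitting one port (a normal client) is not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged

def response_delay(poll_number, base=0.5, cap=30.0):
    """Seconds to wait before answering the Nth poll from a flagged source:
    the delay doubles with each successive poll, up to a cap, which is the
    slow-down behaviour the text describes (constructed values)."""
    return min(base * (2 ** poll_number), cap)
```

On the sample log, only 203.0.113.5 is flagged (six distinct ports in two seconds); the repeated hits on a single port from 198.51.100.7 are ignored.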
