1. Field of the Invention
The present invention is related generally to a data processing system and in particular to a method and apparatus for data processing system security. More particularly, the present invention is directed to a computer implemented method, apparatus, and computer usable program code for blocking a port scanner using fake source Internet protocol addresses.
2. Description of the Related Art
A user on a computing device, such as a client, connected to a network can execute an application or other service available on a different computing device, such as a server, by connecting to a port on the server associated with the application or service. A port is an endpoint to a logical connection between a client and a server in a network. Ports are typically identified by a port number. Each application available on the server is associated with a different port number.
In other words, a port is like a door or gateway to a particular application on a computer. Like a door, a port may be open or closed. An open port on a server is a port associated with an application that is currently available on the server for use by one or more client computers. A closed port is a port that is not associated with an application or service that is available on the server. A hacker typically cannot access a computer through a closed port.
A computing device can access a particular application on a server by specifying the port number associated with the particular application. However, sometimes unauthorized or malicious users may want to access an application or service on the server for purposes of launching an attack on the server. These users are typically referred to as hackers or computer crackers. The server that is attacked by a hacker may be referred to as an intended victim.
Hackers generally do not know what applications or services are available on the intended victim. Therefore, the hacker may perform a port scan. A port scan is a method for systematically scanning a computer's ports to determine which ports are open ports associated with an available application or service and which ports are closed ports. In port scanning, a series of messages is sent requesting a connection with each well-known port. The response received from the intended victim indicates whether the well-known port is an open port or a closed port. Port scanning is used by hackers to locate open access points to a computer which may be vulnerable to an attack.
Once a vulnerable open port is located, a hacker can launch an attack that may render the resources of the application associated with the attacked open port unavailable to intended users of the application. This type of attack is sometimes referred to as a denial-of-service (DOS) attack.
One solution to this problem is provided by port scan protection software. Current port scan protection software identifies the source Internet protocol (IP) address in a connection request that may be part of a port scan. The port scan protection software then blocks that source IP address. In other words, the port scan protection software does not allow any additional messages from that source IP address to be received. This can prevent subsequent attacks by a hacker using the same source IP address.
However, hackers have circumvented current port scan protection software by using fake source IP addresses during port scans to locate open ports. When the port scan protection software recognizes that a port scan may be taking place, it blocks the fake IP address identified in the port scan messages. However, current port scan protection software does not block the hacker's actual IP address. Thus, the hacker remains free to launch attacks on any open ports using the hacker's actual IP address, which is not blocked by the port scan protection software. These attacks may lead to denial-of-service (DOS) effects on users attempting to gain legitimate access to applications and/or services provided by the intended victim. In addition, these attacks can lead to loss of time, data, and revenue while the applications and/or services are unavailable.
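The detection-and-block behavior described above, as an added illustration that is not part of the patent text: a minimal source-IP port scan detector run over a constructed connection-attempt log. The threshold, window, log format and addresses (RFC 5737 documentation ranges) are assumptions chosen for the example; the comment on the block list states the limitation the text describes, namely that the list can only hold the source address carried in the scan messages.

```python
from collections import defaultdict

# Constructed connection-attempt log: (timestamp_seconds, source_ip, dest_port).
# Addresses are RFC 5737 documentation ranges, not real hosts.
CONNECTION_LOG = [
    (0.0, "198.51.100.7", 22),
    (0.2, "198.51.100.7", 80),
    (0.4, "198.51.100.7", 443),
    (0.6, "198.51.100.7", 25),
    (0.8, "198.51.100.7", 3306),
    (1.0, "198.51.100.7", 8080),
    (1.5, "203.0.113.9", 443),   # ordinary client using one service
    (30.0, "203.0.113.9", 80),   # same client, much later, a second service
]

SCAN_PORT_THRESHOLD = 5     # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 10.0  # ... within this many seconds counts as a scan


def detect_scanners(log, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return the set of source IPs blocked as port scanners.

    A source is blocked once it has contacted `threshold` distinct ports within
    a sliding `window` of seconds. Events older than the window are discarded.
    Note the key is the source IP in the message header: if a scan carries a
    fake source address, that fake address is what ends up in this set.
    """
    recent = defaultdict(list)  # source_ip -> [(timestamp, port), ...]
    blocked = set()
    for ts, src, port in log:
        if src in blocked:
            continue  # already blocked: further messages are dropped
        events = [(t, p) for t, p in recent[src] if ts - t <= window]
        events.append((ts, port))
        recent[src] = events
        if len({p for _, p in events}) >= threshold:
            blocked.add(src)
    return blocked


def is_allowed(src_ip, blocked):
    """Admission check a front end would apply to each new connection request."""
    return src_ip not in blocked


if __name__ == "__main__":
    blocked = detect_scanners(CONNECTION_LOG)
    print("blocked:", sorted(blocked))  # ['198.51.100.7']
```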