A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets, which are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form.
Computing devices that provide data and resources, such as servers attached to a network, provide this data and these computing resources to clients through the use of network ports associated with the servers. A network port is a logical connection to the server that is associated with a particular source of data or with a particular service provided by the server. For example, port 80 is a well known port for the Transmission Control Protocol (TCP), and is typically used to provide a hypertext transfer protocol (HTTP) connection to a client requesting an HTTP connection with the server. As such, any HTTP connection request initiated between any client and the server will attempt to establish the communications connection using port 80 on the server. Many other well known ports are used to provide similar services, such as domain name resolution (port 43), Simple Mail Transfer Protocol (SMTP) electronic mail transfer (port 25), Post Office Protocol (POP3) electronic mail retrieval service (port 110), and Dynamic Host Configuration Protocol (DHCP) service (port 547), among others. Port numbers may range between 0 and 65536 under the TCP communications protocol, where well known ports associated with standard networking services use ports 0 to 1024.
This use of ports on servers to provide access to data and other resources enables any client attached to a network to determine whether a particular server provides a particular service by simply attempting to establish a session with the server over the corresponding well known port. More specifically, the client transmits a service request to the network address for the server and specifies the particular port of interest. If the server provides the service associated with the specified port, the server establishes a connection between the server and the client. If the server does not provide the service associated with the particular port of interest, the server does not establish the connection. When the connection is not established, the server either may transmit a reset message to the client indicating that the particular port of interest is not open or may not transmit any response at all. If there is an intermediate firewall, the firewall may block messages depending upon the configuration settings for the firewall at the particular port of interest.
Consequently, clients may issue service requests to all well known ports of a server to identify all of the services provided by the server. This process is generally referred to as “port scanning.” Unfortunately, port scanning is utilized by some unscrupulous clients to identify servers that are vulnerable to attack through an open port. Because of this use of port scanning, servers may attempt to identify when a port scan is occurring, identify the source, e.g., network address, of the client performing the port scan, and block further scanning if the client is believed to be unscrupulous. Port scanning activities generally fall into two categories. A first type of port scanning, referred to as a “connect scan-type,” is the easiest to detect and prevent. In the connect scan-type of port scan, a client initiates and ultimately establishes a full connection with the server for each service provided by the server. As a result, the network address for the client is provided to the server, thereby providing the server with the identity of the client performing the scan. Therefore, many well-known procedures exist for detecting and hindering clients from attacking a server using the connect scan-type port scan.
A second type of port scan, typically referred to as a “half open” scan or a “stealth” scan, may also be used. In a stealth scan, a port scanning client initiates but does not complete the establishment of a connection for each of the services. As with the connect-type port scan, the port scanning client receives a response from the server when an open port is found; however, the port scanning client does not complete the message exchange necessary to fully establish the connection. Because of this fact, the unscrupulous client may transmit a large number of messages initiating establishment of a connection, where each of these messages possesses a different network address. The server will respond to each of these TCP request messages, but only one such response actually reaches the unscrupulous client. Consequently, the server possesses no information with which to distinguish the actual request from the unscrupulous client from all of the other decoy service requests. As such, a server may realize that a stealth port scan is occurring while not being able to identify the client, or its IP address, that is initiating the port scan. The server may be unable to prevent the stealth port scan without rejecting service requests from legitimate clients. As a result, many servers providing data and related services to clients remain vulnerable to potential attack by unscrupulous clients through successful use of a stealth port scan.
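The following added example, which is not part of the original text and describes no particular product, models the server-side view of the two scan types described above and runs a simple detector over it. It shows the three possible answers to a connection request on a port (SYN-ACK for open, RST for closed, silence when a firewall drops the probe), how a connect scan is attributable because the scanning address completes handshakes, and why a half open scan sent under several decoy addresses leaves the detector with a set of equally suspicious sources rather than one. All addresses, the set of open and filtered ports, the probed port list and the detection threshold are constructed for the example; the server model is a hypothetical listener, not a real TCP stack. Note that current IANA assignments place DNS on port 53 and IPv4 DHCP on ports 67 and 68.

```python
from collections import defaultdict

# Constructed server model: ports the hypothetical server listens on, and
# ports an intermediate firewall drops without answering.
OPEN_PORTS = {22, 25, 80, 110, 443}
FILTERED_PORTS = {23}


def server_response(port, open_ports=OPEN_PORTS, filtered_ports=FILTERED_PORTS):
    """Answer to a connection request (SYN) on `port`: 'SYN-ACK' for an open
    port, 'RST' for a closed port, None when a firewall silently drops it."""
    if port in filtered_ports:
        return None
    return "SYN-ACK" if port in open_ports else "RST"


# A captured segment, as observed at the server:
#   (client_ip, server_port, flags, direction)  direction is 'in' or 'out'.

def connect_scan_capture(src, ports):
    """Server-side record of a connect scan from one address: the client
    completes the handshake (final ACK) on every port that answered SYN-ACK,
    so its address is tied to each established connection."""
    segs = []
    for port in ports:
        segs.append((src, port, "SYN", "in"))
        resp = server_response(port)
        if resp is not None:
            segs.append((src, port, resp, "out"))
        if resp == "SYN-ACK":
            segs.append((src, port, "ACK", "in"))
    return segs


def half_open_scan_capture(sources, ports):
    """Server-side record of a half open scan sent under several addresses
    (one real client plus decoys): each address appears to send a SYN per
    port, the server answers each, and no address ever sends the final ACK."""
    segs = []
    for port in ports:
        for src in sources:
            segs.append((src, port, "SYN", "in"))
            resp = server_response(port)
            if resp is not None:
                segs.append((src, port, resp, "out"))
    return segs


def detect_scans(segments, port_threshold=3):
    """Classify sources in a capture.

    Returns (connect_scanners, half_open_scanners, stats). A source is a
    connect scanner when it fully establishes connections to at least
    `port_threshold` distinct ports; it is a half open scanner when at least
    that many distinct ports answered it with SYN-ACK but never saw its ACK.
    The threshold is a constructed tuning value."""
    probed = defaultdict(set)     # src -> ports it sent a SYN to
    syn_acked = defaultdict(set)  # src -> ports the server answered with SYN-ACK
    completed = defaultdict(set)  # src -> ports on which the client sent the ACK
    for src, port, flags, direction in segments:
        if direction == "in" and flags == "SYN":
            probed[src].add(port)
        elif direction == "out" and flags == "SYN-ACK":
            syn_acked[src].add(port)
        elif direction == "in" and flags == "ACK":
            completed[src].add(port)
    connect = sorted(s for s in completed if len(completed[s]) >= port_threshold)
    half_open = sorted(s for s in syn_acked
                       if len(syn_acked[s] - completed[s]) >= port_threshold)
    stats = {s: {"probed": len(probed[s]),
                 "completed": len(completed[s]),
                 "half_open": len(syn_acked[s] - completed[s])}
             for s in probed}
    return connect, half_open, stats


def demo():
    """Constructed capture: one connect scan from 10.0.0.5, and one half open
    scan whose real source 10.0.0.9 hides among three decoy addresses."""
    ports = [21, 22, 23, 25, 80, 110, 143, 443]
    capture = connect_scan_capture("10.0.0.5", ports)
    real, decoys = "10.0.0.9", ["198.51.100.7", "203.0.113.4", "192.0.2.33"]
    capture += half_open_scan_capture([real] + decoys, ports)
    return detect_scans(capture)


if __name__ == "__main__":
    connect, half_open, stats = demo()
    print("connect scanners (attributable):", connect)
    print("half open suspects (indistinguishable):", half_open)
    for src, s in stats.items():
        print(f"  {src:14} probed={s['probed']} completed={s['completed']} half_open={s['half_open']}")
```

Running `demo()` flags 10.0.0.5 alone as the connect scanner, since it is the only address that completed handshakes, while the half open list contains all four addresses with identical counters: the server can see that a stealth scan is in progress, but nothing in its own records singles out 10.0.0.9, and blocking every suspect would also block whatever legitimate hosts the decoy addresses belong to. That is exactly the attribution gap the text describes, and it is why defenders typically rate-limit or alert on aggregate half open volume rather than rely on per-address blocking alone.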