Port scanning of network elements may be performed for legitimate or illegitimate purposes. For example, a network administrator may perform a legitimate port scan to verify network inventory and security. An attacker, however, may perform an illegitimate port scan to gain access to sensitive network information and compromise the security of the network and/or the security of computers or servers on the network.
One approach to detecting port scans involves setting a fixed threshold on the number of control packets permitted in a given time interval and counting the number of scan packet arrivals. For example, receiving more than 10 scan packets in 5 seconds may be considered a violation of the scan threshold for ports used for User Datagram Protocol (UDP), Transmission Control Protocol (TCP), or Internet Protocol (IP) over Internet Control Message Protocol (ICMP). A violation of the fixed scan threshold within the given time interval may then be used as an indication of a possible illegitimate port scan.
However, over time, an attacker may determine the fixed scan threshold by sending port scans at different intervals. Once the attacker has identified the fixed scan threshold, the attacker may simply perform port scans at a lower rate and avoid detection. The attacker may then proceed to determine active ports, characteristics of the network, and any security vulnerabilities, and may exploit the knowledge derived from such port scans in a future attack, e.g., a denial of service attack.
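As an added example (not part of the original text), the following is a per-source sliding-window implementation of the fixed-threshold scheme described above, run against two constructed probe streams covering the same 20 TCP ports: one at 5 packets per second, which trips the 10-in-5-seconds threshold, and one at 0.6-second spacing, which never does. Source addresses, port numbers and timings are constructed sample data.

```python
from collections import deque

# Fixed-threshold parameters from the text: more than 10 scan packets
# arriving within 5 seconds is treated as a scan-threshold violation.
SCAN_THRESHOLD = 10
WINDOW_SECONDS = 5.0


class FixedThresholdScanDetector:
    """Per-source sliding-window counter implementing the fixed-threshold scheme."""

    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.arrivals = {}   # source address -> deque of recent arrival times
        self.alerts = []     # (source, time) for every violation observed

    def observe(self, time, source, dst_port, proto):
        """Record one scan packet; return True if this packet violates the threshold."""
        recent = self.arrivals.setdefault(source, deque())
        recent.append(time)
        # Evict arrivals older than the window so only the last `window` seconds count.
        while recent and time - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.threshold:
            self.alerts.append((source, time))
            return True
        return False


def detect(events, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Run the detector over (time, source, dst_port, proto) tuples; return its alerts."""
    detector = FixedThresholdScanDetector(threshold, window)
    for time, source, dst_port, proto in events:
        detector.observe(time, source, dst_port, proto)
    return detector.alerts


# Constructed sample traffic (not captured data): the same 20 TCP ports probed twice.
# Fast probe: one packet every 0.2 s, so 11 packets share a 5 s window by t=2.0 s.
FAST_SCAN = [(i * 0.2, "198.51.100.7", 1 + i, "TCP") for i in range(20)]
# Slow probe: one packet every 0.6 s, so at most 9 packets ever share a 5 s window.
SLOW_SCAN = [(i * 0.6, "198.51.100.8", 1 + i, "TCP") for i in range(20)]

if __name__ == "__main__":
    fast_alerts = detect(FAST_SCAN)
    slow_alerts = detect(SLOW_SCAN)
    print(f"fast scan: {len(fast_alerts)} violations, first at t={fast_alerts[0][1]:.1f}s")
    # The slow scan reaches the identical ports but never trips the fixed threshold,
    # which is the limitation of a static threshold that the text describes.
    print(f"slow scan: {len(slow_alerts)} violations")
```

Lowering the threshold catches the slower stream but raises the false-positive rate for legitimate inventory scans, which is why a fixed value is a weak detection boundary on its own.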