Proactive Detection for Countermeasures on Port Scanning based Attacks

Defending a cyber asset from a targeted attack based on port scanning is a challenging task because attackers exploit protocol behavior essential for productive use of applications. For instance, TCP or UDP ports opened for applications such as file transfer or video can be exploited to launch denial of service attacks. There is a need for proactive methods that can detect port scanning based attacks at their initial stage so that countermeasures can be initiated before the attack impact is disruptive on a cyber asset. This paper presents methods to counteract the initial stages of network attacks involving TCP and UDP port scanning. Our methods analyze outgoing traffic to identify ICMP 3.3 and TCP RST response packets that indicate the beginning of an attack launch. We specifically describe two countermeasures based on software-defined networking controller (at the network level) and Linux utility (at the host level) modules we developed. To validate the effectiveness of our proactive detection based methodology, we set up a testbed with a scheme of a polygon and conducted experiments related to distortion of the port status of attacks. Our results demonstrate that our approach is effective and the accuracy of determining open TCP ports did not exceed 15%, and it did not reach 2% for the remaining ports (closed TCP, UDP of any type).