Ping Sweeps and Port Scans:
Should we worry?
Ping Sweeps and Port Scans are the two most common network probes that serve as important clues in sensing invasion or intrusion that can harm a network. Network probes are not actual intrusions, although, they could be potential causes of actual intrusions. Port scans and ping sweeps can lead to an intrusion of companies network system, however, with today’s technological advancements, these activities can be detected and prevented.
Ping Sweeps; Ping sweeps are a set of ICMP Echo packets that are sent out to network of computers, actually a range of IP addresses, to see if there are any responses. As an intruder sends out the ping sweeps, he looks for responses so he can figure out which machines he can attack. “Note that there are legitimate reasons for performing ping sweeps on a network—a network administrator may be trying to find out which machines are alive on a network for diagnostic reasons. Ping sweeps are detectable using special tools as well. ippl is an IP protocol logger that can log TCP, UDP and ICMP packets. It is similar to scanlogd, where it sits in the background and listens for packets. Be careful when using ippl though—if you 're on a busy Ethernet network, you might find that your ippl log files (usually at /var/log/ippl/*) may fill up rather quickly (Teo, 2000).”
Port Scans; Even though ping sweeps are common, port scans are probably the most common probes and relatively simple to perform. A very simple port scan can be programmed in a few minutes. However, this method can easily be detected and therefore is not used much. “Another sneakier, “stealthier” kind of port scan is called the “half-open” SYN scan. In this scan, the port scanner connects to the port but shuts down the connection right before a full connection occurs (hence the name “half-open”). Since a full connection never happened, the operating system of the target machine usually
References: Teo, L. (2000). Network Probes Explained: Understanding Port Scans and Ping Sweeps. Retrieved on March 10,2011 from: http://www.linuxjournal.com/article/4234?page=0,1