← Lessons

quiz vs the machine

Platinum1720

Networking

Port Scanning Detection

Spotting an attacker mapping your open services.

5 min read · advanced · beat Platinum to climb

Mapping The Attack Surface

Before attacking, an adversary often runs a port scan to learn which services are listening. By probing many ports, they build a map of open doors. Detecting this reconnaissance gives early warning.

What A Scan Looks Like

Scans leave recognizable footprints in traffic.

  • Many connection attempts from one source to many ports on a host suggest a vertical scan.
  • Connection attempts to the same port across many hosts suggest a horizontal sweep.
  • Some scans avoid completing the handshake, such as sending a SYN and never finishing, to stay quieter.

How Detection Works

Defenders watch for these patterns over time.

  • Counting distinct ports or hosts touched by a source within a window flags scanning.
  • Many connections to closed ports, which produce resets, is a strong signal.
  • Intrusion detection systems carry rules tuned for known scan techniques.

Evading And Countering

Attackers try to hide, and defenders adapt.

  • Slow scans spread probes over hours to stay under thresholds.
  • Distributed scans use many sources so no single one looks busy.
  • Defenders respond with longer observation windows, correlation across sources, and sometimes tarpits that deliberately slow a scanner down.

Key idea

Port scanning probes many ports or hosts to map open services, and detection counts unusual spreads of connection attempts, especially to closed ports, while slow and distributed scans push defenders toward longer windows and cross source correlation.

Check yourself

Answer to earn rating on the learn ladder.

1. What pattern suggests a vertical port scan?

2. Why are connection attempts to closed ports a strong scan signal?

3. How do attackers evade simple scan detection?