Network and port scan conditions

Nexthink considers a set of connections to be a network or port scan when the following conditions are met:

  • A single process is starting all the connections.
  • Each connection in the set is separated from the previous connection by less than 90 seconds, that is, one and a half minutes.
  • The set of connections contains at least 50 connections.
  • The set of connections only contains failed connections.

The reason to include the last condition is that a scan operation does not usually complete the vast majority of its connection attempts. Since a scan blindly tests every port or destination, most of the connections are rejected. The way to express this last condition depends on the transport protocol of the connection. In the case of TCP, the status of the connection directly shows whether the connection failed or not. In the case of UDP, however, there is no clear status of the connection. Therefore, Nexthink suspects a UDP scan when many small UDP packets are sent in a short period of time:

  • TCP: all connections in the set are unsuccessful.
  • UDP: the size of each packet sent is less than 10 KB, and the total duration of the whole scan is less than 15 minutes.

To summarize, this is the list of all the types of network and port scan that you can find:

  • TCP network scan: a process launches a burst of unsuccessful TCP connections to the same port of at least 50 destinations.
  • UDP network scan: a process sends a burst of small UDP datagrams to the same port of at least 50 destinations within 15 minutes.
  • TCP port scan: a process launches a burst of unsuccessful TCP connections to at least 50 ports on the same destination.
  • UDP port scan: a process sends a burst of small UDP datagrams to at least 50 ports on the same destination within 15 minutes.
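As an added example (not Nexthink's own code), the conditions above written out as a small detector that groups connection records by process and protocol and labels each set as one of the four scan types; the `Conn` record layout and the sample connections are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Thresholds taken from the conditions described above
MIN_CONNECTIONS = 50             # connections per set
MAX_GAP_SECONDS = 90             # between consecutive connections
UDP_MAX_PACKET_BYTES = 10 * 1024
UDP_MAX_SCAN_SECONDS = 15 * 60

# Constructed record: pid = process starting the connection; proto = "tcp"/"udp";
# ts = start time in seconds; failed = TCP connection unsuccessful; size = UDP bytes sent
Conn = namedtuple("Conn", "pid proto dst port ts failed size", defaults=(0,))

def classify(conns):
    """Scan type for one process's connections of one protocol, or None."""
    if len(conns) < MIN_CONNECTIONS:
        return None
    conns = sorted(conns, key=lambda c: c.ts)
    if any(b.ts - a.ts >= MAX_GAP_SECONDS for a, b in zip(conns, conns[1:])):
        return None  # a gap of 90 s or more breaks the set
    proto = conns[0].proto
    if proto == "tcp" and not all(c.failed for c in conns):
        return None  # TCP: only failed connections count
    if proto == "udp" and (any(c.size >= UDP_MAX_PACKET_BYTES for c in conns)
                           or conns[-1].ts - conns[0].ts >= UDP_MAX_SCAN_SECONDS):
        return None  # UDP: small datagrams and the whole burst under 15 minutes
    dsts, ports = {c.dst for c in conns}, {c.port for c in conns}
    if len(ports) == 1 and len(dsts) >= MIN_CONNECTIONS:
        return f"{proto} network scan"  # one port, many destinations
    if len(dsts) == 1 and len(ports) >= MIN_CONNECTIONS:
        return f"{proto} port scan"     # one destination, many ports
    return None

def detect(conns):
    """Group connections by (process, protocol) and report the detected scans."""
    sets = defaultdict(list)
    for c in conns:
        sets[(c.pid, c.proto)].append(c)
    return {k: r for k, v in sets.items() if (r := classify(v))}

# Constructed sample: pid 100 sweeps port 445 on 50 hosts with failed TCP
# connections; pid 200 probes 50 UDP ports on one host over 10 minutes;
# pid 300 makes 60 successful TCP connections (ordinary client traffic).
SAMPLE = (
    [Conn(100, "tcp", f"10.0.0.{i}", 445, i * 2.0, True) for i in range(1, 51)]
    + [Conn(200, "udp", "10.0.1.5", 1000 + i, i * 12.0, False, 64) for i in range(50)]
    + [Conn(300, "tcp", "10.0.2.9", 443, i * 1.0, False) for i in range(60)]
)
if __name__ == "__main__":
    print(detect(SAMPLE))
```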