What is port scanning and how to detect it?

Short answer

Port scanning probes a target host to discover which ports are open and what services are running. It is a common reconnaissance technique used by both attackers and security auditors.

How it works

Scanners like Nmap send packets to a range of ports and analyze responses. Open ports reply with SYN-ACK. Closed ports reply with RST. Filtered ports return no response or ICMP errors.

Techniques include TCP connect scans, SYN stealth scans, UDP scans, and version detection banners.

Example

An attacker scans a public IP range for port 3389. Finding an open port, they attempt brute-force credentials against the exposed Remote Desktop service.

Why it matters

Port scanning is often the first step before exploitation. Detecting scans early provides warning of impending attacks and allows administrators to remove unnecessary exposures before they are exploited.