Get a Demo
Under Attack?
A flowchart with a red central node branching into dotted lines leading to blue nodes, labeled with numbers 80, 53, 23, and 20, each representing various internet protocols. The Upwind logo is in the top left corner.

Detect Malicious Port Sweep Activities

<br />
<b>Warning</b>:  Undefined variable $photo in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
<br />
<b>Warning</b>:  Trying to access array offset on value of type null in <b>/nas/content/live/landing173/wp-content/themes/bricks/includes/elements/code.php(236) : eval()'d code</b> on line <b>33</b><br />
Joshua Burgin May 03, 2024

Detect Malicious Port Sweep Activities

We are excited to announce support for a new detection type – the identification of malicious port sweeps.

Port sweeps can occur when compromised hosts or containers within your environment probe a port on a large number of publicly routable IP addresses or a large number of internal IP addresses. This type of activity is typically used to find vulnerable hosts or services to exploit.

Port sweeps are conceptually related to port scans, with port sweeps looking for a specific port or ports across multiple hosts, and port scans enumerating any ports to be found on one or more hosts. Sometimes attackers will use a port sweep to narrow down their attack surface, and follow with a port scan, targeted at finding a vulnerable service.

TCP Ports

TCP ports number from 0 to 65535, with the standard ports occupying numbers 0 to 1023. Discovering that a standard port is “open” can indicate either an already infected port, or one that is vulnerable to attack. 

Commonly used ports include:

  • Port 20 (UDP): File Transfer Protocol (FTP) for data transfer
  • Port 22 (TCP): Secure Shell (SSH) protocol for secure logins, FTP, and port forwarding
  • Port 23 (TCP): Telnet protocol for unencrypted text commutations
  • Port 53 (UDP): Domain Name System (DNS) translates names of all computers on internet-to-IP addresses
  • Port 80 (TCP): World Wide Web HTTP

Indicators of Compromise

Potentially malicious port sweeps are detected through their suspicious access patterns – including repeated attempts to connect to a port with a large number of publicly routable IP addresses over a short period of time, or using a large number of internal IP addresses to connect to a port or ports over a short period of time. A port sweep attack aims to locate open ports to discover which services the machine is running and to identify its operating system, to inform which vulnerabilities to exploit.

Screenshot-2024-05-01-at-6.41.32%E2%80%AFPM-1024x552

Internally-based port sweeps are similar to port scan attacks, but rather than leveraging an external application to scan for vulnerable hosts through repeated port scans, internal port sweeps use compromised internal resources to perform port sweeps, with the same goal of identifying vulnerable hosts.

A port sweep can provide useful information about a network environment, including: 

  • Existing network defenses, such as firewalls
  • Running applications
  • Machines that are online
  • Information about the targeted system
  • Information about vulnerable networks and servers
Screenshot-2024-05-01-at-6.40.54%E2%80%AFPM-1024x425

Attackers can then use this information to conduct an attack on a virtual machine or container.

Upwind leverages runtime data and machine learning to rapidly identify unusual port sweeps and immediately alert you to suspicious activity. Read more about port sweep detections in the Upwind Documentation Center (login required).

401 Authorization Required

401 Authorization Required


nginx
Contents

Further Reading

Superhuman AI

Security AI Needs an Honest Scoreboard: What It’s Superhuman At, and Where It Comes Up Short

If you follow AI at all, you know the leaderboards. Every few weeks a model takes the top spot, and we all check where our favorite landed. But a leaderboard only tells you who's ahead, and it stays quiet about where any of those models still come up short. Which, conveniently, is the part that…
Focus Mode

Find What Matters with Upwind Focus Mode

Focus Mode is now available in the Upwind platform, giving security teams a faster, more focused way to work. Instead of navigating across the platform, you can switch to Focus Mode to slice and dice the Upwind platform by Vulnerability Management, Cloud Security Posture, Attack Surface Management, Administration, or Threats, and starting next week, AI…
Early Advisories

Introducing Early Advisories: Turn Emerging Threats into Action

We’re excited to introduce Early Advisories as part of the Upwind platform. Powered by Upwind's security research team, Early Advisories notify customers about emerging threats, including zero-days and supply chain attacks, before they receive a CVE identifier. Early Advisories are published directly into the Vulnerabilities module alongside CVE-based findings and automatically correlated with your live…