Yes, Nmap (Network Mapper) can be detected and, within limits, blocked. A port scan is inherently noisy: to learn which ports are open, Nmap has to send at least one probe to every port of interest on every target, so even a default scan of a single host produces on the order of a thousand TCP probes within seconds, and a sweep of a subnet multiplies that. Administrators use intrusion detection systems, firewalls, honeypots and log-driven blocking tools to recognise this abnormal traffic pattern, attribute it to Nmap or a similar enumeration tool, and decide on a response, up to and including blocking the source.
One method is to analyse the network traffic itself. A scanning host produces a distinctive pattern: many connection attempts from one source to many ports on one host, or to one port across many hosts, in a short period, most of which never complete a handshake. Network intrusion detection and prevention systems (IDS/IPS) recognise these patterns and alert administrators. Snort, a widely used open-source IDS/IPS, ships a dedicated port-scan preprocessor (sfPortscan) for exactly this purpose, and many firewalls and other network appliances include equivalent traffic-monitoring features (“Intrusion Detection FAQ: What is the difference between a Host Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS)?”, Cisco Systems, 2005).
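The pattern-based detection described above, as an added example that is not part of the original answer or of Snort's code: a small sliding-window detector in the spirit of an IDS port-scan preprocessor, run over constructed connection records. It raises a port-scan alert when one source probes many ports on one host, a port-sweep alert when it probes one port on many hosts, and a SYN-scan alert when that activity is mostly half-open (SYN probes that never complete a handshake). The thresholds, window and addresses are illustrative assumptions, not Snort's defaults.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed TCP connection attempt, as a flow sensor or IDS would record it."""
    ts: float        # seconds
    src: str         # initiating host
    dst: str         # target host
    dport: int       # target port
    completed: bool  # True if the three-way handshake finished


def detect_scans(conns, window=5.0, port_threshold=15, host_threshold=10, half_open_ratio=0.8):
    """Return sorted (src, kind) alerts. Thresholds are illustrative, not Snort's defaults.

    'portscan'  : src probed >= port_threshold distinct ports on one host within `window` seconds
    'portsweep' : src probed one port on >= host_threshold distinct hosts within `window` seconds
    'syn_scan'  : the scanning activity was mostly half-open, i.e. SYN probes that never completed
    """
    recent = defaultdict(deque)  # src -> attempts inside the sliding window
    alerts = set()
    for c in sorted(conns, key=lambda x: x.ts):
        q = recent[c.src]
        q.append(c)
        while c.ts - q[0].ts > window:      # evict attempts older than the window
            q.popleft()
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for r in q:
            ports_per_host[r.dst].add(r.dport)
            hosts_per_port[r.dport].add(r.dst)
        scanning = False
        if any(len(p) >= port_threshold for p in ports_per_host.values()):
            alerts.add((c.src, "portscan"))
            scanning = True
        if any(len(h) >= host_threshold for h in hosts_per_port.values()):
            alerts.add((c.src, "portsweep"))
            scanning = True
        if scanning:
            incomplete = sum(1 for r in q if not r.completed)
            if incomplete / len(q) >= half_open_ratio:
                alerts.add((c.src, "syn_scan"))
    return sorted(alerts)


# Constructed sample traffic (not a real capture); addresses are assumptions.
SAMPLE = (
    # scanner: 20 ports on one host in two seconds, none completed (SYN scan of one target)
    [Conn(100.0 + i * 0.1, "10.0.0.99", "192.168.1.10", 20 + i, False) for i in range(20)]
    # same scanner later: port 22 on twelve hosts in under a second (a sweep for SSH)
    + [Conn(200.0 + i * 0.05, "10.0.0.99", f"192.168.1.{i + 1}", 22, False) for i in range(12)]
    # ordinary client: a few completed web connections to one server
    + [Conn(100.0 + i, "10.0.0.5", "192.168.1.10", 443 if i % 2 else 80, True) for i in range(6)]
)

if __name__ == "__main__":
    for src, kind in detect_scans(SAMPLE):
        print(f"{src}: {kind}")
```

Running it flags 10.0.0.99 for portscan, portsweep and syn_scan while the ordinary client stays silent. The same code also shows the classic evasion: a scanner that spreads its probes so that fewer than the threshold fall inside any one window (Nmap's slow timing templates, -T0 and -T1, exist for this reason) produces no alert, which is why production detectors combine several windows and thresholds rather than relying on one.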
Firewalls can also detect and block Nmap, since they see all incoming and outgoing traffic. Administrators can write rules that drop ICMP echo requests (defeating Nmap's default ping-based host discovery), rate-limit new TCP connections per source address, or block specific source addresses outright. Some firewalls also recognise the half-open connections left behind by the SYN (stealth) scan, the scan type Nmap uses by default when it has raw-socket privileges and one of its most popular (“Defeating TCP/IP Stack Fingerprinting,” Sans Institute, 2002). Two caveats apply: a firewall that silently drops probes stops Nmap from learning much, but Nmap still reports those ports as filtered rather than reporting nothing at all, and blocking ICMP on its own is sidestepped simply by telling Nmap to skip host discovery (-Pn).
Many detection methods rely on honeypots: systems that mimic likely targets of cyberattacks but serve no production purpose, so any traffic to them is suspect by definition. Because Nmap sweeps address ranges without knowing which hosts are real, a scan will eventually touch the honeypot, which can log the probes and alert administrators to the incoming threat before the scanner reaches real assets (Spitzner, Lance, “Honeypots: Catching the Insider Threat,” 2003).
In addition, some networks use an active response system that automatically blocks or rate-limits a source once it has been identified as scanning. Fail2Ban is a common example. It is most often used to ban sources of repeated SSH login failures, but the mechanism is generic: it watches log files for lines matching a filter and, when one source exceeds maxretry matches within findtime seconds, inserts a firewall rule against that source for bantime seconds. The caveat is that Fail2Ban only sees what is logged, so using it against Nmap requires a log source for the probes, such as a firewall LOG rule for new TCP connections or a service that logs connection attempts (“Fail2Ban,” Fail2Ban, 2019).
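The log-driven active response described above, as an added example that is not part of the original answer or of Fail2Ban's own code: a minimal jail in Python with Fail2Ban's three parameters (findtime, maxretry, bantime), run over constructed kernel log lines of the kind an iptables rule such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "NMAP-SCAN: "` would write. The log prefix, addresses and thresholds are assumptions, and the ban and unban firewall commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches a kernel/iptables LOG line: syslog timestamp, host, "kernel:", then the packet fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)
_EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900; only differences matter here


def parse_log_line(line):
    """Return (seconds, src_ip, dport) for a matching firewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - _EPOCH).total_seconds()
    return ts, m["src"], int(m["dport"])


def run_jail(lines, findtime=60.0, maxretry=5, bantime=600.0):
    """Fail2Ban-style jail: ban a source after `maxretry` matching lines within
    `findtime` seconds and lift the ban after `bantime` seconds. Returns the
    (action, ip, firewall_command) decisions in order; nothing is executed."""
    hits = defaultdict(deque)   # ip -> timestamps of recent matches
    banned = {}                 # ip -> time the ban expires
    actions = []
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:          # lines the filter does not match are ignored, as in Fail2Ban
            continue
        ts, src, _dport = ev
        for ip, expiry in list(banned.items()):   # lift bans whose bantime has elapsed
            if ts >= expiry:
                del banned[ip]
                actions.append(("unban", ip, f"iptables -D INPUT -s {ip} -j DROP"))
        if src in banned:       # a DROP rule is already in place for this source
            continue
        q = hits[src]
        q.append(ts)
        while ts - q[0] > findtime:               # keep only hits inside findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[src] = ts + bantime
            q.clear()
            actions.append(("ban", src, f"iptables -I INPUT -s {src} -j DROP"))
    return actions


def log_line(ts_text, src, dport):
    """Constructed kernel log line in the shape iptables '-j LOG' produces (not a real capture)."""
    return (f"{ts_text} gw kernel: NMAP-SCAN: IN=eth0 OUT= SRC={src} DST=192.168.1.10 "
            f"LEN=44 TTL=45 PROTO=TCP SPT=54321 DPT={dport} WINDOW=1024 SYN URGP=0")


# Constructed log excerpt; hosts and times are assumptions.
SAMPLE_LOG = [
    log_line("Jan 10 12:00:01", "10.0.0.99", 21),
    log_line("Jan 10 12:00:01", "10.0.0.99", 22),
    log_line("Jan 10 12:00:02", "10.0.0.99", 23),
    log_line("Jan 10 12:00:02", "10.0.0.5", 443),   # ordinary client, one connection
    log_line("Jan 10 12:00:02", "10.0.0.99", 25),
    log_line("Jan 10 12:00:03", "10.0.0.99", 80),    # fifth hit inside findtime: ban
    log_line("Jan 10 12:00:03", "10.0.0.99", 443),   # already banned: ignored
    "Jan 10 12:00:04 gw sshd[1]: Accepted publickey for ops from 10.0.0.5",  # not a firewall line
    log_line("Jan 10 12:11:00", "10.0.0.99", 22),    # bantime elapsed: unban, then one fresh hit
]

if __name__ == "__main__":
    for action, ip, cmd in run_jail(SAMPLE_LOG):
        print(f"{action:5} {ip:12} {cmd}")
```

In a real deployment the equivalent is a Fail2Ban filter whose regex captures the source as `<HOST>` plus a jail pointing at the kernel log with the same three parameters. Once the DROP rule sits ahead of the LOG rule, further probes from the banned source are no longer logged, which is why the jail ignores hits from already-banned sources; note also that a per-source ban is only as good as the attribution, since a scanner can switch addresses or hide among decoys.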
Consequently, while Nmap is a legitimate and powerful tool that system administrators and analysts use to map network environments and find exposed services, it is equally useful to an attacker performing reconnaissance. Administrators and security staff therefore employ the techniques above to detect its use and, where appropriate, block it to protect their systems.
References:
1. Cisco Systems (2005). Intrusion Detection FAQ: What is the difference between a Host Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS)? Retrieved from https://www.cisco.com/c/en/us/support/docs/security-vpn/intrusion-detection-systems-ids/44816-hidsnids.html
2. Sans Institute (2002). Defeating TCP/IP Stack Fingerprinting. Retrieved from https://www.sans.org/reading-room/whitepapers/detection/defeating-tcpip-stack-fingerprinting-482
3. Spitzner, Lance (2003). Honeypots: Catching the Insider Threat. Retrieved from http://staff_washington.edu/dittrich/misc/spitzner.20030108.bbhoney.pdf
4. Fail2Ban (2019). Fail2Ban. Retrieved from http://www.fail2ban.org/wiki/index.php/Main_Page