Dino Geek, try to help you

How do I spot NMAP scanning on my network?


NMAP, or Network Mapper, is often used by network administrators for network inventory, managing service upgrade schedules and monitoring host or service uptime (Rouse, 2021, TechTarget). However, it can also be used for less legitimate purposes, and an unauthorised NMAP scan may be the reconnaissance step that precedes a cyber attack. Spotting an NMAP scan against your servers is therefore important, and there are several ways to do so.

Firstly, an NMAP scan can be recognized by looking for packet anomalies. NMAP supports many scanning methods, with the SYN scan and the ping scan among the most frequently used (Lyon, 2013, NMAP Network Scanning). These scan types leave traces of abnormal packets that network administrators can identify.

In a SYN scan, NMAP sends a SYN (synchronize) packet and waits for a response. If the port is open, it receives a SYN-ACK (synchronize-acknowledge) packet; if the port is closed, it receives a RST (reset) packet (Lyon, 2009, NMAP Network Scanning). Because the scanner never completes the three-way handshake, a stream of SYNs from one source to many ports with no established connections is the tell-tale pattern. Network administrators can use an intrusion detection system (IDS) to look for these abnormal SYN packets. Snort, for example, is a free and open-source network IDS that can be configured to detect NMAP SYN scans (De Vivo et al., 2001, ECCWS 2001 Proceedings).

For a ping scan, NMAP sends an Internet Control Message Protocol (ICMP) echo request to determine whether a host is up (Lyon, 2009, NMAP Network Scanning). Network administrators can configure firewall rules to alert when many ICMP echo requests arrive from the same source, which is a red flag for scanning activity.

Another way to detect NMAP scans is to look for a high number of connection attempts to closed ports from the same source. NMAP works by probing many ports on a host to discover which ones are open and potentially exploitable (Rouse, 2021, TechTarget), and every closed port it hits answers with a RST. An IDS such as Snort can be configured to alert when the same source hits multiple closed ports.

It’s also worth paying attention to the timing of incoming requests. Most NMAP scans are slow and may be spread over an extended period to avoid detection (Kumar, 2014, Systematic Approach to Digital Forensics and Incident Response). Network administrators should therefore also look for slow but persistent port requests from the same source, not only for sudden bursts.
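As an added example (not part of the original article), the Python script below applies the three heuristics discussed above, namely many SYNs from one source to different ports without a completed handshake, many ICMP echo requests from one source, and probes spread over a long period, to a constructed set of connection records. The record format, the thresholds and the sample data are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format, not real traffic). Each line is
# "<timestamp> <src> <dst> <proto> <dport> <outcome>", where outcome is syn-rst
# (SYN answered by RST: closed port), syn-synack (SYN-ACK received, then the client
# sent RST instead of finishing the handshake), established, or echo-req (ICMP ping).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.0.20 tcp 22 syn-synack
2024-05-01T10:03:10 10.0.0.5 10.0.0.20 tcp 23 syn-rst
2024-05-01T10:06:25 10.0.0.5 10.0.0.20 tcp 25 syn-rst
2024-05-01T10:09:40 10.0.0.5 10.0.0.20 tcp 80 syn-synack
2024-05-01T10:12:55 10.0.0.5 10.0.0.20 tcp 443 syn-rst
2024-05-01T10:13:00 10.0.0.5 10.0.0.21 icmp 0 echo-req
2024-05-01T10:13:01 10.0.0.5 10.0.0.22 icmp 0 echo-req
2024-05-01T10:13:02 10.0.0.5 10.0.0.23 icmp 0 echo-req
2024-05-01T10:13:03 10.0.0.5 10.0.0.24 icmp 0 echo-req
2024-05-01T10:00:05 10.0.0.9 10.0.0.20 tcp 443 established
2024-05-01T10:00:30 10.0.0.9 10.0.0.20 tcp 22 established
"""

def analyze(log_text, port_threshold=5, host_threshold=4, slow_minutes=10):
    """Return {src: [finding, ...]}; the thresholds are assumptions to tune per network."""
    unfinished = defaultdict(set)   # src -> {(dst, port)} probed without a completed handshake
    closed_hits = defaultdict(int)  # src -> number of SYNs answered by RST (closed ports)
    pinged = defaultdict(set)       # src -> {dst} that received an ICMP echo request
    seen = defaultdict(list)        # src -> timestamps of its probes (for the timing check)
    for line in log_text.splitlines():
        ts, src, dst, _proto, dport, outcome = line.split()
        if outcome in ("syn-rst", "syn-synack"):          # handshake never completed
            unfinished[src].add((dst, int(dport)))
            closed_hits[src] += outcome == "syn-rst"      # bool adds 0 or 1
            seen[src].append(datetime.fromisoformat(ts))
        elif outcome == "echo-req":                       # ping-sweep candidate
            pinged[src].add(dst)
            seen[src].append(datetime.fromisoformat(ts))
    findings = defaultdict(list)
    for src, targets in unfinished.items():               # SYN-scan heuristic
        if len(targets) >= port_threshold:
            findings[src].append(f"syn-scan: {len(targets)} ports probed without a completed "
                                 f"handshake, {closed_hits[src]} of them closed")
    for src, hosts in pinged.items():                     # ping-sweep heuristic
        if len(hosts) >= host_threshold:
            findings[src].append(f"ping-sweep: {len(hosts)} hosts received ICMP echo requests")
    for src in findings:                                  # timing heuristic: slow, persistent probing
        span = max(seen[src]) - min(seen[src])
        if span >= timedelta(minutes=slow_minutes):
            findings[src].append(f"slow: probes spread over {int(span.total_seconds()) // 60} minutes")
    return dict(findings)
```

Calling `analyze(SAMPLE_LOG)` flags only 10.0.0.5 (SYN scan of five ports, ping sweep of four hosts, probes spread over 13 minutes); the ordinary client 10.0.0.9, whose handshakes complete, produces no finding.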

In conclusion, spotting an NMAP scan is not in itself proof of malicious intent, but it is always best to be prepared. Monitoring for the signs of NMAP scans is therefore an important part of maintaining a secure network.

References:

- Lyon, G. F. (2013). NMAP Network Scanning: The Official Nmap Project Guide.
- De Vivo, M., De Vivo, G., & Iacoviello, D. (2001). A Statistical Approach to Network Anomaly Detection.
- Rouse, M. (2021). What is Nmap? Definition from WhatIs.com.
- Kumar, D. (2014). Systematic Approach to Digital Forensics and Incident Response. International Journal of Computer Science and Information Technology.

