Method and apparatus for detecting port scans with fake source address
First Claim
1. A computer implemented method for port scan protection, the computer implemented method comprising:
responsive to detecting a port scan, generating, by a processor, a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet, wherein the modified reply data packet will elicit a response from a recipient of the modified reply data packet, wherein the modified header will compel the recipient's transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
sending the modified reply data packet to a first source internet protocol address associated with the port scan; and
responsive to receiving the response to the modified reply data packet, identifying that a second source internet protocol address in a header of the response is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
1 Assignment
0 Petitions
Abstract
A computer implemented method, apparatus, and computer program product for port scan protection. A reply data packet having a modified transmission control protocol header is generated to form a modified reply data packet, in response to detecting a port scan. The modified reply data packet will elicit a response from a recipient of the modified data packet. The reply data packet is sent to a first Internet protocol address associated with the port scan. A second Internet protocol address is identified from a header of the response to the modified reply data packet. The second Internet protocol address is an actual Internet protocol address of a source of the port scan. All network traffic from the second Internet protocol address may be blocked to prevent an attack on any open ports from the source of the port scan.
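The exchange the abstract describes, modeled end to end as an added example; this is not code from the patent or from any implementation by its assignee. The Packet class, the PortScanProtector and scanner-side helper, the scan-detection threshold and every address and port are constructed for illustration. The probe relies on a real property of TCP (RFC 793 reset generation: a segment with ACK set that matches no connection is answered with a RST whose SEQ equals the received ACK), so a random ACK number serves as a correlation token that the answering stack hands back. Which header modification causes a snooping host's TCP/IP layer to process a packet addressed to the spoofed IP is the subject of the specification and is assumed here, not reproduced.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed TCP/IP header model: just the fields the exchange needs."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "R" = RST
    seq: int = 0
    ack: int = 0
    ts: float = 0.0     # arrival time, seconds


class PortScanProtector:
    """Host-side logic for the three steps of the claim (constructed example)."""

    def __init__(self, local_ip: str, threshold: int = 5, window: float = 2.0):
        self.local_ip = local_ip
        self.threshold = threshold          # distinct ports inside `window` => scan
        self.window = window
        self.syns: Dict[str, list] = defaultdict(list)   # claimed src -> [(ts, dst_port)]
        self.pending: Dict[int, str] = {}   # probe token -> first (claimed) source IP
        self.probed: Set[str] = set()
        self.unmasked: Dict[str, str] = {}  # first (spoofed) IP -> second (true) IP
        self.blocked: Set[str] = set()

    def _scan_detected(self, src_ip: str, now: float) -> bool:
        recent = [(t, p) for t, p in self.syns[src_ip] if now - t <= self.window]
        self.syns[src_ip] = recent
        return len({p for _, p in recent}) >= self.threshold

    def _make_probe(self, scan: Packet) -> Packet:
        # Step 1, the "modified reply": a SYN/ACK whose ACK number is a random
        # token. A TCP stack that processes an ACK-bearing segment matching no
        # connection answers RST with SEQ = SEG.ACK (RFC 793 reset generation),
        # so whichever stack answers hands the token back.
        # ASSUMPTION: the header change that makes a *snooping* host's stack
        # process a packet addressed to the spoofed IP is what the
        # specification describes; it is not modeled here.
        token = secrets.randbits(32)
        self.pending[token] = scan.src_ip
        self.probed.add(scan.src_ip)
        return Packet(self.local_ip, scan.src_ip, scan.dst_port, scan.src_port,
                      "SA", seq=secrets.randbits(32), ack=token, ts=scan.ts)

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Feed one inbound packet. Returns a probe to transmit, or None."""
        if pkt.dst_ip != self.local_ip or pkt.src_ip in self.blocked:
            return None                      # not ours, or already blocked
        # Step 3: a RST whose SEQ is one of our tokens is the recipient's TCP/IP
        # layer answering the probe. A source IP other than the one we probed is
        # the scanner's real address; block everything from it.
        if pkt.flags == "R" and pkt.seq in self.pending:
            first_ip = self.pending.pop(pkt.seq)
            if pkt.src_ip != first_ip:
                self.unmasked[first_ip] = pkt.src_ip
                self.blocked.add(pkt.src_ip)
            return None
        if pkt.flags == "S":
            self.syns[pkt.src_ip].append((pkt.ts, pkt.dst_port))
            if pkt.src_ip not in self.probed and self._scan_detected(pkt.src_ip, pkt.ts):
                return self._make_probe(pkt)  # Step 2: send to the first (claimed) IP
        return None


def snooping_scanner_stack(probe: Packet, true_ip: str) -> Packet:
    """Constructed scanner host: it snoops the reply sent to the spoofed address,
    and its own TCP/IP layer, holding no such connection, emits RST with
    SEQ = received ACK from its real address (RFC 793 behaviour)."""
    return Packet(true_ip, probe.src_ip, probe.dst_port, probe.src_port,
                  "R", seq=probe.ack, ts=probe.ts)


def run_scenario(spoofed: str = "10.0.0.250", true_ip: str = "10.0.0.77",
                 target: str = "10.0.0.5") -> Tuple[PortScanProtector, Packet]:
    """Constructed SYN sweep over ports 20..30 with a spoofed source, followed by
    the scanner's stack answering the probe. Returns the host and the probe."""
    host = PortScanProtector(target)
    probe = None
    for i, port in enumerate(range(20, 31)):
        syn = Packet(spoofed, target, 40000 + i, port, "S", seq=1000 + i, ts=0.1 * i)
        probe = host.handle(syn) or probe
    if probe is None:
        raise RuntimeError("scan not detected")
    host.handle(snooping_scanner_stack(probe, true_ip))
    return host, probe


if __name__ == "__main__":
    h, p = run_scenario()
    print("probe sent to", p.dst_ip, "answered from", h.unmasked.get(p.dst_ip))
    print("blocked:", sorted(h.blocked))
```

The distinct-ports-in-a-window threshold is only a stand-in for "detecting a port scan", which the claim leaves open. The check that the answering address differs from the probed one is what the claim turns on: a scanner that did not spoof answers from the address that was probed, and in that case nothing new is learned and nothing is blocked.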
236 Citations
35 Claims
1. A computer implemented method for port scan protection, the computer implemented method comprising:
responsive to detecting a port scan, generating, by a processor, a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet, wherein the modified reply data packet will elicit a response from a recipient of the modified reply data packet, wherein the modified header will compel the recipient's transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
sending the modified reply data packet to a first source internet protocol address associated with the port scan; and
responsive to receiving the response to the modified reply data packet, identifying that a second source internet protocol address in a header of the response is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
(Dependent claims: 2-13)
14. A computer program product for port scan protection, the computer program product comprising:
a computer usable storage device including computer usable program code embodied therewith, the computer usable program code comprising:
computer usable program code for generating a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient's transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
computer usable program code for sending the modified reply data packet to a first source internet protocol address associated with the port scan; and
computer usable program code for identifying, in response to receiving the response data packet, that a second source internet protocol address in a header of the response data packet is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
(Dependent claims: 15-23)
24. An apparatus comprising:
a bus system; a communications system connected to the bus system; a memory connected to the bus system, wherein the memory includes computer usable program code; and a processing unit connected to the bus system, wherein the processing unit executes the computer usable program code to:
generate a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient's transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
send the modified reply data packet to a first source internet protocol address associated with the port scan; and
identify, in response to receiving the response data packet, that a second source internet protocol address in a header of the response data packet is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
(Dependent claims: 25-31)
32. A system for protecting against port scans, the system comprising:
a host computer, wherein the host computer comprises:
an enhanced port scan protection software for detecting a port scan data packet and generating a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient's transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet, wherein the modified reply data packet is sent to a first source internet protocol address associated with the port scan; and
a source Internet protocol address detector, wherein the source Internet protocol address detector identifies that a second source internet protocol address in a header of a response to the modified reply data packet is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
(Dependent claims: 33-35)
Specification