Network reconnaissance: Difference between revisions

From Citizendium
imported>Howard C. Berkowitz
No edit summary
mNo edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 2: Line 2:
'''Network reconnaissance''' is a term for testing for potential vulnerabilities in a computer network. This may be a legitimate activity by the network owner/operator, seeking to protect it or to enforce its acceptable use policy. It also may be a precursor to external attacks on the network.
'''Network reconnaissance''' is a term for testing for potential vulnerabilities in a computer network. This may be a legitimate activity by the network owner/operator, seeking to protect it or to enforce its acceptable use policy. It also may be a precursor to external attacks on the network.


Certain apparent reconnaissance activities, which would be highly suspicious if coming from outside the network, may be perfectly normal network performance and reliability monitoring when performed inside the boundaries of the network. Some network intrustion detection systems have difficulty in determining if a reconnaissance activity is internal or external, and generate many false alarms causing fear, uncertainty and doubt.  
Certain apparent reconnaissance activities, which would be highly suspicious if coming from outside the network, may be perfectly normal network performance and reliability monitoring when performed inside the boundaries of the network. Some [[network intrusion detection system]]s have difficulty in determining if a reconnaissance activity is internal or external, and generate many false alarms causing [[fear, uncertainty and doubt]].  
==Address sweeps==
==Address sweeps==
Sometimes called [[ping]] sweeps, an [[address sweep]] principally is intended to discover whether specific [[Internet Protocol]] addresses in the network are associated with active computers. As a legitimate network management technique, this can be part of [[network discovery]]. To monitor the use of address space allocations, the [[address registry|address registries]] that allocate the addresses may scan organizations to see if they are using all their space, a scarce resource with [[Internet Protocol version 4]].
Sometimes called [[ping]] sweeps, an [[address sweep]] principally is intended to discover whether specific [[Internet Protocol]] addresses in the network are associated with active computers. As a legitimate network management technique, this can be part of [[network discovery]]. To monitor the use of address space allocations, the address registries]] that allocate the addresses may scan organizations to see if they are using all their space, a scarce resource with [[Internet Protocol version 4]].


Organizations accessible from the public [[Internet]] have assigned blocks of addresses, the ranges of which are available in address registries. The way in which the blocks are subdivided, and whether specific addresses are active, is not public information.
Organizations accessible from the public [[Internet]] have assigned blocks of addresses, the ranges of which are available in address registries. The way in which the blocks are subdivided, and whether specific addresses are active, is not public information.  


In practice, an existing network may not have been well documented, and a new network administrator may need to do network discovery just to document the subdivisions (i.e., "subnetting") and the existence of computers.
In practice, an existing network may not have been well documented, and a new network administrator may need to do network discovery just to document the subdivisions (i.e., "subnetting") and the existence of computers.
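Review bot: In the Address sweeps paragraph, the newer revision removes the opening "[[address registry|" but leaves the closing brackets, so the sentence now reads "the address registries]]" and the stray "]]" appears literally in the rendered article. Either restore the piped link "[[address registry|address registries]]" or delete the trailing "]]". The spelling correction from "intrustion" to "intrusion" and the added wikilinks in the second paragraph need no change.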
Line 12: Line 12:
[[Port scanning]] actually covers a wide range of activities involving sending a stimulus to the [[Transmission Control Protocol]] (TCP) or [[User Datagram Protocol]] (UDP) identifiers of specific services on specific computers. If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist.
[[Port scanning]] actually covers a wide range of activities involving sending a stimulus to the [[Transmission Control Protocol]] (TCP) or [[User Datagram Protocol]] (UDP) identifiers of specific services on specific computers. If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist.


There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages.
There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages.[[Category:Suggestion Bot Tag]]
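Review bot: On the last line the category tag is fused to the end of the sentence ("protocol messages.[[Category:Suggestion Bot Tag]]") with no line break. Move the tag to its own line after the article text so it stays separate from the prose and is easy to locate or remove in later edits.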

Latest revision as of 06:00, 25 September 2024

This article is developing and not approved.

Network reconnaissance is a term for testing for potential vulnerabilities in a computer network. This may be a legitimate activity by the network owner/operator, seeking to protect it or to enforce its acceptable use policy. It also may be a precursor to external attacks on the network.

Certain apparent reconnaissance activities, which would be highly suspicious if coming from outside the network, may be perfectly normal network performance and reliability monitoring when performed inside the boundaries of the network. Some network intrusion detection systems have difficulty in determining if a reconnaissance activity is internal or external, and generate many false alarms causing fear, uncertainty and doubt.

Address sweeps

Sometimes called ping sweeps, an address sweep principally is intended to discover whether specific Internet Protocol addresses in the network are associated with active computers. As a legitimate network management technique, this can be part of network discovery. To monitor the use of address space allocations, the address registries that allocate the addresses may scan organizations to see if they are using all their space, a scarce resource with Internet Protocol version 4.

Organizations accessible from the public Internet have assigned blocks of addresses, the ranges of which are available in address registries. The way in which the blocks are subdivided, and whether specific addresses are active, is not public information.

In practice, an existing network may not have been well documented, and a new network administrator may need to do network discovery just to document the subdivisions (i.e., "subnetting") and the existence of computers.

Port scanning

Port scanning actually covers a wide range of activities involving sending a stimulus to the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) identifiers of specific services on specific computers. If an address sweep is analogous to checking if a building exists at a given street address, a port scan is closer to testing the doors to see if they are locked, or at least to see if specific apartments or rooms exist.

There is no single mechanism for port scanning, as different TCP and UDP services respond to different kinds of protocol messages.
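
The article separates address sweeps (one source, many addresses) from port scans (one source, many service ports on a host) and notes that detection systems raise false alarms when they cannot tell internal monitoring from external probing. The following is an added example, not part of the original article, showing that classification over flow records; the records, thresholds, address ranges and monitor allowlist are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (source IP, destination IP, destination port).
# Port 0 stands for an ICMP echo request. Addresses are private or documentation
# ranges chosen for this example.
FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 0) for i in range(1, 41)]        # internal monitor pinging a subnet
    + [("203.0.113.9", f"10.0.1.{i}", 0) for i in range(1, 41)]   # same pattern from outside
    + [("198.51.100.7", "10.0.1.20", p) for p in range(1, 31)]    # many ports on one host
    + [("192.0.2.44", "10.0.1.20", 443)] * 25                      # ordinary repeated client traffic
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address space
MONITORS = {"10.0.0.5"}                               # assumed management stations
SWEEP_HOSTS = 20  # distinct destinations per source (illustrative threshold)
SCAN_PORTS = 15   # distinct ports on one destination (illustrative threshold)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flows):
    """Return {source: (pattern, verdict)} for sources that look like reconnaissance."""
    dests = defaultdict(set)   # source -> distinct destination addresses
    ports = defaultdict(set)   # (source, destination) -> distinct ports
    for src, dst, port in flows:
        dests[src].add(dst)
        ports[(src, dst)].add(port)
    findings = {}
    for src, seen in dests.items():
        if len(seen) >= SWEEP_HOSTS:
            findings[src] = "address sweep"
    for (src, _dst), seen in ports.items():
        if len(seen) >= SCAN_PORTS:
            findings[src] = "port scan"
    result = {}
    for src, pattern in findings.items():
        if src in MONITORS:
            verdict = "expected monitoring"        # known management station
        elif is_internal(src):
            verdict = "review: internal, unlisted"
        else:
            verdict = "alert: external"
        result[src] = (pattern, verdict)
    return result

if __name__ == "__main__":
    for src, (pattern, verdict) in sorted(classify(FLOWS).items()):
        print(f"{src:15} {pattern:14} {verdict}")
```

Counting distinct destinations and distinct ports, rather than raw packet volume, is what keeps the busy but ordinary client at 192.0.2.44 out of the findings.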