• An internal host has attempted contact with a large number of internal IP addresses on a small number of ports

Possible Root Causes

  • An infected internal system that is part of a targeted attack is contacting a large number of internal IP addresses on a small number of ports to find systems which are running particular software that may be vulnerable to an attack
  • An IT-run vulnerability scanner or asset discovery system is mapping out system services in your network
  • A host with an unusual discovery mechanism is looking for a service on its local subnet
  • Alarm equipment or IP cameras are performing large-scale scans due to misconfiguration or firmware bugs

Business Impact

  • Reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters

Steps to Verify

  1. Check to see if the detected host is authorized to perform port sweeps
  2. Look at the pattern of ports being scanned to determine the intent of the scan
  3. If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further