Outbound Port Sweep

View all detections
Outbound Port Sweep

Triggers

  • An internal host is generating many more unsuccessful attempts to connect to external services than successful ones
  • The threat score is driven by the breadth of IP addresses scanned and the pace at which the scan occurs
  • The certainty score is driven by the failure rate of outbound connection attempts

Possible Root Causes

  • An internal host is part of a botnet and is being used by its bot herder to find other external services that could subsequently be attacked
  • An internal host is misconfigured and is making many connection attempts to different IP addresses on the Internet

Business Impact

  • Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on black lists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
  • A misconfigured internal host may be using unnecessary bandwidth and slowing down both the host itself and other applications as a result of the traffic it is sending

Steps to Investigate

  • Look at the pattern of IP addresses being scanned to determine the intent of the scan
  • Verify whether there is misconfigured software on the host which is causing the scan
  • If the behavior cannot be explained by user action or known software behavior, the host is likely infected and should be remediated