Port Scans and Ping Sweeps
A ping sweep is a process in which a computer user runs a software utility to see how many computers are online within an IP address range (Wikipedia, 2013). The ping utility is useful for troubleshooting when there are known network connectivity issues. A system administrator can issue the ping command followed by a single IP address, which sends out an ICMP Echo packet. The target computer will reply to the ICMP packet to indicate that the device is online and accepting ICMP packets. If there is no response, either the target computer is offline or a firewall is blocking ICMP packets from being processed.
In larger networks, you can use a utility like fping, gping, or SolarWinds' Ping Sweep to scan a range of IP addresses to see which hosts are online or offline (Wikipedia, 2013) (SolarWinds). This process is pertinent to a network administration position, where the network or systems administrator needs to identify which hosts are online to perform routine maintenance or to check the security of the internal network. However, there is a dark side to ping sweeps. Hackers can use them to identify targets on the internet, utilizing the same software that network or systems administrators use for troubleshooting or security purposes.
Ping sweeps are generally the first part of a network access attack. The hacker runs a ping sweep to see which hosts are currently online and generates a list of those hosts. This phase is considered the first part of a reconnaissance attack, which can lead to an access attack or a denial attack. The next part is a port sweep. A port sweep is the process in which a computer user runs a software utility to see which ports are open on a computer system (Conklin, White, Williams, Davis, & Cothren, 2010). For example, a tool that a network or systems administrator would use to audit the security of their computers and network is Nmap. Nmap is free and open source. It can determine operating systems, OS versions, services and dozens of other characteristics of a computer (Lyon).
By determining which ports are open, the user can tell which services are running. For a network or systems administrator, this data is valuable for security purposes. By knowing which ports are open or closed, they can determine whether there are any vulnerabilities, such as back doors or known exploits for a particular service, or whether any unnecessary software is running that could pose a security risk. For a hacker, knowing which ports are open can lead to further investigation, such as what services a particular host is running, what operating system is on the host, and potentially any kind of back door that could be open for them to exploit (Conklin, White, Williams, Davis, & Cothren, 2010). This process is the second part of the reconnaissance attack.
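Both reconnaissance phases leave a recognizable pattern in firewall logs: a ping sweep is one source sending ICMP echo requests to many destinations, and a port sweep is one source trying many ports on one host. The following detector is an added example, not part of the original essay; the log format, the 60-second window and the threshold of 5 are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (assumed fields: epoch-seconds src dst proto detail).
# detail is the ICMP type on icmp lines and the destination port on tcp lines.
SAMPLE_LOG = """\
100 203.0.113.7 192.0.2.1 icmp 8
101 203.0.113.7 192.0.2.2 icmp 8
102 203.0.113.7 192.0.2.3 icmp 8
103 203.0.113.7 192.0.2.4 icmp 8
104 203.0.113.7 192.0.2.5 icmp 8
110 198.51.100.9 192.0.2.10 icmp 8
200 203.0.113.7 192.0.2.3 tcp 21
201 203.0.113.7 192.0.2.3 tcp 22
202 203.0.113.7 192.0.2.3 tcp 23
203 203.0.113.7 192.0.2.3 tcp 80
204 203.0.113.7 192.0.2.3 tcp 443
300 198.51.100.9 192.0.2.10 tcp 443
900 198.51.100.9 192.0.2.10 tcp 443
"""

def max_distinct_in_window(events, window):
    """Largest number of distinct values seen within any `window` seconds."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in events[start:end + 1]}))
    return best

def detect_recon(log_text, window=60, threshold=5):
    """Return (ping sweep sources, (source, target) pairs showing a port sweep)."""
    pings = defaultdict(list)   # src -> [(ts, dst)] for ICMP echo requests
    probes = defaultdict(list)  # (src, dst) -> [(ts, port)] for TCP attempts
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, dst, proto, detail = fields
        if proto == "icmp" and detail == "8":  # ICMP type 8 = echo request
            pings[src].append((float(ts), dst))
        elif proto == "tcp":
            probes[(src, dst)].append((float(ts), int(detail)))
    sweepers = sorted(s for s, ev in pings.items()
                      if max_distinct_in_window(ev, window) >= threshold)
    scanners = sorted(k for k, ev in probes.items()
                      if max_distinct_in_window(ev, window) >= threshold)
    return sweepers, scanners

if __name__ == "__main__":
    print(detect_recon(SAMPLE_LOG))
```

The host that repeatedly connects to a single port on a single server is not flagged, which is the difference between ordinary client traffic and a sweep.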
With the information gained from a basic reconnaissance attack, a hacker can decide what their next attack will be. That attack can be an access attack or a denial attack. An access attack is where the hacker attempts to gain access to the network or systems through exploits, brute force or other hacks. A denial attack is where the hacker pools as many resources as possible to shut down the service or resources being served by the target host. The most common type of denial attack is a denial of service or distributed denial of service attack, where many computers or hosts try to access a single host's service resources, such as a website or server. When too many connections are made, the host becomes overloaded, which can take down the resource for a period of time (Wikipedia, 2014).
Should we be aware of ping sweeps and port scans? The answer is yes. The same tools that system administrators use to ensure the network is running correctly and securely can be used by hackers for nefarious reasons. As long as security protocols are followed, computer software updates and operating system and software patches are installed, and a proper firewall is in place, the risk of being the target of a ping sweep and port scan by an outside or inside source can be reduced.
Should we worry about a ping sweep or port scan? Yes and no. The answer is both yes and no because ping sweeps and port scans happen all of the time on the internet. It is an inherent risk that all computer networks are exposed to. As long as you follow good security practices, the risk of being a target of a ping sweep and port scan can be very low. However, if a hacker is determined to gain access, they will do everything in their power to do so. But if we are proactive, we can take the necessary steps to prevent any major issues from happening.
The best thing we can do to help reduce the risk of being a target is to ensure that the edge of the network that is connected to the internet blocks ICMP ping packets. This will ensure that whoever is scanning a large number of IP addresses will pass over our network, because the scan detects that the host or hosts are not responding to pings or are offline. The next step is to ensure that any externally accessible resources such as web, email, file, database, or other servers are segmented into a DMZ with proper firewall rules that allow only specific services on the appropriate ports and block any ports that can be used to gain internal access. In addition to the servers being on a separate network, the software installed on the servers should be running the latest software updates and patches, and the servers should have a firewall installed to prevent unauthorized access from either internal or external networks.
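The edge policy described above can be checked mechanically before a ruleset is deployed. The following audit is an added example, not part of the original essay; the rule format, the zone names and both rulesets are constructed assumptions, with first-match-wins evaluation as most packet filters use.

```python
# Constructed rulesets (assumed format): (action, dst_zone, proto, port).
# "any" and None are wildcards; rules are evaluated top-down, first match wins.
WEAK_EDGE = [
    ("allow", "dmz", "any", None),             # whole DMZ reachable, ping included
    ("allow", "internal", "icmp-echo", None),  # internal hosts answer ping sweeps
    ("drop", "any", "any", None),
]
HARDENED_EDGE = [
    ("drop", "any", "icmp-echo", None),  # edge stays silent to ping sweeps
    ("allow", "dmz", "tcp", 443),        # published web service
    ("allow", "dmz", "tcp", 25),         # published mail service
    ("drop", "any", "any", None),        # default deny, covers the internal zone
]

def decide(rules, zone, proto, port=None):
    """Return the action of the first rule matching an inbound packet."""
    for action, r_zone, r_proto, r_port in rules:
        if (r_zone in ("any", zone) and r_proto in ("any", proto)
                and r_port in (None, port)):
            return action
    return "drop"  # nothing matched: treat as implicit deny

def audit(rules, published, probe_ports=(22, 25, 80, 443, 3306, 3389)):
    """List every way the ruleset departs from the policy in the text."""
    findings = []
    for zone in ("dmz", "internal"):
        if decide(rules, zone, "icmp-echo") != "drop":
            findings.append(f"{zone}: answers ICMP echo from the internet")
        for port in probe_ports:
            expected = "allow" if zone == "dmz" and port in published else "drop"
            if decide(rules, zone, "tcp", port) != expected:
                findings.append(f"{zone}: tcp/{port} should be {expected}")
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_EDGE), ("hardened", HARDENED_EDGE)):
        print(name, audit(rules, published={25, 443}))
```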
The final step is to ensure that all internal hosts are virus free and have firewalls that can block any traffic that shouldn't be running, such as worms, viruses or even botnet zombie software. This last step is crucial, as it makes sure that internal hosts won't cause a problem by infecting other hosts inside or outside the corporate network. With a basic understanding of what ping sweeps and port scans are, we can help ensure that the network and computer resources aren't compromised by outside or inside attackers.
Bibliography
Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2010). Principles of Computer Security CompTIA Security+ and Beyond 2nd edition. New York: McGraw Hill.
Lyon, G. (n.d.). Free Security Scanner For Network Exploration & Security Audits. Retrieved from Nmap.org: http://nmap.org/
SolarWinds. (n.d.). Engineer’s Toolset (Ping Sweep). Retrieved from SolarWinds: http://www.solarwinds.com/engineers-toolset/ping-sweep.aspx#gotabs
Wikipedia. (2013, November 10). Ping Sweep. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Ping_sweep
Wikipedia. (2014, July 10). Denial of Service Attack. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Denial-of-service_attack