
Every device connected to the Internet is being scanned right now. Not occasionally. Constantly. Automated scanners probe the entire IPv4 address space in under an hour, checking which services are exposed, which ports respond, which systems might be vulnerable.

Port scanning is network reconnaissance—systematically probing a target's ports to discover what's running and accessible. It's the first thing attackers do when targeting a system, and it's the first thing security professionals do when auditing one. The technique is neutral; the intent determines whether it's an attack or a defense.

What Port Scanning Reveals

When you scan a port, you send packets and analyze what comes back. Each port exists in one of three states:

  • Open: A service is listening and accepting connections
  • Closed: The port is accessible but nothing is listening
  • Filtered: A firewall or security device is blocking the probe

An open port on 443 means a web server is running HTTPS. An open port on 22 means SSH access is available. An open port on 3389 means Remote Desktop is exposed. Each open port is information—and each piece of information shapes what an attacker tries next.

Scans can target a single port, a range, or all 65,535 possible ports. The scope depends on the goal: a quick check of common services, or a comprehensive map of everything exposed.

TCP Connect Scan

The most straightforward technique. The scanner attempts a complete TCP three-way handshake with each port: send SYN, receive SYN-ACK, reply with ACK.

If the handshake completes, the port is open. If the target sends RST (reset), the port is closed. Simple and accurate.

The cost is visibility. Every completed connection appears in the target's logs. System administrators see entries for connections that were established and then torn down immediately. Intrusion detection systems flag the pattern. TCP connect scans are reliable but loud.

This is the default scan type when the scanner lacks raw packet privileges, since it uses the operating system's standard networking functions.

SYN Scan (Half-Open Scan)

The most popular technique because it balances speed, accuracy, and discretion.

A SYN scan sends the initial SYN packet and waits for a response. If the target replies with SYN-ACK, the port is open—but instead of completing the handshake, the scanner immediately sends RST to abort the connection.

Because no connection is ever completed, many systems never log the probe. The scan is also faster, since it skips the overhead of establishing and properly closing each connection. Thousands of ports can be probed in seconds.

The tradeoff: SYN scanning requires raw packet privileges. The scanner needs administrative access to craft custom packets rather than using the operating system's networking stack.

Modern intrusion detection systems have adapted to catch half-open connection patterns, but SYN scans remain harder to detect than full TCP connects.

UDP Scan

UDP scanning is harder because UDP doesn't have a handshake. There's nothing to complete or reject.

The scanner sends a UDP packet and waits. Three things might happen:

  1. The service responds with data—the port is open
  2. The system responds with ICMP "port unreachable"—the port is closed
  3. Silence

Silence is the problem. It could mean the port is open but the service didn't recognize the packet format. It could mean a firewall is filtering the port. It could mean the ICMP response was rate-limited or blocked. The scanner can't tell the difference.

UDP scans are slow. Each unresponsive port requires waiting for a timeout. Rate limiting on ICMP responses slows things further. Scanning all UDP ports on a single host can take hours.
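The three port states, the TCP connect scan and the UDP "silence is ambiguous" problem above, as an added example (not code from the page or from Nmap): a Python probe that classifies a TCP port as open/closed/filtered from the handshake result and a UDP port as open, closed, or open|filtered from the reply. The demo() targets are constructed on 127.0.0.1 so the example runs without network access; the TIMEOUT value is an assumption, not a recommended setting.

```python
import socket

TIMEOUT = 1.0   # seconds to wait for an answer; real scanners tune this per target

def tcp_connect_probe(host, port, timeout=TIMEOUT):
    """Full three-way handshake through the OS stack (what nmap -sT does).
    Returns 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN, SYN-ACK, ACK all completed
            return "open"                    # this connection is now in the target's logs
        except ConnectionRefusedError:
            return "closed"                  # the target answered the SYN with RST
        except OSError:                      # timeout or ICMP unreachable: nothing useful came back
            return "filtered"

def udp_probe(host, port, payload=b"\x00", timeout=TIMEOUT):
    """One datagram, then classify the reply (the logic behind nmap -sU). Silence is
    ambiguous, so it is reported as 'open|filtered' rather than guessed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))              # 'connected' UDP socket so ICMP errors surface
        try:
            s.send(payload)
            s.recv(1024)
            return "open"                    # the service answered with data
        except ConnectionRefusedError:
            return "closed"                  # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"           # no reply: open but quiet, or dropped by a filter

def demo():
    """Constructed local targets on 127.0.0.1 (an ephemeral TCP listener and a UDP
    socket that never replies), so the example runs with no network access."""
    out = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        out["tcp_listening"] = tcp_connect_probe("127.0.0.1", port)
    out["tcp_after_close"] = tcp_connect_probe("127.0.0.1", port)   # listener gone: RST
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as quiet:
        quiet.bind(("127.0.0.1", 0))
        out["udp_silent"] = udp_probe("127.0.0.1", quiet.getsockname()[1], timeout=0.3)
    return out

if __name__ == "__main__":
    print(demo())
```

Note that udp_probe sends a single null byte; a service that only answers well-formed requests will stay silent and land in the open|filtered bucket, which is exactly the ambiguity the section describes.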

Nmap

Nmap (Network Mapper) is the standard tool. Released in 1997, it's used by penetration testers, system administrators, and attackers alike.

A SYN scan of common ports: nmap -sS 192.168.1.1

UDP scan of DNS and SNMP ports: nmap -sU -p 53,161 192.168.1.1

Beyond port states, Nmap detects service versions (what software is running), fingerprints operating systems, and runs scripts for vulnerability detection. It shows you your network the way an attacker sees it.

Legitimate Uses

Security teams scan their own infrastructure to find exposed services before attackers do. System administrators verify that services are listening on expected ports and that firewall rules work correctly. Compliance audits—PCI DSS, for example—require regular scanning to confirm payment systems aren't exposing unnecessary services.

The principle: scan yourself before someone else does.

How Attackers Use Scanning

Reconnaissance precedes exploitation. Before attempting to break into a system, attackers need to know what's exposed.

The typical pattern: broad scans identify live hosts, then detailed scans map each target's attack surface. An SSH server might be vulnerable to brute-force attacks. An older web server might have known exploits. An exposed database port suggests misconfiguration.

Sophisticated attackers scan slowly, spreading probes over hours or days across multiple source addresses. They use techniques like packet fragmentation and decoy hosts to evade detection. The goal is mapping the target without triggering alerts.

Detection and Defense

Intrusion detection systems watch for scan signatures: sequential port probes, floods of connections from single sources, half-open TCP connections, unusual flag combinations.

SIEM platforms aggregate logs across systems to catch distributed scans that no single host would notice—a slow scan touching every server in your network over several days.
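The two detection ideas above, the IDS signature of sequential port probes from one source and the SIEM-level correlation that catches a slow scan spread across hosts, as an added example (not code from the page): Python detection logic run over constructed firewall-style log lines. The log format, the RFC 5737 documentation addresses, and the window and threshold values are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall-style log lines (documentation addresses only), not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 fw DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=21 SYN
2024-03-01T10:00:00 fw DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22 SYN
2024-03-01T10:00:01 fw DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23 SYN
2024-03-01T10:00:02 fw DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=25 SYN
2024-03-01T10:00:03 fw DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
2024-03-01T10:05:00 fw ACCEPT SRC=198.51.100.2 DST=10.0.0.5 PROTO=TCP DPT=443 SYN
2024-03-01T12:00:00 fw DROP SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP DPT=22 SYN
2024-03-02T03:00:00 fw DROP SRC=192.0.2.9 DST=10.0.0.2 PROTO=TCP DPT=22 SYN
2024-03-02T19:00:00 fw DROP SRC=192.0.2.9 DST=10.0.0.3 PROTO=TCP DPT=22 SYN
2024-03-04T02:00:00 fw DROP SRC=192.0.2.9 DST=10.0.0.4 PROTO=TCP DPT=22 SYN
"""

LINE = re.compile(r"^(\S+) \S+ \S+ SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")

def parse(log):
    """Yield (timestamp, src, dst, dport) for every line matching the assumed format."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def vertical_scans(events, window_s=10, min_ports=5):
    """Flag (src, dst) pairs where one source probed >= min_ports distinct ports on one
    host within a sliding window of window_s seconds: the classic per-host IDS signature."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = set()
    for pair, probes in by_pair.items():
        probes.sort()
        recent = deque()                       # probes still inside the window
        for ts, port in probes:
            recent.append((ts, port))
            while (ts - recent[0][0]).total_seconds() > window_s:
                recent.popleft()
            if len({p for _, p in recent}) >= min_ports:
                alerts.add(pair)
    return alerts

def horizontal_scans(events, min_hosts=4):
    """Flag sources that touched >= min_hosts distinct hosts anywhere in the log: the slow
    sweep that no single host sees but correlation across the whole network does."""
    hosts = defaultdict(set)
    for _, src, dst, _ in events:
        hosts[src].add(dst)
    return {src for src, dsts in hosts.items() if len(dsts) >= min_hosts}
```

Run over the sample, the fast scanner is caught only by vertical_scans and the three-day sweep only by horizontal_scans; the ordinary HTTPS client trips neither.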

Defensive layers:

  • Network segmentation limits what external scanners can reach
  • Firewall rules close ports that don't need public access
  • Rate limiting slows aggressive scans and triggers alerts
  • Port knocking keeps services hidden until a specific connection sequence unlocks them
  • Honeypots—decoy systems with no legitimate purpose—provide high-confidence detection when they receive any traffic at all

The most important defense is knowing your own attack surface. Regular authorized scanning reveals what you're exposing. Close unnecessary ports. Fix misconfigurations. See yourself the way attackers see you.
