Batten Down Those Ports
October 28, 2003
By Brett Glass
With worms such as Blaster prowling the Net, every user ought to know the ways a computer may be exposed to attacks. One of the simplest but most vital tests you can do to determine potential vulnerabilities is to find out which ports your PC has open to the outside world.
Computers that speak TCP/IP obtain services from one another via handles known as ports. Many ports are preassigned to specific network services, such as HTTP (port 80) and FTP (port 21); these are called well-known ports. There are two kinds of ports: TCP ports and UDP ports.
TCP ports are used by the Transmission Control Protocol, which allows a server to conduct a conversation, or session, with another machine. When your computer wants to request a page from a Web server, it sends a packet to that machine indicating that it wants to talk to TCP port 80 (the well-known port through which most Web servers deliver pages). The server, seeing that you've asked for port 80, connects your computer to the Web server program, which—of the many programs running on the machine—is the one that specializes in delivering Web pages. The conversation between the machines may be brief or may continue indefinitely.
UDP ports are used by the User Datagram Protocol, which lets machines send short messages to one another. Unlike TCP, UDP does not establish an ongoing conversation; each message stands alone.
If a program on your computer has asked to field requests that come in via a particular port, it is said to be listening on the port. A program that does this is called a daemon in Unix or a service in Windows-speak.
Unfortunately, any program that listens on a port represents a potential liability. If the program isn't equipped to recognize when too many requests come in at once—and reject at least some of them—it may tie up the entire machine trying to service them all. This is one form of denial-of-service (DoS) attack. And if the program has a bug that allows an intruder to overwrite memory (a buffer overflow), it may allow the system to be taken over completely. Also, Trojan horse programs frequently reveal themselves because they listen on specific ports.
In general, the fewer the ports on which your computer is listening, the less likely it is to be susceptible to certain types of attacks. So be sure to shut down as many unused services as possible—especially those involved with Windows file sharing, instant-messaging services, and so forth.
One way to see which ports are open on your machine is to use computer pundit Steve Gibson's utility ShieldsUP!, which you can find at http://grc.com. It provides a graphical representation of all of the ports on your machine, showing which ones appear to be open.
Another way (which may work better if your ISP or company has a firewall) is to open a command window and type netstat -an. In the resulting listing, the ports you care about are the ones on which your computer is listening. If the open ports are listed at www.iana.org/assignments/port-numbers, and you know that your computer is providing the services that normally use those ports, fine. But if not, or if other ports are open, be suspicious. Check lists of ports that Trojan horses use, such as the one at www.robertgraham.com/pubs/firewall-seen.html, to see whether any open ports are associated with malware.
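As an added example (not part of the original article), the following Python script automates the netstat -an check just described: it parses constructed sample output in the Windows netstat format, keeps only the ports the machine is actually listening on, and flags any that are not on an allow-list of services you know the machine provides. The sample output and the allow-list are constructed for illustration; the allow-list is a placeholder for your own machine's expected services.

```python
"""Parse `netstat -an` output and flag listening ports that are not on an
allow-list of services the machine is known to provide."""
import re

# Constructed sample of Windows-style `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1055       64.233.161.99:80       ESTABLISHED
  TCP    127.0.0.1:31337        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Hypothetical allow-list: this machine is only meant to serve a web site.
EXPECTED_TCP = {80}
EXPECTED_UDP = set()

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_ports(netstat_output):
    """Return (tcp_ports, udp_ports) on which the machine accepts input.

    Only TCP sockets in the LISTENING state count; ESTABLISHED lines are
    outbound sessions or already-accepted connections, not new exposure.
    UDP has no connection state, so every bound UDP socket is listed.
    """
    tcp, udp = set(), set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip the title, column header and blank lines
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            tcp.add(int(port))
        elif proto == "UDP":
            udp.add(int(port))
    return tcp, udp

def unexpected_ports(netstat_output, expected_tcp=EXPECTED_TCP, expected_udp=EXPECTED_UDP):
    """Listening ports missing from the allow-list, as sorted (proto, port) pairs."""
    tcp, udp = listening_ports(netstat_output)
    flagged = [("TCP", p) for p in sorted(tcp - expected_tcp)]
    flagged += [("UDP", p) for p in sorted(udp - expected_udp)]
    return flagged

if __name__ == "__main__":
    for proto, port in unexpected_ports(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port} - check IANA and Trojan port lists")
```

Each flagged port is one to look up against the IANA assignments and the Trojan port lists mentioned above, then either shut down the service or add it to the allow-list once you have confirmed it is legitimate.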
One good way to protect yourself from exploitation is to install a personal firewall program, such as Intuit's Norton Internet Security or Zone Labs' ZoneAlarm Pro. Such programs don't just guard against incoming attacks; they can also be set to alert you whenever a program on your machine tries to connect to another one on the Internet. Most of the time, the attempt will be legitimate, and you can bless the program so that alerts don't recur. But a warning will sometimes betray a rogue program that's gotten loose on your machine. In all cases, blocking all ports except those you need open (and perhaps setting the firewall to require operator approval before they're used) is a prudent security strategy.
PCMag
Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.
Posted on Thursday, 09 October 2003 @ 05:10:00 EDT by phoenix22