TCP Sweep: What is causing it?

If you run a reseller web hosting company, you'll often receive an email from your upstream provider reporting security violations. If you do not correct the problem promptly, your upstream provider may block inbound and outbound traffic from the affected server.

What is a TCP Sweep?

A TCP sweep, also known as a port scan or port sweep, is a network reconnaissance technique used by attackers to discover open ports on a target system. It involves scanning a range of TCP ports on a target host to identify which ports are actively accepting connections. The purpose of a TCP sweep is to gather information about the services running on the target system and potentially identify vulnerabilities.

Today, we received a security report from Savvis indicating that one of our Windows 2003 servers is sweeping TCP port 445. This obviously violates their "Acceptable Use Policy". Here is a snippet of their log entry.

22:11:55 [IP ADDRESS HIDDEN] 0.0.0.0 [TCP-SWEEP]
(total=24,dp=445,min=32.42.39.128,max=32.42.39.174,Jun01-03:20:30,Jun01-03:20:30) (MOW-Ams01)

A TCP sweep is a scan of a single TCP port, in this case port 445, across a range of hosts; the log entry records 24 connection attempts to port 445 on destinations between 32.42.39.128 and 32.42.39.174. Since our client knows nothing about the TCP sweep, chances are the server is running malicious code. Either the machine is compromised, or someone unknowingly installed malicious third-party software. Regardless, the server is running unwanted software that attacks other servers.

The best way to resolve this issue is to rebuild the OS and restore the system to a healthy state. It is a good idea to look at the software installed on the system, determine the root cause of the compromise, and prevent it from happening again.

How does TCP Sweep work?

Here's how a TCP sweep generally works:

1. Port Scanning

The attacker sends TCP connection requests (SYN packets) to a range of TCP ports on the target system. The goal is to identify which ports are open and actively accepting connections.

2. Response Analysis

Based on the responses received, the attacker can determine whether a port is open, closed, or filtered. Common responses include:

  • Open Port: The target system responds with a SYN-ACK, indicating that the port is open.
  • Closed Port: The target system responds with an RST (reset) or an ICMP Port Unreachable message, indicating that the port is closed.
  • Filtered Port: The target system does not respond, suggesting that the port is potentially protected by a firewall.

3. Enumeration

Once open ports are identified, further enumeration may be performed to gather information about the specific services running on those ports, such as version numbers and banner information.
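As an added example (not part of the original post or the provider's tooling), the Python detector below applies the one-source-to-many-hosts pattern behind the [TCP-SWEEP] report above to a constructed set of outbound connection-log lines and renders any hit in the same total/dp/min/max style. The log format, the RFC 5737 test addresses and the threshold and window values are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the post): "<ISO time> <src> <dst> <dport> <flags>".
# 192.0.2.10 sends SYNs to port 445 on twelve different hosts within seconds,
# which is the one-source-to-many-hosts pattern behind a [TCP-SWEEP] report.
SAMPLE_LOG = [f"2024-06-01T03:20:{30 + i:02d} 192.0.2.10 203.0.113.{20 + i} 445 S"
              for i in range(12)] + [
    "2024-06-01T03:20:31 192.0.2.11 203.0.113.50 443 S",   # normal HTTPS client
    "2024-06-01T03:20:32 192.0.2.11 203.0.113.50 443 SA",  # a reply, not a probe
    "2024-06-01T03:20:33 192.0.2.12 203.0.113.60 445 S",   # three SMB peers only,
    "2024-06-01T03:20:34 192.0.2.12 203.0.113.61 445 S",   # below the threshold
    "2024-06-01T03:20:35 192.0.2.12 203.0.113.62 445 S",
]

def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, ipaddress.ip_address(dst), int(dport), flags

def detect_sweeps(lines, threshold=10, window=60):
    """Flag a source that SYNs the same port on >= threshold distinct hosts
    within `window` seconds (sliding window over time-ordered probes)."""
    probes = defaultdict(list)                  # (src, dport) -> [(time, dst)]
    for line in lines:
        ts, src, dst, dport, flags = parse_line(line)
        if flags == "S":                        # only initial SYNs count as probes
            probes[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), hits in probes.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            span = hits[start:end + 1]
            targets = {dst for _, dst in span}
            if len(targets) >= threshold and (best is None or len(span) > best["total"]):
                best = {"src": src, "dport": dport, "total": len(span),
                        "min": min(targets), "max": max(targets),
                        "first": span[0][0], "last": span[-1][0]}
        if best:
            alerts.append(best)
    return alerts

def format_alert(a):
    """Render an alert in the style of the provider's [TCP-SWEEP] line."""
    return (f"{a['src']} [TCP-SWEEP] (total={a['total']},dp={a['dport']},min={a['min']},"
            f"max={a['max']},{a['first']:%b%d-%H:%M:%S},{a['last']:%b%d-%H:%M:%S})")
```

Running `print(format_alert(detect_sweeps(SAMPLE_LOG)[0]))` reports only 192.0.2.10; the three-host SMB client stays under the threshold, and the SYN-ACK reply is never counted as a probe.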

Causes of TCP Sweeps

1. Security Assessment

Security professionals often perform TCP sweeps as part of security assessments to identify potential vulnerabilities in a network. It helps organizations understand their exposure to external threats.

2. Malicious Activity

Attackers use TCP sweeps to identify potential targets for further exploitation. By discovering open ports and services, attackers can focus their efforts on known vulnerabilities associated with those services.

3. Network Troubleshooting

System administrators may use TCP sweeps for legitimate purposes, such as troubleshooting network connectivity issues. It helps in identifying which ports are accessible and can aid in diagnosing network problems.

4. Policy Compliance

Organizations may conduct periodic TCP sweeps to ensure that their networks comply with security policies. This helps in identifying and closing unnecessary or unauthorized open ports.

Conclusion

While TCP sweeps can be used for legitimate purposes, they are also a common technique employed by attackers to gather intelligence before launching more targeted attacks. Organizations should monitor for unusual scanning activity and implement security measures to protect against unauthorized port scans.
