Identifying Scan Ports

TC uses the signaLtype attribute to identify scan ports. Functional ports can be identified as scan ports, by assigning this attribute using the set.signaLtype command. TC creates scan ports automatically if no functional ports are identified with the signaLtype attribute. In the muxed flip-flop scan style, where normal clock is used as test clock, one must not associate a signaLtype attribute, testjclock with the clock port. 

---

The lefthand side of Figure 18 shows the activity due to Slammer on UDP port 1434. The right hand side of Figure 18 shows activity on UDP port 1434 in the hours immediately preceding the outbreak of the worm. Note the differences in scale. The precursor traffic is lost in the baseline of the Slammer Attack. Our analysis focused on hours 6, 7, 8, 13, and 14. We identified three primary sources of the activity, all from sources that were known as adversaries by the analyst. All 3 used a fixed pattern of scanning. We identified four machines that responded to the initial probing. Two of the responders were subsequently compromised. 

In order to identify the classes of vulnerabbities a scanner will operate on a host or over a cluster of computers by scanning services and ports. The above mentioned classes were established by analyzing lists from CVE, OSVDB, NVD, andCWE, to mention only a few vulnerability databases. A valuable project is described in (Schumacher et al. 2000) in order to provide a free and complete access to security related information stored in a high quality vulnerability data base useful for various purposes by data mining techniques. 

---