The Nexthink solution identifies a set of connections as a network or port scan when the following conditions are met:
A single process starts all the connections.
There are 90 seconds or less between each connection.
The set of connections contains at least 50 connections.
The set of connections only contains failed connections.
The reason to include the last condition is that a scan operation does not usually complete the vast majority of its connection attempts: because a scan tests every port or destination, the system rejects most of the connections. How this last condition is expressed depends on the transport protocol of the connection. In the case of TCP, the status of the connection directly shows whether the connection failed or not. In the case of UDP, however, there is no clear connection status. Therefore, Nexthink suspects a UDP scan when many small UDP packets are sent in a short period of time:
All connections in the set are unsuccessful.
The size of each packet sent is less than 10 KB.
The total duration of the whole scan is less than 15 minutes.
To summarize, this is the list of all the types of network and port scans that you can find:
TCP network scan
A process launches a burst of unsuccessful TCP connections to the same port of at least 50 destinations.
UDP network scan
A process sends a burst of small UDP datagrams to the same port of at least 50 destinations within 15 minutes.
TCP port scan
A process launches a burst of unsuccessful TCP connections to at least 50 ports on the same destination.
UDP port scan
A process sends a burst of small UDP datagrams to at least 50 ports on the same destination within 15 minutes.
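As an added example (not Nexthink's code) of how the conditions above and the four resulting scan types can be evaluated over connection records, assuming a constructed record format and treating a UDP datagram with no observed reply as an unsuccessful connection:

```python
from collections import namedtuple
# ts: start time in seconds; failed: TCP status shows failure, for UDP assumed to mean "no reply seen"
Conn = namedtuple("Conn", "pid proto dst_ip dst_port ts failed bytes_sent")
MAX_GAP_S, MIN_CONNS = 90, 50                        # <= 90 s between connections, >= 50 of them
MAX_UDP_BYTES, MAX_UDP_SPAN_S = 10 * 1024, 15 * 60   # UDP only: datagram < 10 KB, scan < 15 min

def bursts(conns):
    """Split one process's connections into sets with at most 90 s between consecutive attempts."""
    groups, cur = [], []
    for c in sorted(conns, key=lambda c: c.ts):
        if cur and c.ts - cur[-1].ts > MAX_GAP_S:
            groups.append(cur)
            cur = []
        cur.append(c)
    return groups + [cur] if cur else groups

def classify_burst(burst):
    """Return the scan type for one burst, or None when the conditions are not met."""
    if len(burst) < MIN_CONNS or not all(c.failed for c in burst):
        return None
    proto = burst[0].proto
    if proto == "UDP" and (any(c.bytes_sent >= MAX_UDP_BYTES for c in burst)
                           or burst[-1].ts - burst[0].ts >= MAX_UDP_SPAN_S):
        return None
    ports, dests = {c.dst_port for c in burst}, {c.dst_ip for c in burst}
    if len(ports) == 1 and len(dests) >= MIN_CONNS:
        return proto + " network scan"   # one port, many destinations
    if len(dests) == 1 and len(ports) >= MIN_CONNS:
        return proto + " port scan"      # one destination, many ports
    return None

def detect_scans(conns):
    """Map each (pid, proto) pair to the scan types found among its connection bursts."""
    by_key = {}
    for c in conns:
        by_key.setdefault((c.pid, c.proto), []).append(c)
    found = {}
    for key, cs in by_key.items():
        kinds = [k for k in map(classify_burst, bursts(cs)) if k]
        if kinds:
            found[key] = kinds
    return found

# Constructed sample: pid 100 sweeps TCP/445 over 60 hosts, pid 200 probes 55 UDP ports on one host, pid 300 is normal HTTPS.
SAMPLE = (
    [Conn(100, "TCP", f"10.0.0.{i}", 445, 1000 + 2 * i, True, 60) for i in range(1, 61)]
    + [Conn(200, "UDP", "10.0.1.5", 1000 + p, 2000 + 5 * p, True, 30) for p in range(55)]
    + [Conn(300, "TCP", "10.0.2.9", 443, 3000 + 10 * i, False, 2000) for i in range(60)]
)
```

Running `detect_scans(SAMPLE)` flags the two scanning processes and leaves the successful HTTPS traffic of pid 300 unreported.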