September 19, 2022

Detecting Network Scans using NetFlow

Scanning the network leaves a clear network traffic footprint, one that is easy to spot by analysing NetFlow. Sounds interesting?

Piotr Kałuża

Solution Architect

Every well-prepared attack begins with reconnaissance of the victim. Whether it is a social engineering attack or a network attack, the reconnaissance phase is crucial for learning the victim's weaknesses and selecting the appropriate tools.

One of the most important stages of network reconnaissance is to scan the network for working devices, running services and existing vulnerabilities.

Fortunately, scanning the network leaves a clear network traffic footprint, one that is easy to spot by analysing NetFlow. When scanning the network, a very large number of connections fail. The reason is that few networks use all IP addresses within the available subnet. On the other hand, even if there is a host running at an IP address, it does not mean that all the services the attacker wants to detect are running on it. This is because many automatic scanners check the most popular services for both Linux and Microsoft Windows in a single scan.

Horizontal and vertical network scanning

Let's look at the two most popular types of network scan: the horizontal scan and the vertical scan.

Horizontal scanning is a very broad reconnaissance of the devices operating in the network. In this case, the attacker's device tries to establish connections to all hosts on the network. A lot of IP addresses are usually scanned, but only one or a few ports are scanned for each one. Any response to a sent request means that the scanned host is operational.

Vertical scanning works slightly differently. After initially establishing that a host is running, the attacker attempts to identify what services are running there and in what versions (known as fingerprinting). In this case, multiple requests are sent to a single IP address on different ports. Depending on the tool or scanning mechanism selected, it is possible to scan the 100 most popular ports, ports from 1-1024 or all ports from 1-65535.

Why is using NetFlow data a good way to detect network scanning?

NetFlow makes it possible to monitor the flow of data on the network. Its huge advantage is the transmission of information about every communication that occurred, whether it was an exchange of large amounts of data or the exchange of individual packets between parties. NetFlow records each flow direction separately and therefore also leaves a trail of unidirectional transmissions or, as in the case of network scanning, of failed connection attempts.

How does Sycope detect network scanning?

Sycope Security is a set of multiple rules used to detect volumetric and quality anomalies in network traffic. Among the nearly 60 detection methods are methods for detecting horizontal and vertical network scans. The idea behind them is to calculate the number of unique address and port pairs and the number of sessions established.

In the case of horizontal scanning, the mechanism detects connections or connection attempts originating from a single IP address that are established with many different devices.

Horizontal scan

For vertical scanning, connections or connection attempts between a pair of IP addresses are detected. An alarm is triggered if such connections are established on a large number of ports, more than is the case with normal communication.

Vertical scan

Using all these parameters and assigning them appropriate values in the detection methods means that for correct network traffic, where the client establishes valid sessions and exchanges data, the alert will not be triggered. On the other hand, if the communication contains patterns that deviate from the norm, the system will trigger an alert and inform the administrator of the event and its details.

Alert table

Importantly, the system administrator has the option of adapting the thresholds to his/her own network and requirements, as the parameters of the rule may differ from the default values, if only due to the size of the network.
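The counting idea described above can be sketched in a few lines of Python. This is an added example, not Sycope's rule implementation: the record layout, the threshold names and defaults, and the heuristic that an initiator-side flow without an ACK in its cumulative TCP flags is a failed attempt are all assumptions, and the flow records are constructed sample data.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits as carried in NetFlow's cumulative tcp_flags

def established(tcp_flags):
    """Assumed heuristic: an initiator-side flow with no ACK never completed a handshake."""
    return bool(tcp_flags & ACK)

def detect_scans(flows, min_hosts=20, min_ports=20, max_established_ratio=0.2):
    """flows: iterable of (src_ip, dst_ip, dst_port, tcp_flags) initiator-side records.
    Thresholds are hypothetical defaults to be tuned per network.
    Returns alerts as (kind, src_ip, dst_ip_or_None, unique_target_count)."""
    new_stats = lambda: {"targets": set(), "total": 0, "ok": 0}
    by_src, by_pair = defaultdict(new_stats), defaultdict(new_stats)
    for src, dst, dport, flags in flows:
        # Horizontal: unique hosts per source. Vertical: unique ports per IP pair.
        for stats, target in ((by_src[src], dst), (by_pair[(src, dst)], dport)):
            stats["targets"].add(target)
            stats["total"] += 1
            stats["ok"] += established(flags)
    alerts = []
    for src, s in by_src.items():
        if len(s["targets"]) >= min_hosts and s["ok"] / s["total"] <= max_established_ratio:
            alerts.append(("horizontal", src, None, len(s["targets"])))
    for (src, dst), s in by_pair.items():
        if len(s["targets"]) >= min_ports and s["ok"] / s["total"] <= max_established_ratio:
            alerts.append(("vertical", src, dst, len(s["targets"])))
    return alerts

def sample_flows():
    """Constructed sample records, not real traffic."""
    flows = []
    # 10.0.0.5 probes port 445 on 60 hosts; only 3 complete a session.
    for i in range(1, 61):
        flows.append(("10.0.0.5", f"192.0.2.{i}", 445, (SYN | ACK) if i <= 3 else SYN))
    # 10.0.0.9 probes ports 1-200 on one host; only 22 and 80 are open.
    for port in range(1, 201):
        flags = (SYN | ACK) if port in (22, 80) else SYN
        flows.append(("10.0.0.9", "192.0.2.10", port, flags))
    # 10.0.0.7 is a normal client: 30 successful HTTPS sessions to 5 servers.
    for i in range(30):
        flows.append(("10.0.0.7", f"198.51.100.{i % 5 + 1}", 443, SYN | ACK))
    return flows

if __name__ == "__main__":
    for alert in detect_scans(sample_flows()):
        print(alert)
```

The session ratio is what keeps a busy but legitimate client from alerting: it may reach many hosts, but its sessions are established.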

Summary

The way NetFlow works ensures that information about any traffic on the network is recorded and transmitted to the collector. In contrast, the correct interpretation of this data and the detection of anomalies is the task of the analysis modules.
