What Is Port Scanning?
Port scanning is the process of probing a host's network ports to discover which ones are open, closed, or filtered. It is a fundamental technique used by network administrators to audit their own infrastructure, by security researchers to assess attack surface, and by attackers to identify services they can target. Scan your own public IP with our port scanner to see what services you're exposing.
Common Port Scanning Techniques
| Technique | How It Works | Detectability | Speed |
|---|---|---|---|
| TCP Connect Scan | Completes the full 3-way TCP handshake - Logged by target | High - Appears in connection logs | Slow |
| SYN Scan (half-open) | Sends SYN, waits for SYN-ACK, sends RST without completing handshake | Medium - May not appear in app logs | Fast |
| UDP Scan | Sends UDP packets; closed ports return ICMP unreachable | Low | Very slow |
| FIN / XMAS / NULL Scan | Sends packets with unusual TCP flags to bypass some firewalls | Low | Slow |
| Idle Scan | Uses a third-party "zombie" host as a proxy; hides scanner's IP | Very Low | Very slow |
| Version Detection (-sV) | Probes open ports to identify service version and OS | High | Slow |
Well-Known Port Numbers
| Port | Protocol | Service |
|---|---|---|
| 21 | TCP | FTP - File Transfer Protocol |
| 22 | TCP | SSH - Secure Shell |
| 25 | TCP | SMTP - Outbound email |
| 53 | TCP/UDP | DNS - Domain Name System |
| 80 | TCP | HTTP - Web traffic |
| 443 | TCP | HTTPS - Encrypted web traffic |
| 3389 | TCP | RDP - Windows Remote Desktop |
| 5900 | TCP | VNC - Remote desktop |
| 8080 | TCP | HTTP alternate / proxy |
Protecting Against Unauthorized Port Scans
- Keep a firewall in front of your public IP that defaults to dropping all unsolicited inbound connections.
- Close or disable services you don't actively use - Every open port is a potential attack surface.
- Move SSH from port 22 to a high non-standard port - This won't stop a determined attacker but eliminates nearly all automated scanning noise.
- Use an IDS/IPS (Intrusion Detection/Prevention System) like Fail2Ban or Snort to detect and block scanning behavior.
- Regularly scan your own network with our port scanner or nmap to audit what is actually exposed. Also check for blacklist listings that indicate your IP has been flagged for suspicious activity.
Open, Closed, Filtered: Reading Scan Results
A scan classifies each port into one of three states, and the differences matter more than beginners expect.
| State | What the Target Sent Back | What It Means |
|---|---|---|
| Open | SYN-ACK (TCP) or a valid response (UDP) | A service is listening and reachable - This is attack surface |
| Closed | RST packet | The host is alive but nothing listens there - Reachable yet harmless |
| Filtered | Nothing, or an ICMP prohibition | A firewall dropped the probe - The scanner cannot tell what is behind it |
Why "filtered everywhere" is the goal
A host whose unused ports show closed is politely telling the internet it exists and exactly where nothing is running - Useful mapping data for an attacker. A host that drops unsolicited probes shows filtered on every port and gives away nothing, which is why default-drop is the standard firewall posture for anything internet-facing.
How to audit yourself, step by step
- Step 1: Find your public IP on the homepage, then run the port scanner against it from outside your network.
- Step 2: For each open port, identify the service - Your router's port-forwarding table and UPnP lease list are the usual sources.
- Step 3: Close anything you cannot name: delete the forwarding rule, disable UPnP entries you did not create, or stop the service.
- Step 4: For ports that must stay open, ensure the service behind them is current and authenticated - Exposure plus an outdated daemon is the actual breach recipe.
- Step 5: Re-scan after router firmware updates and new device installs; smart-home gear is notorious for quietly opening ports via UPnP.
Is Port Scanning Legal?
Scanning your own systems is unambiguously fine, and security researchers and internet-wide measurement projects scan continuously. Scanning systems you do not own occupies a grey zone: in most jurisdictions an unauthorised scan alone is rarely prosecuted - It sends ordinary packets and accesses nothing - But it can violate ISP terms of service, trigger abuse reports against your IP, and in some countries falls under computer-misuse statutes when paired with intent. The practical rules: scan only what you own or have written permission to test, and expect that anything you expose publicly is being scanned by strangers many times per day regardless.
What This Means for You
Being port-scanned is the internet's background weather, not a targeted attack - Your firewall logs will show probes within minutes of any address going online. The correct response is not alarm but hygiene: know your own open ports before strangers do, keep the count as close to zero as your needs allow, and treat every port you must open as a maintenance commitment. For a home user the most common surprises are remote-desktop and NAS ports forwarded years ago and forgotten - Exactly the services that automated scanners harvest at scale.
Frequently Asked Questions
Does being port scanned mean I am being hacked?
No. Scanning is reconnaissance, and most of it is untargeted - Automated crawlers sweep the entire IPv4 space continuously. It becomes a problem only if a scan finds an exposed, vulnerable service. If your unused ports are filtered and your open ones run patched software, scans are noise.
Can a port scan be traced back to the scanner?
Usually yes - TCP scans must reveal a real return address to receive responses, and your firewall logs it. Attackers therefore scan through compromised machines, proxies, or idle hosts. That is also why retaliating against a scanning IP is pointless: it is rarely the attacker's own machine.
Which ports should never be open to the internet?
As a rule: database ports (3306, 5432, 27017, 6379), Windows networking (135-139, 445), and remote desktop (3389) should never face the public internet - They are the most attacked services. Remote access should go through a VPN or at minimum key-authenticated SSH, not raw exposure.