How do we determine if a host is alive?

One important aspect of any network scanning process is to ensure that its desired assets are first of all active before performing any further actions such as port scanning or vulnerability assessment.
Written by Robert Tanase
Updated 2 years ago

This is why we have implemented the option to check if the host is alive before scanning.

As scanning every port of every single device from a network is a time-consuming process, there is no need to perform it on hosts that are down. The solution is to perform a separate check before the port scanning process begins on each target to filter only the hosts that have possible chances to have any open ports.

The check-alive mechanism offered by the platform is performed by using a customized version of Nmap's host discovery functionality. The mechanism works by sending different types of packets called probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device).

The types of probes and techniques used are:

    • ICMP echo request - sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately, many hosts and firewalls now block these packets. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. 
    • ICMP timestamp - sends an ICMP ping query that expects an ICMP reply code 14 - it is valuable when administrators specifically block echo request packets.
    • TCP SYN Ping - sends an empty TCP packet with the SYN flag set on the following ports: 22, 80, 113, 443, 1723, 3389, 8080.
    • TCP ACK Ping - similar to the one above, but it sends packets with ACK flags set expecting an RST packet. The probes are run on ports 21, 22, 23, 25, 110.
    • UDP Ping - which sends a UDP packet to ports 53, 113, 161, 40125 and works by expecting an ICMP port unreachable reply when the probe hits a closed port that will signify the target is alive. Many other types of ICMP errors, such as “Host/network unreachable” or “TTL exceeded” are indicative of a down or unreachable host. The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP.
    • Spoofed source port number technique on port 53 - is useful to bypass poorly configured firewalls that permit traffic based on the source port (for example port 53 is used by DNS and many administrators have fallen into the trap of simply allowing incoming traffic from those ports, noting that it is the port the DNS replies come instead of using more secure solutions such as application-level proxies or protocol-parsing firewall modules).

    All of the above checks will be performed whenever you enable the "Check if host is alive before scanning" options for TCP / UDP Port Scanner and Network Scanner or when enabling the "Include only alive targets" options when adding new targets.

    If the check alive phase returned that the host is alive, but your scans return the warning "No open ports" you can follow the recommendations in the scan result, or read more about it in this dedicated article.
    Did this answer your question?