How to Stop Port Scanning: Eliminate the Attack Surface Entirely
Port scanning is the first step in every attack. Firewalls and IDS can detect scans but can't prevent discovery. Network hiding makes port scanning find nothing.
Port scanning is the first step in nearly every cyberattack. Before an attacker can exploit a vulnerability, brute-force a login, or deploy ransomware, they need to find your infrastructure. Port scanning tools like Nmap, Masscan, and ZMap — and internet-wide scanners like Shodan and Censys — do this continuously, indexing billions of endpoints.
The standard defense against port scanning is detection: IDS/IPS systems alert when they see scan patterns, firewalls can rate-limit probes, and security teams investigate suspicious activity. But detection doesn't prevent discovery. By the time an alert fires, the attacker already knows what's running on your network.
What if port scanning found nothing at all?
Why Traditional Defenses Don't Work
Firewalls filter traffic to specific ports, but filtered ports still reveal information. A "connection refused" response tells the scanner a host exists. A "filtered" response tells the scanner a firewall is present. Both are information an attacker can use.
IDS/IPS detects scan patterns and can block scanning IPs. But sophisticated scanners use distributed, low-and-slow techniques that evade signature-based detection. And Shodan scans the entire internet continuously — your infrastructure is indexed whether you detect the scan or not.
Rate limiting slows down scanners but doesn't prevent discovery. A patient attacker (or an automated tool with time) will eventually map your infrastructure.
Honeypots and deception can mislead attackers, but they add complexity and still require the real infrastructure to exist somewhere.
All of these approaches share a fundamental limitation: they operate on infrastructure that has network presence. As long as your servers respond to any traffic (even with "access denied"), they're discoverable.
The Network Hiding Approach
Network hiding makes port scanning irrelevant by eliminating network presence entirely. Protected resources don't respond to any unauthorized traffic — not with "connection refused," not with "filtered," not with anything. The resource appears non-existent.
Here's what Nmap sees when scanning a network-hidden resource:
$ nmap -sS -sV -p- target.example.com
Starting Nmap 7.94
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.03 seconds
$ nmap -Pn -sS -sV -p- target.example.com
All 65535 scanned ports on target.example.com are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 1327.40 seconds
No ports found. No services identified. No version fingerprints. No information for the attacker to act on. The full 65,535-port scan returns nothing.
This isn't the same as firewall filtering. Filtered ports return ICMP "unreachable" responses or simply time out — both are detectable. Network-hidden resources produce zero response of any kind. To the scanner, the host doesn't exist.
How It Works
Network hiding uses Single Packet Authorization (SPA) to gate all network visibility behind cryptographic authentication:
- Default state: All ports closed. No services listening. No ICMP responses. Zero network presence.
- Authentication: An authorized user sends a cryptographic SPA packet proving their identity.
- Temporary access: The specific resource becomes visible only to that user, only for that session.
- Reversion: When the session ends, the resource returns to zero network presence.
The key is that the SPA listener itself is invisible. It doesn't respond to invalid packets. An attacker probing the SPA port gets the same response as probing any other port: nothing.
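The gating sequence above, as an added illustration (not QURL's own code or wire protocol): a toy SPA gateway that drops anything it cannot authenticate without replying, authorizes one source for one resource with a bounded session, and reverts when the TTL passes. The HMAC-SHA256 packet layout, the key table, the time window and the resource names are assumptions made for this example.

```python
import hashlib, hmac, json, os

# Constructed demo key table (client id -> shared secret); real keys come from
# the identity system, never from a literal in the code.
CLIENT_KEYS = {"alice": b"constructed-demo-secret-for-alice"}
WINDOW = 30        # seconds of clock skew tolerated on the packet timestamp
SESSION_TTL = 60   # seconds a resource stays visible after a valid SPA packet


def build_spa(client_id, key, resource, now, nonce=None):
    """Client side: the single authorization datagram, HMAC-SHA256 over the body."""
    body = json.dumps({"id": client_id, "ts": int(now), "res": resource,
                       "nonce": (nonce or os.urandom(8)).hex()},
                      sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


class Gateway:
    """Default-deny gate. verify() never answers; anything invalid is dropped."""

    def __init__(self):
        self.seen_nonces = {}   # nonce -> time after which it can be forgotten
        self.allow = {}         # (src_ip, resource) -> session expiry

    def verify(self, packet, src_ip, now):
        try:
            body, mac = packet.rsplit(b"|", 1)
            fields = json.loads(body)
            key = CLIENT_KEYS[fields["id"]]
            ts, nonce, res = int(fields["ts"]), str(fields["nonce"]), str(fields["res"])
        except (ValueError, KeyError, TypeError):
            return False                      # malformed or unknown client: drop silently
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return False                      # bad MAC: drop silently
        if abs(now - ts) > WINDOW:
            return False                      # stale or future-dated: drop silently
        # Replay protection: forget nonces the timestamp window already rejects,
        # then refuse any nonce seen before inside that window.
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if nonce in self.seen_nonces:
            return False
        self.seen_nonces[nonce] = ts + WINDOW + 1
        self.allow[(src_ip, res)] = now + SESSION_TTL   # temporary, per-source access
        return True

    def is_visible(self, src_ip, resource, now):
        """Packet-filter hook: a port exists only for a source with a live session."""
        return self.allow.get((src_ip, resource), 0) > now
```

In a real gateway, `is_visible` would be consulted by the packet filter for every inbound packet, and everything not authorized stays dropped.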
What This Means for Your Infrastructure
The resources most vulnerable to port scanning are the ones most valuable to attackers:
- Admin panels (Grafana, Jenkins, Kibana) — a login page tells attackers exactly what software you're running
- Database ports (3306, 5432, 27017) — even if access is restricted, discovery enables targeted exploitation
- SSH (port 22) — brute force attempts start the moment SSH is discovered
- API endpoints — enumeration reveals API structure and potential vulnerabilities
- Kubernetes API servers — discovery of the API endpoint is a prerequisite for cluster compromise
For each of these, the question is: should this be visible to the entire internet?
If the answer is no, network hiding eliminates the visibility that port scanning exploits. No visibility means no discovery. No discovery means no targeted attacks.
Getting Started
- Try the QURL Playground to see what invisible infrastructure looks like
- Sign up free for 500 QURLs/month
- Hide your first resource with a DNS change — it becomes invisible in minutes
Port scanning has been the first step in attacks for 25 years. It's time to make it find nothing.