I recently built a port scanner as part of learning more about network security. The project ended up being more interesting than I expected, mainly because of the security considerations around building a tool like this.
The Goal
Port scanners check which ports are open on a target system. They're useful for security audits, troubleshooting network issues, or verifying firewall configurations. I wanted to build one that was fast but also secure enough that it couldn't be abused.
Technical Implementation
The scanner uses Python with FastAPI for the backend and asyncio for handling multiple connections simultaneously. Sequential port scanning is slow—checking ports one at a time means waiting for each timeout. With asyncio, I can check 100 ports concurrently, which speeds things up significantly.
The tricky part was managing those concurrent connections. I used a semaphore to limit how many connections can run at once. This prevents overwhelming the target system and also keeps resource usage reasonable on the scanning side.
Security Considerations
The biggest concern with any network scanning tool is SSRF (Server-Side Request Forgery). Without proper validation, someone could use the scanner to probe internal networks or localhost.
To prevent this, I validate both the hostname and the resolved IP address. Just blocking private IP ranges like 192.168.x.x isn't enough—attackers can register domains that resolve to internal addresses. The scanner checks the resolved IP before making any connection attempts.
I also added rate limiting to prevent abuse and ensure the tool can't be used to flood targets with requests.
Challenges
Getting the concurrency right took some trial and error. Too few concurrent connections and scans are slow. Too many and you risk hitting system limits or overwhelming targets. I settled on 100 concurrent connections as a reasonable default.
Network operations are inherently unreliable. Connections time out, get refused, or fail for various reasons. Handling these errors gracefully without crashing the entire scan required careful error handling throughout the code.
Use Cases
This scanner works well for:
- Security teams conducting authorized penetration tests
- System administrators verifying firewall rules
- Developers checking service accessibility during deployment
What I Learned
This project reinforced that security features need to be built in from the start, not added as an afterthought. It also gave me hands-on experience with Python's asyncio, which behaves differently than I initially expected.
The code is available on GitHub if you're interested. It's MIT licensed, so feel free to use or modify it for your own projects.
Try out the Network Inspection Platform to see how concurrent scanning works in practice. The scanner demonstrates how to balance performance with security in a production-grade tool.