问题描述

我对 SYN Flood 和端口扫描攻击之间的区别感到困惑.知道 TCP SYN Flood 通常被称为半开"扫描，因为您没有打开完整的 TCP 连接.您发送一个 SYN 数据包，就好像您要打开一个真正的连接并等待响应一样.端口扫描因目标端口而异，但我认为它们有类似的操作，如果不是，请说明.

目的是为half-open"和open"消耗 tcp backlog.

泛洪误报示例

i am confused based on the difference between SYN Flood and Port scan attack.knowing that TCP SYN Flood is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and wait for a response.Port Scan varies destination port but i think they have similar operations, if not please i need clarifications.

The purpose is to consume tcp backlog for both 'half-open' and 'open'. http://www.ryanfrantz.com/posts/apache-tcp-backlog/

And generally, if the relationship between the source(ip/port) and destination(ip/port) is '1:N', it called scan. If 'N:1', it called flooding.

Scan and flooding are detected as protocol structure conditions. By the way, all traffic has a protocol structure. So it is difficult to detect accurately.

Example of scan false positive

Example of flooding false positive

这篇关于Syn Flood 和端口扫描攻击有什么区别?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！