This article covers the question "What is the difference between a SYN flood and a port-scan attack?" and its answer, which may be useful to readers facing the same problem.

Question

I am confused about the difference between a SYN flood and a port-scan attack. I know that a TCP SYN flood is often referred to as "half-open" scanning, because you don't open a full TCP connection: you send a SYN packet, as if you are going to open a real connection, and wait for a response. A port scan varies the destination port, but I think they have similar operations; if not, please clarify.

Solution

The purpose is to consume the TCP backlog, for both 'half-open' and 'open'. http://www.ryanfrantz.com/posts/apache-tcp-backlog/

And generally, if the relationship between the source (ip/port) and the destination (ip/port) is '1:N', it is called a scan. If it is 'N:1', it is called flooding.

Scans and flooding are detected as protocol-structure conditions. By the way, all traffic has a protocol structure, so it is difficult to detect them accurately.

Example of scan false positive

Example of flooding false positive
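The 1:N / N:1 heuristic from the answer, written out as detection logic over a constructed packet sample (this is an added example, not code from the answer or the linked post). The completion-ratio check on the N:1 side is an assumption of the example: it treats a destination as flooded only when its SYNs mostly stay half-open, which is what separates the flood from the busy-server false positive the answer alludes to.

```python
from collections import defaultdict

# Constructed sample of TCP packets as seen by a sensor:
# (src_ip, src_port, dst_ip, dst_port, flags), where "S" = SYN,
# "SA" = SYN/ACK and "A" = the client's final handshake ACK.
SAMPLE = (
    # one source probes 12 ports on one host: a 1:N pattern (scan)
    [("10.0.0.5", 40000 + p, "192.0.2.10", p, "S") for p in range(1, 13)]
    # 30 sources send SYNs to 192.0.2.20:80 and never ACK: N:1, half-open (flood)
    + [(f"203.0.113.{i}", 5000, "192.0.2.20", 80, "S") for i in range(1, 31)]
    # 30 clients of 192.0.2.30:443 that complete the handshake: the same N:1
    # shape as the flood, i.e. the flooding false positive a pure count produces
    + [pkt for i in range(1, 31) for pkt in (
        (f"198.51.100.{i}", 6000, "192.0.2.30", 443, "S"),
        ("192.0.2.30", 443, f"198.51.100.{i}", 6000, "SA"),
        (f"198.51.100.{i}", 6000, "192.0.2.30", 443, "A"))]
)


def classify(packets, scan_min=10, flood_min=20, max_completion=0.2):
    """Return (scans, floods) from the fan-out / fan-in heuristic.

    scans:  src_ip -> number of distinct (dst_ip, dst_port) it sent SYNs to (1:N)
    floods: (dst_ip, dst_port) -> number of distinct sources that sent it SYNs (N:1)
    A destination only counts as flooded when at most max_completion of those
    sources finished the handshake, so the connections stayed half-open.
    """
    targets = defaultdict(set)    # fan-out per source IP
    sources = defaultdict(set)    # fan-in per destination socket
    completed = defaultdict(set)  # sources whose handshake reached the ACK
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        if flags == "S":
            targets[src_ip].add((dst_ip, dst_port))
            sources[(dst_ip, dst_port)].add((src_ip, src_port))
        elif flags == "A":
            completed[(dst_ip, dst_port)].add((src_ip, src_port))
    scans = {s: len(t) for s, t in targets.items() if len(t) >= scan_min}
    floods = {}
    for dst, srcs in sources.items():
        if len(srcs) < flood_min:
            continue
        ratio = len(completed[dst] & srcs) / len(srcs)
        if ratio <= max_completion:
            floods[dst] = len(srcs)
    return scans, floods


if __name__ == "__main__":
    print(classify(SAMPLE))
```

The thresholds are arbitrary; on real traffic the same shapes appear legitimately (a crawler looks 1:N, a popular server looks N:1), which is why the answer calls accurate detection difficult.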


06-09 05:22