Question
I am confused about the difference between a SYN Flood and a port scan attack. I know that a TCP SYN Flood is often referred to as "half-open" scanning, because you don't open a full TCP connection: you send a SYN packet, as if you are going to open a real connection, and wait for a response. A port scan varies the destination port, but I think they have similar operations; if not, please, I need clarification.
The purpose is to consume the TCP backlog, for both 'half-open' and 'open'. http://www.ryanfrantz.com/posts/apache-tcp-backlog/
And generally, if the relationship between the source (IP/port) and the destination (IP/port) is '1:N', it is called a scan. If it is 'N:1', it is called flooding.
Scans and flooding are detected as protocol-structure conditions. By the way, all traffic has a protocol structure, so it is difficult to detect them accurately.
Example of scan false positive
Example of flooding false positive
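The '1:N' versus 'N:1' heuristic from the answer above, written out as a small detector. This is an added example, not code from the answer or from any product: the record layout (source IP, source port, destination IP, destination port of each SYN-only packet), the sample records and the two thresholds are all constructed assumptions, chosen so that one source probing many ports on a host reads as a scan and many sources hitting one host:port read as a flood.

```python
"""Toy scan/flood classifier for SYN-only records (added example).

A record is a (src_ip, src_port, dst_ip, dst_port) tuple for a packet
that carried only the SYN flag, as a flow monitor or firewall log might
emit it.  The classifier counts, per source, how many distinct
destination ip:port pairs it touched ('1:N' => scan) and, per
destination ip:port, how many distinct sources hit it ('N:1' => flood).
"""
from collections import defaultdict

# Constructed sample input (assumption, not real traffic):
#   - 192.0.2.10 sends one SYN to each of ports 20..39 on 10.0.0.5
#   - 40 different sources in 198.51.100.0/24 each send a SYN to 10.0.0.5:80
#   - two ordinary single connections
SAMPLE_SYNS = (
    [("192.0.2.10", 40000 + p, "10.0.0.5", p) for p in range(20, 40)]
    + [(f"198.51.100.{i}", 50000, "10.0.0.5", 80) for i in range(1, 41)]
    + [("192.0.2.77", 51234, "10.0.0.5", 443),
       ("192.0.2.78", 51235, "10.0.0.9", 22)]
)

# Thresholds are assumptions for the demo; in practice they are tuned per
# site and per time window, and they are exactly where the false positives
# the answer mentions come from (a busy web server legitimately sees many
# sources on one port, a monitoring host legitimately touches many ports).
SCAN_THRESHOLD = 10    # distinct destination ip:port pairs from one source
FLOOD_THRESHOLD = 30   # distinct sources for one destination ip:port


def classify_syns(records, scan_threshold=SCAN_THRESHOLD,
                  flood_threshold=FLOOD_THRESHOLD):
    """Return {'scans': {src_ip: n_targets}, 'floods': {(dst_ip, dst_port): n_sources}}."""
    targets_per_source = defaultdict(set)   # src_ip -> {(dst_ip, dst_port)}
    sources_per_dest = defaultdict(set)     # (dst_ip, dst_port) -> {src_ip}
    for src_ip, _src_port, dst_ip, dst_port in records:
        targets_per_source[src_ip].add((dst_ip, dst_port))
        sources_per_dest[(dst_ip, dst_port)].add(src_ip)

    # '1:N': one source, many destinations
    scans = {src: len(targets) for src, targets in targets_per_source.items()
             if len(targets) >= scan_threshold}
    # 'N:1': many sources, one destination
    floods = {dst: len(sources) for dst, sources in sources_per_dest.items()
              if len(sources) >= flood_threshold}
    return {"scans": scans, "floods": floods}


if __name__ == "__main__":
    result = classify_syns(SAMPLE_SYNS)
    for src, n in result["scans"].items():
        print(f"scan-like: {src} touched {n} destination ports")
    for (ip, port), n in result["floods"].items():
        print(f"flood-like: {ip}:{port} hit by {n} distinct sources")
```

Both findings rest only on the protocol structure (who talked to whom), which is the answer's point: the same counts are produced by legitimate traffic, so a real deployment would at least restrict the counts to half-open connections (SYNs never followed by an ACK) and tune the thresholds per window before acting on them.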