I am confused about the difference between a SYN flood and a port scan attack, knowing that TCP SYN Flood is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and wait for a response. A port scan varies the destination port, but I think they have similar operations; if not, please, I need clarification.
1 Answer
The purpose is to consume the TCP backlog for both 'half-open' and 'open'. http://www.ryanfrantz.com/posts/apache-tcp-backlog/
And generally, if the relationship between the source (ip/port) and destination (ip/port) is '1:N', it is called a scan. If 'N:1', it is called flooding.
Scan and flooding are detected as protocol structure conditions. By the way, all traffic has a protocol structure. So it is difficult to detect accurately.

Mr.kang
- Thanks Mr. Kang, what could be the min and max value of 'N' for it to be considered a scan or flood attack? – Agu Justice Apr 25 '17 at 14:34
- There is no appropriate min and max value. Appropriate responses are needed depending on the situation. When there is a scan or flooding, you should first check whether the access is consistent with the purpose of the server. Also, it should be compared with the amount of approach under normal conditions. – Mr.kang Apr 25 '17 at 15:43
- Thanks sir, I appreciate your response – Agu Justice Apr 25 '17 at 20:42
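The 1:N versus N:1 distinction and the comparison against normal traffic discussed in the answer and comments above can be expressed as detection logic. This is an added example, not code from the answer or its author; the sample SYN records, the baseline figures and the multiplier are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed SYN-only records: (src_ip, src_port, dst_ip, dst_port)."""
    syns = []
    # One source touching 40 different ports on one host (1:N).
    syns += [("192.0.2.10", 40000 + p, "198.51.100.5", p) for p in range(1, 41)]
    # 60 different sources all hitting one service (N:1).
    syns += [(f"203.0.113.{i}", 50000 + i, "198.51.100.7", 80) for i in range(1, 61)]
    # An ordinary client opening a few connections to one service.
    syns += [("192.0.2.20", 51000 + i, "198.51.100.7", 443) for i in range(3)]
    return syns

def classify(syns, baseline_fan_out=3, baseline_fan_in=5, factor=5):
    """Flag sources and destinations whose fan-out or fan-in exceeds
    `factor` times what is normal for this server.

    There is no universal N, so both baselines are assumed values that
    would come from measuring this server's traffic in normal operation.
    """
    fan_out = defaultdict(set)  # src_ip -> distinct (dst_ip, dst_port)
    fan_in = defaultdict(set)   # (dst_ip, dst_port) -> distinct (src_ip, src_port)
    for src_ip, src_port, dst_ip, dst_port in syns:
        fan_out[src_ip].add((dst_ip, dst_port))
        fan_in[(dst_ip, dst_port)].add((src_ip, src_port))
    # 1:N -> one source, many destination endpoints: scan candidate.
    scans = {src: len(dsts) for src, dsts in fan_out.items()
             if len(dsts) > baseline_fan_out * factor}
    # N:1 -> many source endpoints, one destination: flood candidate.
    floods = {dst: len(srcs) for dst, srcs in fan_in.items()
              if len(srcs) > baseline_fan_in * factor}
    return scans, floods

if __name__ == "__main__":
    scans, floods = classify(build_sample())
    print("scan candidates:", scans)
    print("flood candidates:", floods)
```

Counting source endpoints as (ip, port) pairs means a single host opening many half-open connections to one service is also counted toward the N:1 side.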