On 05.12.17 20:21, r1610091651 wrote:
> how can the hoster determine whether a packet is part of a port scan or valid connection request?
One common example of automatically detectable port scans for /24 IPv4 subnets is consecutive connections, in a small amount of time, to

aaa.bbb.ccc.1:80
aaa.bbb.ccc.2:80
aaa.bbb.ccc.3:80
[etc.]
Looking at the logs I received, this traversal of subnets to find open ports is the most common type of scan for which my exit is being abused.
The logs sometimes show variations like scanning odd-numbered addresses in one pass and even-numbered in the next, or scans for several subnets mixed together, but the hoster's monitoring software is quite good at automatically identifying patterns.
-Ralph
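
The subnet-traversal pattern described in the message above, sketched as detection logic. This is an added example, not part of the original message and not the hoster's monitoring software; the function names, the log tuple format, the thresholds (`window`, `min_hosts`) and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

EXIT_IP = "203.0.113.7"  # constructed source address standing in for the exit relay

def detect_sweeps(events, window=10.0, min_hosts=20):
    """Flag (src, dst /24, dst port) when one source contacts at least
    `min_hosts` distinct hosts of a /24 on the same port within `window` seconds.
    `events` is an iterable of (ts_seconds, src_ip, dst_ip, dst_port) sorted by ts."""
    recent = defaultdict(deque)  # key -> (ts, dst_ip) pairs still inside the window
    flagged = set()
    for ts, src, dst, port in events:
        subnet = str(ip_network(f"{dst}/24", strict=False))
        key = (src, subnet, port)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        # Distinct hosts are counted regardless of order, so an odd/even pass
        # or several subnets interleaved in time are caught the same way.
        if len({d for _, d in q}) >= min_hosts:
            flagged.add(key)
    return flagged

def sample_events(step=0.1):
    """Constructed log: two sweeps mixed together plus ordinary traffic."""
    ev = []
    for i in range(1, 41):  # .1, .2, .3, ... on port 80
        ev.append((i * step, EXIT_IP, f"192.0.2.{i}", 80))
    odd_then_even = list(range(1, 41, 2)) + list(range(2, 41, 2))
    for n, i in enumerate(odd_then_even):  # odd pass, then even pass
        ev.append((n * step + 0.05, EXIT_IP, f"198.51.100.{i}", 80))
    for n in range(60):  # repeated visits to three web servers, not a sweep
        ev.append((n * step, EXIT_IP, f"192.0.2.{200 + n % 3}", 443))
    return sorted(ev)

if __name__ == "__main__":
    for src, subnet, port in sorted(detect_sweeps(sample_events())):
        print(f"sweep: {src} -> {subnet} port {port}")
```
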