On 8/1/12 9:24 AM, Administrator wrote:
An easy way is to limit the number of TCP connections at the same time on an edge router. This is usually done to get rid of script kiddies who try to break into SSH by trying every possible password for root. If TCP init is rate limited, however, then it's like a slow connection for opening sessions. This could affect outgoing HTTP though, so it's smarter to exclude ports 80 and 443 from it.
That way you will not catch scanning that goes across an entire netblock on port 80 to look for possible specific vulnerable web applications (portscanning + application vulnerability check).
You need to look at a very specific portscanning pattern, finely tuned so that it would not risk also matching good Tor traffic.
-naif
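An added example (not from either poster) of the kind of tuned pattern the reply asks for: a horizontal sweep is one source touching many hosts on one port, mostly inside a single /24, within a short window, while an exit relay's port-80 traffic to the same number of hosts is spread across unrelated netblocks. Thresholds and addresses are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network

WINDOW_SECS = 60        # sliding window (example threshold, not from the thread)
MIN_TARGETS = 20        # distinct destination hosts on one port within the window
NETBLOCK_SHARE = 0.8    # fraction of those hosts that fall in a single /24


def netblock(ip):
    """The /24 containing ip, e.g. 192.0.2.7 -> '192.0.2.0/24'."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect_horizontal_scans(flows, window=WINDOW_SECS, min_targets=MIN_TARGETS,
                            share=NETBLOCK_SHARE):
    """Return {(src, dport): (distinct_hosts, dominant_/24)} for sources that
    reached at least min_targets hosts on one port inside `window` seconds,
    with at least `share` of those hosts in one /24 (a netblock sweep).
    flows: iterable of (timestamp, src_ip, dst_ip, dst_port), any order."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) < min_targets:
                continue
            blocks = defaultdict(int)
            for h in hosts:
                blocks[netblock(h)] += 1
            top_block, top_n = max(blocks.items(), key=lambda kv: kv[1])
            if top_n / len(hosts) >= share and len(hosts) > alerts.get(key, (0,))[0]:
                alerts[key] = (len(hosts), top_block)
    return alerts


# Constructed sample flows (hypothetical addresses): 10.0.0.5 sweeps 192.0.2.0/24
# on port 80 over 40 seconds; 10.0.0.9 behaves like an exit relay, reaching 30
# hosts on port 80 that sit in 30 different /24s.
SAMPLE_FLOWS = [(i, "10.0.0.5", f"192.0.2.{i}", 80) for i in range(1, 41)]
SAMPLE_FLOWS += [(i, "10.0.0.9", f"198.51.{i}.1", 80) for i in range(1, 31)]

if __name__ == "__main__":
    print(detect_horizontal_scans(SAMPLE_FLOWS))
```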