Question
I am confused about the difference between a SYN Flood and a Port scan attack, knowing that a TCP SYN Flood is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and wait for a response. A Port Scan varies the destination port, but I think they have similar operations; if not, please, I need clarifications.
Answer 1:
The purpose is to consume the TCP backlog for both 'half-open' and 'open'. http://www.ryanfrantz.com/posts/apache-tcp-backlog/
And generally, if the relationship between the source (ip/port) and destination (ip/port) is '1:N', it is called a scan. If 'N:1', it is called flooding.
Scan and flooding are detected as protocol structure conditions. By the way, all traffic has a protocol structure. So it is difficult to detect accurately.
(Figure: example of a scan false positive)
(Figure: example of a flooding false positive)
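The 1:N / N:1 heuristic from the answer above, and the false-positive problem it mentions, can be made concrete with a small detector over constructed packet records. This is an added example, not code from the answer or from the linked article; the `Packet` record layout, the thresholds (`scan_ports`, `flood_sources`) and the sample traffic are all assumptions made here. It counts SYNs by shape (one source to many ports = scan, many sources to one service = flood), then shows why a busy but healthy server also looks N:1, and how counting only half-open handshakes (SYN never followed by the client's ACK) separates the two.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP segment: endpoints plus the flags we care about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (handshake completion)


def half_open_tuples(packets):
    """Return the client 4-tuples whose SYN was never followed by the client's
    final ACK, i.e. handshakes that stayed half-open."""
    syn_seen = set()
    completed = set()
    for p in packets:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p.flags == "S":
            syn_seen.add(key)
        elif p.flags == "A" and key in syn_seen:
            completed.add(key)
    return syn_seen - completed


def analyze(packets, scan_ports=10, flood_sources=10, half_open_only=False):
    """Apply the 1:N / N:1 shape heuristic.

    scan  : one source IP reaches >= scan_ports distinct ports on one destination IP
    flood : >= flood_sources distinct (src_ip, src_port) pairs reach one
            (dst_ip, dst_port) service

    With half_open_only=True only SYNs that never completed the handshake are
    counted, which keeps busy legitimate servers out of the flood list.
    Thresholds are illustrative assumptions, not values from the original post.
    """
    syns = [p for p in packets if p.flags == "S"]
    if half_open_only:
        pending = half_open_tuples(packets)
        syns = [p for p in syns
                if (p.src_ip, p.src_port, p.dst_ip, p.dst_port) in pending]

    ports_per_pair = defaultdict(set)        # (src_ip, dst_ip) -> {dst_port}
    sources_per_service = defaultdict(set)   # (dst_ip, dst_port) -> {(src_ip, src_port)}
    for p in syns:
        ports_per_pair[(p.src_ip, p.dst_ip)].add(p.dst_port)
        sources_per_service[(p.dst_ip, p.dst_port)].add((p.src_ip, p.src_port))

    scans = {k: len(v) for k, v in ports_per_pair.items() if len(v) >= scan_ports}
    floods = {k: len(v) for k, v in sources_per_service.items() if len(v) >= flood_sources}
    return {"scans": scans, "floods": floods}


def sample_traffic():
    """Constructed packet list (not a real capture) covering three cases."""
    pkts = []
    # Case 1: one host sends SYNs to 20 ports on 192.168.1.10, none completed (1:N).
    for port in range(1, 21):
        pkts.append(Packet("10.0.0.5", 40000 + port, "192.168.1.10", port, "S"))
    # Case 2: 15 distinct sources leave half-open SYNs at 192.168.1.20:80 (N:1).
    for i in range(15):
        pkts.append(Packet(f"10.0.1.{i}", 50000 + i, "192.168.1.20", 80, "S"))
    # Case 3: 15 distinct legitimate clients complete the handshake with
    # 192.168.1.30:443. Same N:1 shape, so a raw SYN count also flags it.
    for i in range(15):
        src = (f"10.0.2.{i}", 51000 + i)
        pkts.append(Packet(src[0], src[1], "192.168.1.30", 443, "S"))
        pkts.append(Packet("192.168.1.30", 443, src[0], src[1], "SA"))
        pkts.append(Packet(src[0], src[1], "192.168.1.30", 443, "A"))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("raw 1:N / N:1 :", analyze(traffic))
    print("half-open only:", analyze(traffic, half_open_only=True))
```

With the raw shape heuristic the healthy HTTPS server in case 3 is reported as a flood alongside the real one in case 2; restricting the count to half-open handshakes drops it while the scan and the flood remain, which is the point the answer makes about shape-based rules needing more than the protocol structure alone.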
Source: https://stackoverflow.com/questions/43579701/what-is-difference-between-syn-flood-and-port-scan-attack