On 05.12.17 20:21, r1610091651 wrote: > how can the hoster determine whether a packet is part of a port scan > or valid connection request?
One common example of automatically detectable port scans for /24 IPv4 subnets are consecutive connections, in a small amount of time, to aaa.bbb.ccc.1:80 aaa.bbb.ccc.2:80 aaa.bbb.ccc.3:80 [etc.] Looking at the logs I received, this traversal of subnets to find open ports is the most common type of scan for which my exit is being abused. The logs sometimes show variations like scanning odd-numbered addresses in one pass and even-numbered in the next, or scans for several subnets mixed together, but the hoster's monitoring software is quite good at automatically identifying patterns. -Ralph _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
