Title of invention: METHOD AND DEVICE FOR DETERMINING TCP PORT SCANNING
Abstract: The present invention discloses a method and device for determining TCP port scanning, and solves the problem of low efficiency and narrow application range of port scanning detection in the prior art. A forwarding device identifies a SYN message among the filtered port scanning messages to be determined. Based on the source address information and the destination address information of the identified SYN message, a SYN plus ACK message is constructed and sent to the device corresponding to the source address information of the message. When the device corresponding to the source address information sends an ACK message to the device corresponding to the destination address information, if the quantity of SYN messages scanning the existent and nonexistent destination addresses or destination ports of the device corresponding to the destination address information at the same time is larger than a set threshold value N1, it is determined that the device is scanning TCP ports. The present invention can detect TCP port scanning in semi-hidden mode as well as low-speed TCP port scanning, which extends the application range of the detection method, saves system resources, and improves the efficiency of determining port scanning.
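Publication number: WO2015027523(A1) Publication date: 2015.03.05
Application number: WO2013CN82811 Filing date: 2013.09.02
Applicant: KYLAND TECHNOLOGY CO., LTD Inventors: DING, JIE; MA, HUAYI; KONG, YONG; ZHANG, JIANFENG; XUE, BAIHUA
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Principal claim:
Address: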