analysing the DShield.log there were two topics I couldn't find information:
- TTL: the default is 64, but nearly all scanner use TTL around 250, and the "attackers" (trying login) use TTL around 250
- Source port: default for Linux is above 32,000, but there are a number of scans with source port below
It seems most of the scans are using nmap (windows-size=1024), but my checks did not confirm any unusual TTL or source ports.
Does the specific TTL and source port reveal anything about the scanners?
Mar 1st 2020
6 months ago