DShield analysis

Analysing the DShield.log, there were two topics I couldn't find information on:

- TTL: the default is 64, but nearly all scanners use a TTL around 250, and the "attackers" (trying to log in) use a TTL around 250

- Source port: default for Linux is above 32,000, but there are a number of scans with source port below

It seems most of the scans are using nmap (windows-size=1024), but my checks did not confirm any unusual TTL or source ports.

Does the specific TTL and source port reveal anything about the scanners?

