by achillean
1744 days ago
That's not what the article said though. They say that the compromised devices had these characteristics among others:

* Port 2000 open
* Port 5678 open
* SOCKS proxy on port 80 (maybe)

Most likely most of the visitors to your website won't have those ports open and exposed to the Internet. That is a really easy way to filter traffic based on the network fingerprint. Especially when you're under attack it's a great way to reduce a majority of the impact without requiring any AI/ML - just filter traffic from IPs that have TCP port 5678 open. That same technique was also used to identify Mirai bots and it worked well.
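The filter described in the comment above, as an added example that is not part of the original post: it joins web access-log client IPs against open-port observations and reports which clients would be dropped and what share of requests that removes. It assumes the defender already has per-IP open-port data from an internet-scan dataset; the log lines, IPs, port data and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access log (documentation-range IPs, not real traffic).
ACCESS_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.20 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.20 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 900
192.0.2.45 - - [01/Jan/2024:10:00:04 +0000] "GET /pricing HTTP/1.1" 200 700
"""

# Constructed open-port observations per IP, standing in for an
# internet-scan dataset the defender already has (assumption).
OPEN_PORTS = {
    "198.51.100.7": {80, 2000, 5678},
    "203.0.113.20": {22, 5678},
    "192.0.2.44": {443},
}

FILTER_PORT = 5678         # the port the comment suggests filtering on
SUPPORTING_PORTS = {2000}  # other open port listed in the comment


def requests_per_ip(log_text):
    """Count requests per client IP from common-log-format lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = re.match(r"(\d{1,3}(?:\.\d{1,3}){3}) ", line)
        if m:
            counts[m.group(1)] += 1
    return counts


def build_filter(log_text, open_ports):
    """Return (blocked clients, share of requests they account for)."""
    counts = requests_per_ip(log_text)
    blocked = {}
    for ip, n in counts.items():
        ports = open_ports.get(ip, set())  # no scan data: leave unfiltered
        if FILTER_PORT in ports:
            blocked[ip] = {"requests": n,
                           "also_open": sorted(ports & SUPPORTING_PORTS)}
    total = sum(counts.values())
    filtered = sum(b["requests"] for b in blocked.values())
    return blocked, (filtered / total if total else 0.0)
```

Clients with no scan observation are left unfiltered, so the share returned is a lower bound on what the fingerprint could remove.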