Any computing system that is connected to a network faces threats from other computing systems connected to that network. When the network in question is the Internet, the number of potential threats is quite large. Many malicious computing systems begin attacks by conducting a port scan of potential victim devices. Port scans often involve sending packets to each port on a host, in turn, and monitoring the responses (or lack thereof). The results of a port scan may allow attackers to identify what operating systems and/or services are running on a host device based on which ports are open. Attackers may then use this information to launch targeted attacks against services on the host with known vulnerabilities.
Many traditional systems for blocking port scans rely on detecting a pattern of activity that is indicative of a port scan, such as repeated packets sent to different ports from the same remote device. However, some attackers have compensated for this by drastically slowing the speed of their port scans so that the packets appear to be unrelated. Unfortunately, attempts to prevent such port scans run the risk of breaking network functionality for benign systems that are making genuine initialization attempts. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for thwarting port scans and other illegitimate initialization attempts without compromising the functionality of benign systems.
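The trade-off described above can be seen by running a pattern-based detector over sample traffic. This is an added example, not part of the original disclosure: the function name, thresholds, window sizes and the documentation-range addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

def flag_sources(events, window_s, port_threshold):
    """Flag sources that hit >= port_threshold distinct ports within window_s seconds.

    events: iterable of (timestamp_s, src_ip, dst_port) tuples.
    """
    recent = defaultdict(deque)   # src_ip -> (timestamp, port) pairs still inside the window
    flagged = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Drop observations that have aged out of the sliding window.
        while ts - q[0][0] > window_s:
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:
            flagged.add(src)
    return flagged

# Constructed sample traffic (addresses from documentation ranges).
FAST, SLOW, WEB, MULTI = "198.51.100.7", "203.0.113.9", "192.0.2.10", "192.0.2.50"
EVENTS = (
    [(i, FAST, 1 + i) for i in range(20)]               # 20 ports in 20 seconds
    + [(i * 900, SLOW, 1 + i) for i in range(20)]       # 20 ports, one every 15 minutes
    + [(i * 600, WEB, 443) for i in range(30)]          # benign: one port, many connections
    + [(i * 3600, MULTI, 8000 + i) for i in range(12)]  # benign: 12 services over 12 hours
)

def compare():
    """Return (short-window result, long-window result) for the same traffic."""
    short = flag_sources(EVENTS, window_s=60, port_threshold=10)
    long_ = flag_sources(EVENTS, window_s=86400, port_threshold=10)
    return short, long_

if __name__ == "__main__":
    short, long_ = compare()
    print("60 s window: ", sorted(short))
    print("24 h window: ", sorted(long_))
```

The 60-second window catches only the fast scan; widening it to 24 hours catches the slowed scan but also flags the benign multi-service client, which is the false-positive risk the paragraph describes.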