DOI: 10.1145/3355369.3355595
Research article, open access

Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope

Published: 21 October 2019

Abstract

Scanning of hosts on the Internet to identify vulnerable devices and services is a key component in many of today's cyberattacks. Tracking this scanning activity, in turn, provides an excellent signal to assess the current state-of-affairs for many vulnerabilities and their exploitation. So far, studies tracking scanning activity have relied on unsolicited traffic captured in darknets, focusing on random scans of the address space. In this work, we track scanning activity through the lens of unsolicited traffic captured at the firewalls of some 89,000 hosts of a major Content Distribution Network (CDN). Our vantage point has two distinguishing features compared to darknets: (i) it is distributed across some 1,300 networks, and (ii) its servers are live, offering services and thus emitting traffic. While all servers receive a baseline level of probing from Internet-wide scans, i.e., scans targeting random subsets of or the entire IPv4 space, we show that some 30% of all logged scan traffic is the result of localized scans. We find that localized scanning campaigns often target narrow regions in the address space, and that their characteristics in terms of target selection strategy and scanned services differ vastly from the more widely known Internet-wide scans. Our observations imply that conventional darknets can only partially illuminate scanning activity, and may severely underestimate widespread attempts to scan and exploit individual services in specific prefixes or networks. Our methods can be adapted for individual network operators to assess if they are subjected to targeted scanning activity.


      Published In

      IMC '19: Proceedings of the Internet Measurement Conference
      October 2019
      497 pages
      ISBN:9781450369480
      DOI:10.1145/3355369
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Internet scanning
      2. Internet security
      3. network telescope
      4. unsolicited traffic

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      IMC '19
      IMC '19: ACM Internet Measurement Conference
      October 21 - 23, 2019
      Amsterdam, Netherlands

      Acceptance Rates

      IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
      Overall Acceptance Rate 277 of 1,083 submissions, 26%
