Abstract
Internet scanning is a de facto part of the background traffic noise of the Internet, but it is unclear whether it poses a real threat: what happens to scanned hosts? what is the success rate of scanning? and is the problem worth investing significant effort and money in mitigation, e.g., by filtering unwanted traffic? In this work we take a first look at Internet scanning from the point of view of the scan repliers, using a unique combination of data sets that allows us to estimate how many hosts replied to scanners and whether they were subsequently attacked in an actual network. To contain our analysis, we focus on a specific scanning event of particular interest: a scan of the entire IPv4 address space orchestrated by the Sality botnet during February 2011. By analyzing unsampled NetFlow records, we show that 2 % of the scanned hosts actually replied to the scanners. Moreover, by correlating scan replies with IDS alerts from the same network, we show that significant exploitation activity followed against the repliers, which eventually led to an estimated 8 % of the repliers being compromised. These observations suggest that Internet scanning is dangerous: in our university network, at least 142 scanned hosts were eventually compromised. World-wide, the number of hosts compromised in response to the studied event is likely much larger.
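The correlation method the abstract sketches (scan probes in unsampled NetFlow, replies back to the scanner, and IDS alerts that follow against the repliers) can be shown on a small constructed data set. The code below is an added example and is not the paper's own code; the scanner and internal addresses (TEST-NET ranges), the choice of a SIP port as the scanned service, the reply window, the alert horizon and the alert categories are all assumptions made for illustration. It generalizes the abstract's single event to any set of known scanner sources and a single scanned port.

```python
"""Correlate scan replies in NetFlow-style records with later IDS alerts.

Added example, not the paper's code. All addresses, timings and alert
categories below are constructed for illustration.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport")          # one unsampled flow record
Alert = namedtuple("Alert", "ts src dst category")     # one IDS alert

T0 = datetime(2011, 2, 1, 0, 0, 0)
SCANNERS = {"203.0.113.5", "203.0.113.7"}   # constructed scanner sources (TEST-NET-3)
SCAN_PORT = 5060                             # assumed scanned service port

# Constructed flow records: scanner probes and any traffic sent back to a scanner.
FLOWS = [
    Flow(T0,                          "203.0.113.5", "192.0.2.10", SCAN_PORT),
    Flow(T0 + timedelta(seconds=1),   "192.0.2.10",  "203.0.113.5", 40000),   # reply
    Flow(T0 + timedelta(seconds=2),   "203.0.113.5", "192.0.2.11", SCAN_PORT),
    Flow(T0 + timedelta(seconds=3),   "203.0.113.7", "192.0.2.12", SCAN_PORT),
    Flow(T0 + timedelta(seconds=4),   "192.0.2.12",  "203.0.113.7", 40001),   # reply
    Flow(T0 + timedelta(seconds=5),   "203.0.113.7", "192.0.2.13", SCAN_PORT),
    Flow(T0 + timedelta(minutes=30),  "192.0.2.13",  "203.0.113.7", 40002),   # too late to count as a reply
]

# Constructed IDS alerts: "exploit" = inbound exploitation attempt,
# "compromise" = evidence the host itself is infected (e.g. outbound C&C).
ALERTS = [
    Alert(T0 + timedelta(hours=2), "198.51.100.9", "192.0.2.10",   "exploit"),
    Alert(T0 + timedelta(hours=5), "192.0.2.10",   "198.51.100.20", "compromise"),
    Alert(T0 + timedelta(hours=1), "198.51.100.9", "192.0.2.11",   "exploit"),     # host never replied
    Alert(T0 - timedelta(days=1),  "198.51.100.9", "192.0.2.12",   "exploit"),     # before the scan
]


def scan_targets(flows, scanners=SCANNERS, port=SCAN_PORT):
    """Return {scanned host: time of the earliest probe it received}."""
    first = {}
    for f in flows:
        if f.src in scanners and f.dport == port:
            first[f.dst] = min(f.ts, first.get(f.dst, f.ts))
    return first


def scan_repliers(flows, targets, scanners=SCANNERS, window=timedelta(seconds=60)):
    """Return {host: time of its first reply} for hosts that sent a flow back to a
    scanner within `window` after being probed (the reply-direction flow)."""
    repliers = {}
    for f in flows:
        probe = targets.get(f.src)
        if probe is not None and f.dst in scanners and probe <= f.ts <= probe + window:
            repliers[f.src] = min(f.ts, repliers.get(f.src, f.ts))
    return repliers


def correlate(alerts, repliers, horizon=timedelta(days=7)):
    """For each replier, collect the alert categories seen after its reply and
    within `horizon`, whether the host is the alert's source or destination."""
    seen = {host: set() for host in repliers}
    for a in alerts:
        for host, reply_ts in repliers.items():
            if reply_ts < a.ts <= reply_ts + horizon and host in (a.src, a.dst):
                seen[host].add(a.category)
    return seen


def summarize(flows, alerts):
    """Scanned hosts, repliers, repliers later attacked, and repliers that show
    both an exploitation attempt and a subsequent compromise indicator."""
    targets = scan_targets(flows)
    repliers = scan_repliers(flows, targets)
    seen = correlate(alerts, repliers)
    attacked = sorted(h for h, cats in seen.items() if "exploit" in cats)
    compromised = sorted(h for h, cats in seen.items() if {"exploit", "compromise"} <= cats)
    return {
        "scanned": len(targets),
        "repliers": sorted(repliers),
        "attacked": attacked,
        "compromised": compromised,
    }


if __name__ == "__main__":
    print(summarize(FLOWS, ALERTS))
```

Two ordering checks carry the argument: a flow back to the scanner counts as a reply only inside a short window after the probe, and an alert counts as follow-up activity only if it is raised after the reply. Without them, unrelated traffic (the late flow from 192.0.2.13) and pre-existing alerts (the one against 192.0.2.12) would inflate the reply and compromise counts.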
© 2015 IFIP International Federation for Information Processing
Raftopoulos, E., Glatz, E., Dimitropoulos, X., Dainotti, A. (2015). How Dangerous Is Internet Scanning?. In: Steiner, M., Barlet-Ros, P., Bonaventure, O. (eds) Traffic Monitoring and Analysis. TMA 2015. Lecture Notes in Computer Science(), vol 9053. Springer, Cham. https://doi.org/10.1007/978-3-319-17172-2_11
DOI: https://doi.org/10.1007/978-3-319-17172-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17171-5
Online ISBN: 978-3-319-17172-2
eBook Packages: Computer Science (R0)