DOI: 10.1145/3646547.3688409
research-article
Open access

Have you SYN me? Characterizing Ten Years of Internet Scanning

Published: 04 November 2024

Abstract

Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.

Cited By

  • (2024) Ten Years of ZMap. Proceedings of the 2024 ACM on Internet Measurement Conference, 139-148. DOI: 10.1145/3646547.3689012. Online publication date: 4-Nov-2024

    Published In

    IMC '24: Proceedings of the 2024 ACM on Internet Measurement Conference
    November 2024
    812 pages
    ISBN: 9798400705922
    DOI: 10.1145/3646547
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. internet scanning
    2. network telescope

    Qualifiers

    • Research-article

    Funding Sources

    • European Commission: Horizon Europe Programme

    Conference

    IMC '24
    IMC '24: ACM Internet Measurement Conference
    November 4 - 6, 2024
    Madrid, Spain

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Article Metrics

    • Downloads (Last 12 months): 96
    • Downloads (Last 6 weeks): 96
    Reflects downloads up to 23 Nov 2024
