DOI: 10.1145/3624354.3630583
short-paper
Open access

Aggressive Internet-Wide Scanners: Network Impact and Longitudinal Characterization

Published: 05 December 2023

Abstract

Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally fall into two main categories: i) benign research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and the impact on real networks of these aggressive scanners are not well understood. In this paper, via the vantage point of a large network telescope, we provide an extensive longitudinal empirical analysis of aggressive IPv4 scanners that spans a period of almost two years. Moreover, we examine their network impact using flow and packet data from two academic ISPs. To our surprise, we discover that a non-negligible fraction of packets processed by ISP routers can be attributed to aggressive scanners. Our work aims to raise the network community's awareness of these "heavy hitters", especially the miscreant ones, whose invasive and rigorous behavior i) makes them more likely to succeed in abusing the hosts they target and ii) imposes a network footprint that can be disruptive to critical network services by incurring consequences akin to denial of service attacks.

Cited By

  • (2024) Ten Years of ZMap. Proceedings of the 2024 ACM on Internet Measurement Conference, 139-148. doi: 10.1145/3646547.3689012. Online publication date: 4-Nov-2024
  • (2024) Have you SYN me? Characterizing Ten Years of Internet Scanning. Proceedings of the 2024 ACM on Internet Measurement Conference, 149-164. doi: 10.1145/3646547.3688409. Online publication date: 4-Nov-2024
  • (2024) Dynamic adaptation of scan rates for efficient and congestion-aware internet-wide scanning in IoT security. Evolving Systems, 16:1. doi: 10.1007/s12530-024-09631-3. Online publication date: 25-Nov-2024

      Published In

      CoNEXT 2023: Companion of the 19th International Conference on emerging Networking EXperiments and Technologies
      December 2023
      80 pages
      ISBN:9798400704079
      DOI:10.1145/3624354
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. aggressive scanners
      2. internet-wide scanning
      3. longitudinal measurements
      4. network telescope

      Qualifiers

      • Short-paper

      Conference

      CoNEXT 2023
      Acceptance Rates

      Overall Acceptance Rate 198 of 789 submissions, 25%
