Profiling internet scanners: Spatiotemporal structures and measurement ethics

Scanning is ubiquitous on the Internet. It helps administrators troubleshoot their own networks, researchers survey the Internet, and malicious actors assess the attack surface of targeted networks. Because users' requirements vary, scans in the wild exhibit very diverse characteristics: for example, coverage, stealthiness and probing speed differ drastically from one scanning IP to another. In this paper, we study 15 years of backbone traffic to understand the evolution of mass-scanning tool usage, scanning patterns, and the concentration of scanning IPs (also called scanners) in small networks. We also propose a new method to classify the spatial and temporal structure of scanning IPs into three profiles that reveal vastly different intents. In particular, we find that 33% of scanners repeatedly target the same set of hosts; when such scanning is unsolicited, identifying this behavior provides good insight into the malicious intent of the scanner. For innocuous scanners, publicly documenting scanning activities and giving targets the right to opt out are common ethical practices. Our study shows that documented scanning IPs behave differently from the vast majority of scanners. Furthermore, only 39% of these entities follow online documentation best practices.
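The finding that a third of scanners repeatedly target the same set of hosts hinges on measuring target-set persistence over time. The script below is an added illustration of one way to measure that from flow records; it is not the paper's three-profile method, and the hour-long episode window, the Jaccard-overlap heuristic, the 0.5 threshold and the sample flows (all addresses from the RFC 5737 documentation ranges) are assumptions made here for the example.

```python
"""Added example: flag scanning sources that keep returning to the same
targets. Hypothetical heuristic (not the paper's method): split each
source's flows into fixed time windows and compare the destination sets
of consecutive windows with the Jaccard index."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since an arbitrary epoch
    src: str     # scanning source
    dst: str     # probed host
    dport: int   # probed port


WINDOW = 3600.0      # assumed episode length: one hour
THRESHOLD = 0.5      # assumed cut-off between "repeat" and "sweep"


def targets_per_window(flows, window=WINDOW):
    """Map src -> {window index -> set of probed hosts}."""
    out = defaultdict(lambda: defaultdict(set))
    for f in flows:
        out[f.src][int(f.ts // window)].add(f.dst)
    return out


def jaccard(a, b):
    """Overlap of two target sets; 1.0 means identical targets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def repeat_ratio(windows):
    """Mean Jaccard overlap between consecutive windows.
    Returns None when fewer than two windows exist (no evidence)."""
    idx = sorted(windows)
    if len(idx) < 2:
        return None
    scores = [jaccard(windows[i], windows[j]) for i, j in zip(idx, idx[1:])]
    return sum(scores) / len(scores)


def classify(flows, threshold=THRESHOLD):
    """Label each source: 'repeat' (same hosts again and again),
    'sweep' (moves on to new hosts) or 'single' (one episode only)."""
    labels = {}
    for src, windows in targets_per_window(flows).items():
        r = repeat_ratio(windows)
        if r is None:
            labels[src] = "single"
        elif r >= threshold:
            labels[src] = "repeat"
        else:
            labels[src] = "sweep"
    return labels


def sample_flows():
    """Constructed sample traffic, not real measurement data."""
    flows = []
    # Source A: same four hosts on port 22, once per hour for three hours.
    for h in range(3):
        for i in range(4):
            flows.append(Flow(h * 3600 + i, "198.51.100.7", f"203.0.113.{i}", 22))
    # Source B: walks a /24 on port 443, different hosts every hour.
    for h in range(3):
        for i in range(4):
            flows.append(Flow(h * 3600 + i, "192.0.2.9", f"203.0.113.{h * 4 + i}", 443))
    # Source C: a single burst, so there is nothing to compare against.
    for i in range(4):
        flows.append(Flow(7200 + i, "192.0.2.50", f"203.0.113.{100 + i}", 23))
    return flows


if __name__ == "__main__":
    for src, label in sorted(classify(sample_flows()).items()):
        print(f"{src:14s} {label}")
```

A single window yields no label on purpose: persistence is a property of behaviour across episodes, and a one-off burst should not be mistaken for either profile. In practice the window length and threshold would be tuned against the scan durations actually observed, and the spatial signal here would be combined with temporal features (inter-probe timing, sweep speed) before attributing intent.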