Remote Identification of Port Scan Toolchains

Port scans are typically at the beginning of a chain of events that leads to the attack and exploitation of a host over a network. Since building an effective defense relies on information about what kind of threat an organization is facing, threat intelligence outlining an actor's modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing in the use of a particular tool have also specialized in exploiting particular services.
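The approach described above, as an added illustration that is not code from the paper: SYN probes are reduced to a few header features, matched against a signature table, and aggregated per source so a defender gets a tool label and a consistency check rather than a per-packet guess. The signature values (window size, IP ID, TCP options) are assumptions chosen to mirror commonly reported scanner defaults, not measurements from the paper, and the traffic is constructed.

```python
"""Constructed example: fingerprint SYN-scan probes by header patterns."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class SynProbe:
    src_ip: str
    ip_id: int
    ttl: int
    window: int
    tcp_options: Tuple[str, ...]  # option kinds in order; () when none set


# Assumed fingerprints for illustration (not from the paper). Scanner
# defaults change between versions; derive real signatures from observed
# traffic and re-validate them regularly.
SIGNATURES: Dict[str, Tuple[int, Tuple[str, ...], Optional[int]]] = {
    #  label          window  tcp options   fixed IP ID (None = varies)
    "zmap-like":   (65535,  (),           54321),
    "nmap-like":   (1024,   ("MSS",),     None),
}


def match_probe(p: SynProbe) -> str:
    """Return the first signature label a single probe satisfies."""
    for label, (window, options, fixed_id) in SIGNATURES.items():
        if p.window == window and p.tcp_options == options \
                and (fixed_id is None or p.ip_id == fixed_id):
            return label
    return "unknown"


def profile_sources(probes: Iterable[SynProbe]) -> Dict[str, dict]:
    """Per source: majority label, its share, and whether IP ID is constant."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src_ip].append(p)
    profile = {}
    for src, ps in by_src.items():
        label, n = Counter(match_probe(p) for p in ps).most_common(1)[0]
        profile[src] = {"label": label, "confidence": n / len(ps),
                        "constant_ip_id": len({p.ip_id for p in ps}) == 1,
                        "probes": len(ps)}
    return profile


SAMPLE = [  # constructed traffic; documentation-range addresses
    SynProbe("198.51.100.7", 54321, 255, 65535, ()),
    SynProbe("198.51.100.7", 54321, 255, 65535, ()),
    SynProbe("203.0.113.9", 41820, 52, 1024, ("MSS",)),
    SynProbe("203.0.113.9", 9113, 52, 1024, ("MSS",)),
    SynProbe("192.0.2.5", 1, 64, 29200, ("MSS", "SACK", "TS", "NOP", "WS")),
]

if __name__ == "__main__":
    for src, info in profile_sources(SAMPLE).items():
        print(src, info)
```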
