
1 An Internet-Wide View of Internet-Wide Scanning

2 What is internet-wide scanning?
- Scanning
- IPv4
- Horizontal scanning: individual ports
- Network telescope (darknet)

3 How is this done?
- Used to take months!
- But then ZMap and Masscan
- What are they? IPv4 scanners
- 5 minutes ... with 10 Gbps connections
- Their impact?

4 Previous work
- Pang et al., 2004: one of the first comprehensive analyses of Internet background radiation
- Covered many aspects of background traffic, including the most frequently scanned protocols
- However, the scanning landscape has changed drastically in the last decade

5 Previous work
- Wustrow et al., 2010, studied Internet background radiation
- Increase in scan traffic destined for SSH (TCP/22)
- Increased scanning activity targeting port 445 (SMB over IP) in 2009 due to Conficker
- Telnet (TCP/23) in 2007

6 Previous work
- Moore et al. and Cooke et al.: the dynamics of performing studies on IPv4 darknet traffic
- Both studies are utilized when performing calculations

7 Take out later
- Analysed traffic received by a large darknet over a 16-month period
- Excluding Conficker, almost 80% of scan traffic originates from large scans targeting >1% of the IPv4 address space
- Many scans are being conducted by academic researchers
- A large portion of all scanning targets services associated with vulnerabilities (e.g. Microsoft RDP, SQL Server)
- The majority of scanning is completed from bullet-proof hosting providers or from China

8 Dataset
- A darknet
- January 1, 2013 to May 1, 2014
- 5.5 million addresses, 0.145% of the public IPv4 address space
- Received an average of 1.4 billion packets, or 55 GB of traffic, per day
- Defined a scan as: a source address contacted at least 100 unique addresses in our darknet on the same port

9 Fingerprinting scanners
- In ZMap, the IP identification field is statically set to 54321
- Masscan: ip_id = dst_addr ⊕ dst_port ⊕ tcp_seqnum
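The following is an added example, not code from the paper or the presentation. It applies slide 8's scan definition (a source contacting at least 100 unique darknet addresses on one port) and slide 9's fingerprints (ZMap's constant IP ID of 54321; Masscan's IP ID derived from destination address, destination port and TCP sequence number) to constructed darknet packet records, so a network telescope operator can count scans and attribute them to a tool. Two points are assumptions rather than statements from the slides: the Masscan value is masked to the 16-bit IP ID field, and the fraction of the darknet a source hits is used as a proxy for how much of the address space the scan covers (the >1% "large scan" cut-off from slide 7). The addresses, scanners and packet counts are constructed.

```python
"""Darknet scan detection and scanner fingerprinting (added example).

Not code from the paper or the presentation. Constructed sample traffic;
the 16-bit masking of the Masscan IP ID and the darknet-hit-fraction
coverage estimate are assumptions made for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

SCAN_THRESHOLD = 100        # unique darknet targets on one port (slide 8)
ZMAP_IP_ID = 54321          # static IP ID used by ZMap (slide 9)
DARKNET_SIZE = 5_500_000    # addresses in the paper's darknet (slide 8)
LARGE_SCAN_FRACTION = 0.01  # "large scan" = more than 1% of the space (slide 7)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    ip_id: int
    proto: str        # "tcp", "udp" or "icmp"
    tcp_seq: int = 0  # only meaningful for TCP probes


def masscan_ip_id(dst: str, dst_port: int, tcp_seq: int) -> int:
    """IP ID Masscan would emit for this probe (slide 9 formula; 16-bit mask is an assumption)."""
    return (int(ipaddress.IPv4Address(dst)) ^ dst_port ^ tcp_seq) & 0xFFFF


def fingerprint(pkt: Packet) -> str:
    """Attribute one probe to ZMap, Masscan or an unknown tool from its IP ID."""
    if pkt.ip_id == ZMAP_IP_ID:
        return "zmap"
    if pkt.proto == "tcp" and pkt.ip_id == masscan_ip_id(pkt.dst, pkt.dst_port, pkt.tcp_seq):
        return "masscan"
    return "unknown"


def detect_scans(packets, threshold=SCAN_THRESHOLD, darknet_size=DARKNET_SIZE):
    """Group probes by (source, destination port); keep groups meeting the scan threshold.

    Returns {(src, dst_port): {"targets": n, "tool": name, "coverage": f, "large": bool}}.
    The tool is the majority fingerprint over the group's packets.
    """
    targets = defaultdict(set)
    tools = defaultdict(Counter)
    for p in packets:
        key = (p.src, p.dst_port)
        targets[key].add(p.dst)
        tools[key][fingerprint(p)] += 1

    scans = {}
    for key, dsts in targets.items():
        if len(dsts) < threshold:
            continue  # background noise, not a scan under the slide's definition
        coverage = len(dsts) / darknet_size  # darknet hit fraction as a scope proxy (assumption)
        scans[key] = {
            "targets": len(dsts),
            "tool": tools[key].most_common(1)[0][0],
            "coverage": coverage,
            "large": coverage >= LARGE_SCAN_FRACTION,
        }
    return scans


def build_sample_traffic():
    """Constructed darknet traffic: three scanners plus one low-volume source."""
    net = ipaddress.IPv4Network("10.42.0.0/16")  # constructed darknet range
    pkts = []
    # ZMap-style scan of 150 hosts on 443: constant IP ID.
    for i in range(150):
        pkts.append(Packet("192.0.2.10", str(net[i]), 443, ZMAP_IP_ID, "tcp", tcp_seq=7))
    # Masscan-style scan of 120 hosts on 22: IP ID derived from the probe itself.
    for i in range(120):
        dst, seq = str(net[1000 + i]), (i * 2654435761) & 0xFFFFFFFF
        pkts.append(Packet("192.0.2.20", dst, 22, masscan_ip_id(dst, 22, seq), "tcp", tcp_seq=seq))
    # Unknown tool scanning exactly 100 hosts on 445 with a counting IP ID.
    for i in range(100):
        pkts.append(Packet("192.0.2.30", str(net[2000 + i]), 445, i % 256, "tcp", tcp_seq=1000))
    # Five stray packets from one source: below the threshold, so not a scan.
    for i in range(5):
        pkts.append(Packet("192.0.2.40", str(net[3000 + i]), 80, 0, "udp"))
    return pkts


if __name__ == "__main__":
    for (src, port), info in sorted(detect_scans(build_sample_traffic()).items()):
        print(f"{src}:{port} targets={info['targets']} tool={info['tool']} large={info['large']}")
```

On the constructed traffic the three scanners are reported with their tool attribution and the five-packet source is dropped as noise. Because the per-packet fingerprint can misfire on a single probe (a Masscan IP ID can coincidentally equal 54321), the tool label is taken as the majority vote over the whole scan rather than from any one packet.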

10 Scan Dynamics
- Detected 10.8 million scans from 1.76 million hosts during January 2014
- 4.5 million (41.7%) are TCP SYN scans targeting less than 1% of the IPv4 address space on port 445
- 56.4% TCP SYN packets, 35.0% UDP packets, and 8.6% ICMP echo request packets
- Only 17,918 scans (0.28%) targeted more than 1% of the address space, 2,699 (0.04%) targeted more than 10%, and 614 (0.01%) targeted more than 50%

11 Targeted services
- Close to half of all scan traffic (48.9%) targets NetBIOS (TCP/445)
- 95.1% originate from small scans
- SSH is the most targeted service in large scans

12 Scan Sources
- 77% of scans and 76% of probe packets originate from China.

13 ZMap and Masscan Usage
- Not used in a majority of scans that target less than 10% of the address space
- Used in ~25% of scans that target more than 50%
- More than 90% of scans operate at under 100 Mbps, and over 70% at under 10 Mbps

14 Linksys Backdoor
- December 2013
- Eloi Vanderbeken
- Backdoor in home and small business routers
- Full, unauthenticated, remote access to routers over an undocumented ephemeral port, TCP/32764.
- Scan traffic was not from a large number of distributed botnet hosts, but rather a small number of high-speed scanners

15 Heartbleed Vulnerability
- Vulnerability in the OpenSSL cryptographic library.
- Publicly disclosed on April 7, 2014.
- Allows attackers to remotely dump arbitrary private data.
- Scan traffic more than doubled for several days following the public disclosure.
- Within 24 hours of the vulnerability release, scanning began from China

16 NTP DDoS Attacks
- Network Time Protocol (UDP/123) is a protocol that allows servers to synchronize time.
- Traffic from NTP servers began to rise around December 8, 2013.
- In February 2014, attackers attempted to DDoS a Cloudflare customer with over 400 Gbps of NTP traffic
- One of the IPs hosts a website for the "Openbomb Drone Project" and also hosts the website http://ra.pe
- Another one of the IPs hosts a site stating "#yolo"; one server had a reverse PTR record of "lulz".

17 Defensive Measures
- Drop traffic from repeat scanners
- Report perceived network misuse
- Lack of attention paints a dismal picture of current defensive measures
- University of Michigan: 3rd most aggressive scanner
- 0.05% of the IP space is inaccessible
- 208 organizations requested that their networks be excluded from scans

18 Conclusion
- Did some scanning
- Came up with a lot of numbers
- Compared them to previous work
- Implications of recent changes in scanning behaviour for researchers and network operators

19 Criticism
- Just a lot of data, no real conclusions
- Data set: "For non-temporal analyses, we focus on January 2014."
- IPv6 scanning
- Vertical scanning
- Exclusion standards
- Determining intent
- Understanding defensive reactions

20 Questions? Thank you

