An Internet-Wide View of Internet-Wide Scanning

 Scanning  IPv4  Horizontal scanning – individual ports  Network telescope - darknet What is internet wide scanning?

 Used to take months!  But then ZMap and Masscan  What are they?  Ipv4 scanners  5 minutes … with 10gbs connections  Their impact? How is this done?

 Pang et al, 2004, one of the first comprehensive analyses of Internet background radiation.  Covered many aspects of background traffic, including the most frequently scanned protocols  However, the scanning landscape has changed drastically in the last decade Previous work

 Wustrow et al, 2010, studied Internet background radiation  Increase in scan traffic destined for SSH (TCP/22)  Increased scanning activity targeting port 445 (SMB over IP) in 2009 due to Conficker  Telnet (TCP/23) in 2007 Previous work

 Moore et al. and Cooke et al, The dynamics of performing studies on IPv4 darknet traffic  Utilize both studies when performing calculations Previous work

 Analysed traffic received by a large darknet over a 16- month period  Excluding Conficker, almost 80% of scan traffic originates from large scans targeting >1% of the IPv4 address space  Many scans are being conducted by academic researchers  A large portion of all scanning targets services associated with vulnerabilities (e.g. Microsoft RDP, SQL Server)  The majority of scanning is completed from bullet-proof hosting providers or from China Take out later

 A darknet  January 1, 2013 to May 1, 2014  5.5 million addresses, 0.145% of the public IPv4 address space  Received an average of 1.4 billion packets, or 55 GB of traffic, per day  Defined a scan as: a source address contacted at least 100 unique addresses in our darknet on the same port Dataset

 In ZMap, the IP identification field is statically set to  Masscan : ip_id = dst_addr ⊕ dst_port ⊕ tcp_seqnum Fingerprinting scanners

 Detected 10.8 million scans from 1.76 million hosts during January 2014  4.5 million (41.7%) are TCP SYN scans targeting less than 1% of the IPv4 address space on port 445  56.4% TCP SYN packets, 35.0% UDP packets, and 8.6% ICMP echo request packets  Only 17,918 scans (0.28%) targeted more than 1% of the address space, 2,699 (0.04%) targeted more than 10%, and 614 (0.01%) targeted more than 50% Scan Dynamics

 Close to half of all scan traffic (48.9%) targets NetBIOS (TCP/445)  95.1% originate from small scans  SSH is the most targeted service in large scans Targeted services

 77% of scans and 76% of probe packets originate from China. Scan Sources

 Weren’t used in a majority of scans less than 10%  ~25% of scans for more than 50%  more than 90% of scans operate at under 100 Mbps, and over 70% are operated at under 10 Mbps ZMap and Masscan Usage

 December 2013  Eloi Vanderbeken  Backdoor in home and small business routers  Full, unauthenticated, remote access to routers over an undocumented ephemeral port, TCP/  Scan traffic was not from a large number of distributed botnets hosts, but rather a small number of high-speed scanners Linksys Backdoor

 Vulnerability in the OpenSSL cryptographic library.  Publicly disclosed on April 7,  Allows attackers to remotely dump arbitrary private data.  Scan traffic was more than doubled for several days following the public disclosure.  Within 24 hours of the vulnerability release, scanning began from China Heartbleed Vulnerability

 Network Time Protocol (UDP/123) is a protocol that allows servers to synchronize time.  Traffic from NTP servers began to rise around December 8,  In February 2014, attackers attempted to DDoS a Cloudflare customer with over 400 Gbps of NTP traffic  One of the IPs hosts a website for the “Openbomb Drone Project” and also hosts the website  Another one of the IPs hosts a site stating “#yolo”; one server had a reverse PTR record of “lulz”. NTP DDoS Attacks

 Drop traffic from repeat scanners  Report perceived network misuse  Lack of attention paints a dismal picture of current defensive measures  University of Michigan: 3 rd most aggressive scanner  0.05% of the IP space is inaccessible  208 organizations requested that their networks be excluded from scans Defensive Measures

 Did some scanning  Came up with a lot of numbers  Compared them to previous work  Implications of recent changes in scanning behaviour for researchers and network operators Conclusion

 Just a lot of data, no real conclusions  Data set : “ For non-temporal analyses, we focus on January 2014.”  IPv6 scanning  Vertical scanning  Exclusion standards  Determining intent  Understanding defensive reactions Criticism

Questions? Thank you