An Internet-Wide View of Internet-Wide Scanning

What is internet-wide scanning?
- Scanning IPv4
- Horizontal scanning: individual ports
- Network telescope (darknet)

How is this done?
- Used to take months! But then ZMap and Masscan
- What are they? IPv4 scanners: 5 minutes ... with 10 Gbps connections
- Their impact?

Previous work
- Pang et al., 2004: one of the first comprehensive analyses of Internet background radiation. Covered many aspects of background traffic, including the most frequently scanned protocols.
- However, the scanning landscape has changed drastically in the last decade.

Previous work
- Wustrow et al., 2010: studied Internet background radiation
  - Increase in scan traffic destined for SSH (TCP/22)
  - Increased scanning activity targeting port 445 (SMB over IP) in 2009 due to Conficker
  - Telnet (TCP/23) in 2007

Previous work
- Moore et al. and Cooke et al.: the dynamics of performing studies on IPv4 darknet traffic
- Utilize both studies when performing calculations

Take out later
- Analysed traffic received by a large darknet over a 16-month period
- Excluding Conficker, almost 80% of scan traffic originates from large scans targeting >1% of the IPv4 address space
- Many scans are being conducted by academic researchers
- A large portion of all scanning targets services associated with vulnerabilities (e.g. Microsoft RDP, SQL Server)
- The majority of scanning is completed from bullet-proof hosting providers or from China

Dataset
- A darknet, January 1, 2013 to May 1, 2014
- 5.5 million addresses, 0.145% of the public IPv4 address space
- Received an average of 1.4 billion packets, or 55 GB of traffic, per day
- Defined a scan as: a source address contacted at least 100 unique addresses in our darknet on the same port

Fingerprinting scanners
- In ZMap, the IP identification field is statically set to 54321
- Masscan: ip_id = dst_addr ⊕ dst_port ⊕ tcp_seqnum
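The two heuristics on this slide can be turned into a passive classifier that a darknet or IDS sensor applies to captured probes. The following is an added example written for this transcript; it is not ZMap's or Masscan's code and not part of the paper. It takes the ZMap constant (54321) and the Masscan formula (dst_addr ⊕ dst_port ⊕ tcp_seqnum) from the slide; everything else is this example's assumption: that captured packets are IPv4 without options followed by a TCP header, and that the XOR result is truncated to 16 bits because the IP identification field is 16 bits wide. The `constructed_syn` helper only builds header bytes as a test fixture, nothing is transmitted.

```python
# Added example (not ZMap's or Masscan's code): classify a captured probe by
# the IP identification heuristics on the slide.
import ipaddress
import struct

ZMAP_IP_ID = 54321  # slide: ZMap sets the IP identification field to this constant


def masscan_ip_id(dst_addr, dst_port, tcp_seq):
    """Slide: ip_id = dst_addr XOR dst_port XOR tcp_seqnum.
    Truncation to 16 bits is this example's assumption (IP ID is a 16-bit field)."""
    return (int(ipaddress.IPv4Address(dst_addr)) ^ dst_port ^ tcp_seq) & 0xFFFF


def fingerprint(ip_id, dst_addr, dst_port, tcp_seq):
    """Return 'zmap', 'masscan' or 'other' for one probe's header fields."""
    if ip_id == ZMAP_IP_ID:
        return "zmap"
    if ip_id == masscan_ip_id(dst_addr, dst_port, tcp_seq):
        return "masscan"
    return "other"


def parse_probe(packet):
    """Extract (ip_id, dst_addr, dst_port, tcp_seq) from raw IPv4+TCP bytes.
    Assumes an IPv4 header (IHL honoured) directly followed by TCP."""
    ihl = (packet[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", packet[4:6])[0]
    dst_addr = str(ipaddress.IPv4Address(packet[16:20]))
    tcp = packet[ihl:ihl + 20]
    dst_port, tcp_seq = struct.unpack("!HI", tcp[2:8])
    return ip_id, dst_addr, dst_port, tcp_seq


def fingerprint_packet(packet):
    return fingerprint(*parse_probe(packet))


def constructed_syn(ip_id, dst_addr, dst_port, tcp_seq):
    """Test fixture only: the IPv4+TCP SYN header bytes a darknet sensor would
    capture, with a constructed source address. Nothing is sent; checksums are 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("198.51.100.7").packed,
                     ipaddress.IPv4Address(dst_addr).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, tcp_seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    probe = constructed_syn(ZMAP_IP_ID, "192.0.2.10", 443, 0x12345678)
    print(parse_probe(probe), fingerprint_packet(probe))
```

Both checks are heuristics, not proof: a scanner can set any IP ID it likes, and an unrelated packet matches the Masscan formula by chance with probability 1/65536, so a sensor should count matches per source over many probes rather than trust a single packet.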

Scan Dynamics
- Detected 10.8 million scans from 1.76 million hosts during January 2014
- 4.5 million (41.7%) are TCP SYN scans targeting less than 1% of the IPv4 address space on port 445
- 56.4% TCP SYN packets, 35.0% UDP packets, and 8.6% ICMP echo request packets
- Only 17,918 scans (0.28%) targeted more than 1% of the address space, 2,699 (0.04%) targeted more than 10%, and 614 (0.01%) targeted more than 50%
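The Dataset slide's scan definition (one source reaching at least 100 unique darknet addresses on one port) and the coverage buckets on this slide (>1%, >10%, >50% of the address space) can be worked through together on a small input. The block below is an added example for this transcript, not the paper's analysis code. It assumes a constructed flow-record layout (`timestamp src dst proto dport`), stands in a constructed /24 for the darknet instead of the paper's 5.5 million addresses, and extrapolates coverage on the assumption that a scanner picks targets uniformly at random, so the fraction of the darknet it touched estimates the fraction of the IPv4 space it targeted.

```python
# Added example (not the paper's code): detect scans under the slide's
# definition and estimate how much of the address space each one targets.
import ipaddress
from collections import defaultdict

# Dataset slide: a scan is a source that contacted >= 100 unique darknet
# addresses on the same port.
SCAN_THRESHOLD = 100


def parse_flow(line):
    """One constructed record: '<timestamp> <src> <dst> <proto> <dport>'.
    This layout is an assumption of the example, not the paper's format."""
    _ts, src, dst, proto, dport = line.split()
    return src, dst, proto, int(dport)


def detect_scans(lines, threshold=SCAN_THRESHOLD):
    """Group flows by (source, protocol, destination port); keep groups that
    reached at least `threshold` distinct darknet addresses."""
    targets = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        targets[(src, proto, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= threshold}


def estimate_coverage(unique_dsts, darknet_size):
    """Assumption: uniform-random targeting, so the share of the darknet hit
    estimates the share of the IPv4 space targeted."""
    return unique_dsts / darknet_size


def coverage_bucket(fraction):
    """The buckets used on the Scan Dynamics slide."""
    if fraction > 0.5:
        return ">50%"
    if fraction > 0.1:
        return ">10%"
    if fraction > 0.01:
        return ">1%"
    return "<=1%"


def analyze(lines, darknet_size):
    """Map each detected scan to (unique darknet addresses hit, coverage bucket)."""
    return {
        key: (count, coverage_bucket(estimate_coverage(count, darknet_size)))
        for key, count in detect_scans(lines).items()
    }


def constructed_sample():
    """Constructed darknet: 203.0.113.0/24 (254 monitored addresses). Three
    constructed sources: a port 445 sweep of 150 addresses, a port 22 sweep of
    exactly 100 addresses, and a source that touches only 5."""
    darknet = [str(a) for a in ipaddress.ip_network("203.0.113.0/24").hosts()]
    lines = []
    lines += [f"2014-01-15T00:00:01 198.51.100.7 {d} TCP 445" for d in darknet[:150]]
    lines += [f"2014-01-15T00:00:02 198.51.100.9 {d} TCP 22" for d in darknet[:100]]
    lines += [f"2014-01-15T00:00:03 198.51.100.20 {d} TCP 80" for d in darknet[:5]]
    return lines, len(darknet)


if __name__ == "__main__":
    sample, size = constructed_sample()
    for (src, proto, dport), (count, bucket) in analyze(sample, size).items():
        print(f"{src} {proto}/{dport}: {count} darknet addresses, est. coverage {bucket}")
```

With the paper's real darknet size the same arithmetic shows why the threshold matters: 100 hits out of 5.5 million monitored addresses is an estimated coverage far below 1%, which is exactly the "small scan" population that dominates the counts on this slide, while a sweep of a large fraction of the darknet is evidence of a large scan.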

Targeted services
- Close to half of all scan traffic (48.9%) targets NetBIOS (TCP/445)
- 95.1% originate from small scans
- SSH is the most targeted service in large scans

Scan Sources
- 77% of scans and 76% of probe packets originate from China.

ZMap and Masscan Usage
- Weren't used in a majority of scans: less than 10% of scans
- About 25% of scans of more than 50% of the address space
- More than 90% of scans operate at under 100 Mbps, and over 70% at under 10 Mbps

Linksys Backdoor
- December 2013, Eloi Vanderbeken: backdoor in home and small business routers
- Full, unauthenticated, remote access to routers over an undocumented ephemeral port, TCP/32764
- Scan traffic was not from a large number of distributed botnet hosts, but rather from a small number of high-speed scanners

Heartbleed Vulnerability
- Vulnerability in the OpenSSL cryptographic library
- Publicly disclosed on April 7, 2014
- Allows attackers to remotely dump arbitrary private data
- Scan traffic more than doubled for several days following the public disclosure
- Within 24 hours of the vulnerability release, scanning began from China

NTP DDoS Attacks
- Network Time Protocol (UDP/123) is a protocol that allows servers to synchronize time
- Traffic from NTP servers began to rise around December 8, 2013
- In February 2014, attackers attempted to DDoS a Cloudflare customer with over 400 Gbps of NTP traffic
- One of the IPs hosts a website for the "Openbomb Drone Project" and also hosts the website http://ra.pe; another of the IPs hosts a site stating "#yolo"; one server had a reverse PTR record of "lulz"

Defensive Measures
- Drop traffic from repeat scanners
- Report perceived network misuse
- Lack of attention paints a dismal picture of current defensive measures
- University of Michigan: 3rd most aggressive scanner
  - 0.05% of the IP space is inaccessible
  - 208 organizations requested that their networks be excluded from scans

Conclusion
- Did some scanning
- Came up with a lot of numbers
- Compared them to previous work
- Implications of recent changes in scanning behaviour for researchers and network operators

Criticism
- Just a lot of data, no real conclusions
- Data set: "For non-temporal analyses, we focus on January 2014."
- Not covered: IPv6 scanning, vertical scanning, exclusion standards, determining intent, understanding defensive reactions

Questions?
Thank you