How Dangerous Is Internet Scanning? - Traffic Monitoring and Analysis
Conference Papers, Year: 2015

How Dangerous Is Internet Scanning?


Internet scanning is a de facto background traffic noise, and it is not clear whether it poses a dangerous threat: what happens to scanned hosts, what is the success rate of scanning, and is the problem worth investing significant effort and money in mitigating, e.g., by filtering unwanted traffic? In this work we take a first look into Internet scanning from the point of view of scan repliers, using a unique combination of data sets which allows us to estimate how many hosts replied to scanners and whether they were subsequently attacked in an actual network. To contain our analysis, we focus on a specific interesting scanning event that was orchestrated by the Sality botnet during February 2011 and that scanned the entire IPv4 address space. By analyzing unsampled NetFlow records, we show that 2 % of the scanned hosts actually replied to the scanners. Moreover, by correlating scan replies with IDS alerts from the same network, we show that significant exploitation activity followed towards the repliers, which eventually led to an estimated 8 % of compromised repliers. These observations suggest that Internet scanning is dangerous: in our university network, at least 142 scanned hosts were eventually compromised. World-wide, the number of hosts that were compromised in response to the studied event is likely much larger.
Main file: 336978_1_En_11_Chapter.pdf (1.22 MB)
Origin: Files produced by the author(s)

Dates and versions

hal-01411192, version 1 (07-12-2016)





Elias Raftopoulos, Eduard Glatz, Xenofontas Dimitropoulos, Alberto Dainotti. How Dangerous Is Internet Scanning?. 7th Workshop on Traffic Monitoring and Analysis (TMA), Apr 2015, Barcelona, Spain. pp.158-172, ⟨10.1007/978-3-319-17172-2_11⟩. ⟨hal-01411192⟩


