an internet-wide view of internet-wide scanning. scanning ipv4 horizontal scanning – individual...
TRANSCRIPT
An Internet-Wide View of Internet-Wide Scanning
Scanning IPv4 Horizontal scanning – individual ports Network telescope - darknet
What is internet wide scanning?
Used to take months! But then ZMap and Masscan What are they?
Ipv4 scanners 5 minutes … with 10gbs connections
Their impact?
How is this done?
Pang et al, 2004, one of the first comprehensive analyses of Internet background radiation. Covered many aspects of background traffic,
including the most frequently scanned protocols
However, the scanning landscape has changed drastically in the last decade
Previous work
Wustrow et al, 2010, studied Internet background radiation Increase in scan traffic destined for SSH
(TCP/22) Increased scanning activity targeting port 445
(SMB over IP) in 2009 due to Conficker Telnet (TCP/23) in 2007
Previous work
Moore et al. and Cooke et al, The dynamics of performing studies on IPv4 darknet traffic Utilize both studies when performing
calculations
Previous work
Analysed traffic received by a large darknet over a 16-month period
Excluding Conficker, almost 80% of scan traffic originates from large scans targeting >1% of the IPv4 address space
Many scans are being conducted by academic researchers
A large portion of all scanning targets services associated with vulnerabilities (e.g. Microsoft RDP, SQL Server)
The majority of scanning is completed from bullet-proof hosting providers or from China
Take out later
A darknet January 1, 2013 to May 1, 2014 5.5 million addresses, 0.145% of the public
IPv4 address space Received an average of 1.4 billion packets, or
55 GB of traffic, per day Defined a scan as: a source address contacted
at least 100 unique addresses in our darknet on the same port
Dataset
In ZMap, the IP identification field is statically set to 54321
Masscan : ip_id = dst_addr⊕dst_port⊕tcp_seqnum
Fingerprinting scanners
Detected 10.8 million scans from 1.76 million hosts during January 2014
4.5 million (41.7%) are TCP SYN scans targeting less than 1% of the IPv4 address space on port 445
56.4% TCP SYN packets, 35.0% UDP packets, and 8.6% ICMP echo request packets
Only 17,918 scans (0.28%) targeted more than 1% of the address space, 2,699 (0.04%) targeted more than 10%, and 614 (0.01%) targeted more than 50%
Scan Dynamics
Close to half of all scan traffic (48.9%) targets NetBIOS (TCP/445)
95.1% originate from small scans SSH is the most targeted service in large
scans
Targeted services
77% of scans and 76% of probe packets originate from China.
Scan Sources
Weren’t used in a majority of scans less than 10%
~25% of scans for more than 50% more than 90% of scans operate at under
100 Mbps, and over 70% are operated at under 10 Mbps
ZMap and Masscan Usage
December 2013 Eloi Vanderbeken Backdoor in home and small business
routers Full, unauthenticated, remote access to
routers over an undocumented ephemeral port, TCP/32764.
Scan traffic was not from a large number of distributed botnets hosts, but rather a small number of high-speed scanners
Linksys Backdoor
Vulnerability in the OpenSSL cryptographic library.
Publicly disclosed on April 7, 2014. Allows attackers to remotely dump arbitrary
private data. Scan traffic was more than doubled for
several days following the public disclosure. Within 24 hours of the vulnerability release,
scanning began from China
Heartbleed Vulnerability
Network Time Protocol (UDP/123) is a protocol that allows servers to synchronize time.
Traffic from NTP servers began to rise around December 8, 2013 .
In February 2014, attackers attempted to DDoS a Cloudflare customer with over 400 Gbps of NTP traffic
One of the IPs hosts a website for the “Openbomb Drone Project” and also hosts the website http://ra.pe;
Another one of the IPs hosts a site stating “#yolo”; one server had a reverse PTR record of “lulz”.
NTP DDoS Attacks
Drop traffic from repeat scanners Report perceived network misuse Lack of attention paints a dismal picture of
current defensive measures University of Michigan: 3rd most aggressive
scanner 0.05% of the IP space is inaccessible 208 organizations requested that their
networks be excluded from scans
Defensive Measures
Did some scanning Came up with a lot of numbers Compared them to previous work Implications of recent changes in scanning
behaviour for researchers and network operators
Conclusion
Just a lot of data, no real conclusions Data set : “ For non-temporal analyses, we
focus on January 2014.” IPv6 scanning Vertical scanning Exclusion standards Determining intent Understanding defensive reactions
Criticism
Questions?
Thank you