Analysis of a "/0" Stealth Scan from a Botnet

A version of this paper was later published in 2014 to IEEE/ACM Transactions on Networking (ToN).

A. Dainotti, A. King, K. Claffy, F. Papale, and A. Pescapè, "Analysis of a "/0" Stealth Scan from a Botnet", Nov 2012, pp. 1-14.


Alberto Dainotti (1), Alistair King (1), Kimberly Claffy (1), Ferdinando Papale (2), Antonio Pescapè (2)

(1) CAIDA, San Diego Supercomputer Center, University of California, San Diego
(2) University of Napoli Federico II, Napoli, Italy

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February of last year. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, and its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
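The abstract describes the defining signature of this event as seen from a darknet: a very large number of distinct sources, each sending only a few SIP probes, that together cover the monitored /8 almost completely. The following is an added illustration (not CAIDA's code, and not the paper's analysis pipeline) of how a telescope operator might summarize per-port darknet records to separate such a coordinated horizontal scan from ordinary background radiation. Everything in it is constructed: 10.0.0.0/8 stands in for the undisclosed telescope prefix, the source addresses come from documentation ranges, and the thresholds in classify() are illustrative assumptions rather than values taken from the paper.

```python
import ipaddress
from collections import defaultdict

# Assumption: the telescope monitors one /8. 10.0.0.0/8 is a placeholder for
# the real darknet prefix; every record below is constructed sample data.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
SIP_PORT = 5060


def build_sample_records():
    """Construct darknet packet records as (src, dst, dport) tuples."""
    records = []
    # 200 constructed 'bot' sources, each probing only 5 addresses, but
    # together touching every /16 of the telescope: low per-source activity,
    # high aggregate coverage, no overlap between sources.
    for i in range(200):
        src = f"198.51.100.{i}"
        for k in range(5):
            dst = f"10.{(5 * i + k) % 256}.{i}.{k + 1}"
            records.append((src, dst, SIP_PORT))
    # One source retrying a single SIP target twice (not a scan).
    records += [("203.0.113.7", "10.1.1.1", SIP_PORT)] * 2
    # Unrelated background radiation on port 80.
    records += [("203.0.113.9", "10.2.3.4", 80), ("203.0.113.9", "10.2.3.5", 80)]
    return records


def horizontal_scan_stats(records, port):
    """Summarize how the telescope's address space is touched on one port."""
    hits = defaultdict(set)        # target address -> sources that probed it
    per_source = defaultdict(set)  # source -> target addresses it probed
    for src, dst, dport in records:
        if dport != port:
            continue
        d = ipaddress.ip_address(dst)
        if d not in TELESCOPE:
            continue
        hits[d].add(src)
        per_source[src].add(d)
    # Second octet identifies the /16 block inside the monitored /8.
    blocks = {d.packed[1] for d in hits}
    n_targets, n_sources = len(hits), len(per_source)
    return {
        "sources": n_sources,
        "targets": n_targets,
        "blocks_covered": len(blocks),
        "coverage": len(blocks) / 256,
        "mean_targets_per_source": n_targets / n_sources if n_sources else 0.0,
        # Fraction of targets probed by more than one source: coordinated
        # bots partition the space, so this stays near zero.
        "overlap": (sum(1 for s in hits.values() if len(s) > 1) / n_targets
                    if n_targets else 0.0),
    }


def classify(stats, min_sources=100, min_coverage=0.9, max_per_source=16):
    """Illustrative thresholds (assumptions, not values from the paper)."""
    if stats["targets"] == 0:
        return "no scan"
    if (stats["sources"] >= min_sources
            and stats["coverage"] >= min_coverage
            and stats["mean_targets_per_source"] <= max_per_source):
        return "coordinated horizontal scan"
    if stats["coverage"] >= min_coverage:
        return "horizontal scan"
    return "no scan"


if __name__ == "__main__":
    recs = build_sample_records()
    for port in (SIP_PORT, 80):
        s = horizontal_scan_stats(recs, port)
        print(port, classify(s), s)
```

The point of the per-source and overlap metrics is that the scan would be invisible to a detector that looks only at how many probes each individual source sends; the coverage metric, computed across all sources together, is what exposes it.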

Last Modified: Mon Oct-13-2014 16:36:34 PDT
Page URL: http://www.caida.org/publications/papers/2012/analysis_slash_zero/index.xml