Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2015 : analysis_slash_zero
Analysis of a "/0" Stealth Scan from a Botnet
A. Dainotti, A. King, K. Claffy, F. Papale, and A. Pescapè, "Analysis of a "/0" Stealth Scan from a Botnet", IEEE/ACM Transactions on Networking, vol. 23, no. 2, pp. 341--354, Apr 2015.

An earlier version of this paper was presented in the proceedings of the Internet Measurement Conference (IMC) in 2012.

|   View full paper:    PDF    Data Supplement    DOI    PDF (IMC version)    Related Presentation    Related Presentation (video)    |  Citation:    BibTeX    Resource Catalog   |

Analysis of a "/0" Stealth Scan from a Botnet

Alberto Dainotti1
Alistair King1
Kimberly Claffy1
Ferdinando Papale2
Antonio Pescapè2

CAIDA, San Diego Supercomputer Center, University of California San Diego


University of Napoli Federico II,
Napoli, Italy

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure.

We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet‛s scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.

Keywords: measurement methodology, network telescope, security
  Last Modified: Tue Nov-17-2020 04:47:23 UTC
  Page URL: