Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > publications : papers : 2015 : how_dangerous_internet_scanning
How Dangerous Is Internet Scanning? A Measurement Study of the Aftermath of an Internet-Wide Scan
E. Raftopoulos, E. Glatz, X. Dimitropoulos, and A. Dainotti, "How Dangerous Is Internet Scanning? A Measurement Study of the Aftermath of an Internet-Wide Scan", in Traffic Monitoring and Analysis Workshop (TMA), Apr 2015, vol. 9053, pp. 158--172.
|   View full paper:    PDF    DOI    |  Citation:    BibTeX   |

How Dangerous Is Internet Scanning? A Measurement Study of the Aftermath of an Internet-Wide Scan

Elias Raftopoulos2
Eduard Glatz3
Xenofontas Dimitropoulos3, 4
Alberto Dainotti1
1

CAIDA, San Diego Supercomputer Center, University of California San Diego

2

Computer Science and Artificial Intelligence Laboratory - CSAIL, Massachusetts Institute of Technology

3

ETH Zurich

4

FORTH-ICS

Internet scanning is a de facto background traffic noise that is not clear if it poses a dangerous threat, i.e., what happens to scanned hosts? what is the success rate of scanning? and whether the problem is worth investing significant effort and money on mitigating it, e.g., by filtering unwanted traffic? In this work we take a first look into Internet scanning from the point of view of scan repliers using a unique combination of data sets which allows us to estimate how many hosts replied to scanners and whether they were subsequently attacked in an actual network. To contain our analysis, we focus on a specific interesting scanning event that was orchestrated by the Sality botnet during February 2011 which scanned the entire IPv4 address space. By analyzing unsampled NetFlow records, we show that 2% of the scanned hosts actually replied to the scanners. Moreover, by correlating scan replies with IDS alerts from the same network, we show that significant exploitation activity followed towards the repliers, which eventually led to an estimated 8% of compromised repliers. These observations suggest that Internet scanning is dangerous: in our university network, at least 142 scanned hosts were eventually compromised. World-wide, the number of hosts that were compromised in response to the studied event is likely much larger.

Keywords: measurement methodology, network telescope, security
  Last Modified: Wed Oct-11-2017 17:04:05 PDT
  Page URL: http://www.caida.org/publications/papers/2015/how_dangerous_internet_scanning/index.xml