Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope

by   Raphael Hiesgen, et al.

Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.


Illuminating Large-Scale IPv6 Scanning in the Internet

While scans of the IPv4 space are ubiquitous, today little is known abou...

Aggressive Internet-Wide Scanners: Network Impact and Longitudinal Characterization

Aggressive network scanners, i.e., ones with immoderate and persistent b...

Identifying and characterizing ZMap scans: a cryptanalytic approach

Network scanning tools play a major role in Internet security. They are ...

Sorry, Shodan is not Enough! Assessing ICS Security via IXP Network Traffic Analysis

Modern Industrial Control Systems (ICSs) allow remote communication thro...

Scan Correlation – Revealing distributed scan campaigns

Public networks are exposed to port scans from the Internet. Attackers s...

Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

In this work we identify scanning strategies of IPv6 scanners on the Int...

Typosquatting for Fun and Profit: Cross-Country Analysis of Pop-Up Scam

Today, many different types of scams can be found on the internet. Onlin...

Please sign up or login with your details

Forgot password? Click here to reset