Slides

advertisement
An Internet-Wide View of
Internet-Wide Scanning
What is internet wide scanning?




Scanning
IPv4
Horizontal scanning – individual ports
Network telescope - darknet
How is this done?
 Used to take months!
 But then ZMap and Masscan
 What are they?
 Ipv4 scanners
 5 minutes … with 10gbs connections
 Their impact?
Previous work
 Pang et al, 2004, one of the first comprehensive
analyses of Internet background radiation.
 Covered many aspects of background traffic, including
the most frequently scanned protocols
 However, the scanning landscape has changed
drastically in the last decade
Previous work
 Wustrow et al, 2010, studied Internet background
radiation
 Increase in scan traffic destined for SSH (TCP/22)
 Increased scanning activity targeting port 445 (SMB
over IP) in 2009 due to Conficker
 Telnet (TCP/23) in 2007
Previous work
 Moore et al. and Cooke et al, The dynamics of
performing studies on IPv4 darknet traffic
 Utilize both studies when performing calculations
Take out
later
 Analysed traffic received by a large darknet over a 16month period
 Excluding Conficker, almost 80% of scan traffic originates
from large scans targeting >1% of the IPv4 address space
 Many scans are being conducted by academic researchers
 A large portion of all scanning targets services associated
with vulnerabilities (e.g. Microsoft RDP, SQL Server)
 The majority of scanning is completed from bullet-proof
hosting providers or from China
Dataset
 A darknet
 January 1, 2013 to May 1, 2014
 5.5 million addresses, 0.145% of the public IPv4
address space
 Received an average of 1.4 billion packets, or 55 GB of
traffic, per day
 Defined a scan as: a source address contacted at least
100 unique addresses in our darknet on the same port
Fingerprinting scanners
 In ZMap, the IP identification field is statically set to
54321
 Masscan : ip_id = dst_addr⊕dst_port⊕tcp_seqnum
Scan Dynamics
 Detected 10.8 million scans from 1.76 million hosts
during January 2014
 4.5 million (41.7%) are TCP SYN scans targeting less
than 1% of the IPv4 address space on port 445
 56.4% TCP SYN packets, 35.0% UDP packets, and 8.6%
ICMP echo request packets
 Only 17,918 scans (0.28%) targeted more than 1% of the
address space, 2,699 (0.04%) targeted more than 10%,
and 614 (0.01%) targeted more than 50%
Targeted services
 Close to half of all scan traffic (48.9%) targets NetBIOS
(TCP/445)
 95.1% originate from small scans
 SSH is the most targeted service in large scans
Scan Sources
 77% of scans and 76% of probe packets originate from
China.
ZMap and Masscan Usage
 Weren’t used in a majority of scans less than 10%
 ~25% of scans for more than 50%
 more than 90% of scans operate at under 100 Mbps,
and over 70% are operated at under 10 Mbps
Linksys Backdoor




December 2013
Eloi Vanderbeken
Backdoor in home and small business routers
Full, unauthenticated, remote access to routers over
an undocumented ephemeral port, TCP/32764.
 Scan traffic was not from a large number of
distributed botnets hosts, but rather a small number
of high-speed scanners
Heartbleed Vulnerability
 Vulnerability in the OpenSSL cryptographic
library.
 Publicly disclosed on April 7, 2014.
 Allows attackers to remotely dump arbitrary
private data.
 Scan traffic was more than doubled for several
days following the public disclosure.
 Within 24 hours of the vulnerability release,
scanning began from China
NTP DDoS Attacks
 Network Time Protocol (UDP/123) is a protocol that allows
servers to synchronize time.
 Traffic from NTP servers began to rise around December 8,
2013 .
 In February 2014, attackers attempted to DDoS a
Cloudflare customer with over 400 Gbps of NTP traffic
 One of the IPs hosts a website for the “Openbomb Drone
Project” and also hosts the website http://ra.pe;
 Another one of the IPs hosts a site stating “#yolo”; one
server had a reverse PTR record of “lulz”.
Defensive Measures
 Drop traffic from repeat scanners
 Report perceived network misuse
 Lack of attention paints a dismal picture of current
defensive measures
 University of Michigan: 3rd most aggressive scanner
 0.05% of the IP space is inaccessible
 208 organizations requested that their networks be
excluded from scans
Conclusion




Did some scanning
Came up with a lot of numbers
Compared them to previous work
Implications of recent changes in scanning behaviour
for researchers and network operators
Criticism
 Just a lot of data, no real conclusions
 Data set : “ For non-temporal analyses, we focus on
January 2014.”
 IPv6 scanning
 Vertical scanning
 Exclusion standards
 Determining intent
 Understanding defensive reactions
Thank you
Questions?
Download