Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope

Publikation: Beitrag in Buch/Konferenzbericht/Sammelband/GutachtenBeitrag in KonferenzbandBeigetragenBegutachtung

Beitragende

  • Raphael Hiesgen - , Hochschule fur Angewandte Wissenschaften Hamburg (HAW) (Autor:in)
  • Marcin Nawrocki - , Freie Universität (FU) Berlin (Autor:in)
  • Alistair King - , Kentik (Autor:in)
  • Alberto Dainotti - , University of California at San Diego, Georgia Institute of Technology (Autor:in)
  • Thomas C. Schmidt - , Hochschule fur Angewandte Wissenschaften Hamburg (HAW) (Autor:in)
  • Matthias Wählisch - , Professur für Distributed and Networked Systems (Autor:in)

Abstract

Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack. This remains invisible to network telescopes, which only capture the first incoming packet, and is not observed as a related event by honeypots, either. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.

Details

OriginalspracheEnglisch
TitelProceedings of 31st USENIX Security Symposium
Herausgeber (Verlag)USENIX Association
Seiten431-448
Seitenumfang18
ISBN (Print)978-1-939133-31-1
PublikationsstatusVeröffentlicht - 2022
Peer-Review-StatusJa

Publikationsreihe

ReiheUSENIX Security Symposium

Konferenz

Titel31st USENIX Security Symposium, Security 2022
Dauer10 - 12 August 2022
StadtBoston
LandUSA/Vereinigte Staaten

Externe IDs

ORCID /0000-0002-3825-2807/work/142241903