How Dangerous Is Internet Scanning?

A Measurement Study of the Aftermath of an Internet-Wide Scan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)


Internet scanning is a de facto background traffic noise, yet it is not clear whether it poses a dangerous threat: what happens to scanned hosts, what is the success rate of scanning, and is the problem worth investing significant effort and money in mitigating, e.g., by filtering unwanted traffic? In this work we take a first look into Internet scanning from the point of view of scan repliers, using a unique combination of data sets that allows us to estimate how many hosts replied to scanners and whether they were subsequently attacked in an actual network. To contain our analysis, we focus on a specific, interesting scanning event orchestrated by the Sality botnet during February 2011, which scanned the entire IPv4 address space. By analyzing unsampled NetFlow records, we show that 2 % of the scanned hosts actually replied to the scanners. Moreover, by correlating scan replies with IDS alerts from the same network, we show that significant exploitation activity followed towards the repliers, which eventually led to an estimated 8 % of compromised repliers. These observations suggest that Internet scanning is dangerous: in our university network, at least 142 scanned hosts were eventually compromised. Worldwide, the number of hosts that were compromised in response to the studied event is likely much larger.


Keywords: Botnet characterization, Network scanning, IDS, NetFlow
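The flow-to-alert correlation the abstract describes can be sketched as follows; this is an added example, not the authors' code. The record layouts, the monitored prefix, the 60-second reply window and the `exploit`/`compromise` alert labels are assumptions, and all sample data is constructed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst")          # one unidirectional flow record
Alert = namedtuple("Alert", "ts src dst kind")   # kind: assumed labels "exploit" / "compromise"
MONITORED = ipaddress.ip_network("10.0.0.0/24")  # assumed monitored network

def internal(ip):
    return ipaddress.ip_address(ip) in MONITORED

def correlate(flows, alerts, scanners, reply_window=60):
    """Return (scanned, repliers, attacked, compromised) sets of internal hosts."""
    probes = {}  # (scanner, target) -> probe timestamps
    for f in flows:
        if f.src in scanners and internal(f.dst):
            probes.setdefault((f.src, f.dst), []).append(f.ts)
    first_reply = {}  # replier -> time of its first reply to a scanner
    for f in flows:
        # A reply is a reverse-direction flow shortly after a probe.
        if any(0 <= f.ts - t <= reply_window for t in probes.get((f.dst, f.src), [])):
            first_reply[f.src] = min(f.ts, first_reply.get(f.src, f.ts))
    attacked, compromised = set(), set()
    for a in sorted(alerts, key=lambda a: a.ts):
        # Count only exploitation that follows the reply, and only
        # compromise indicators that follow such exploitation.
        if a.kind == "exploit" and a.ts > first_reply.get(a.dst, float("inf")):
            attacked.add(a.dst)
        elif a.kind == "compromise" and a.src in attacked:
            compromised.add(a.src)
    return {t for _, t in probes}, set(first_reply), attacked, compromised

# Constructed sample data (documentation address ranges, made-up timestamps).
SCANNERS = {"198.51.100.7", "203.0.113.9"}
FLOWS = [
    Flow(100, "198.51.100.7", "10.0.0.1"), Flow(101, "10.0.0.1", "198.51.100.7"),
    Flow(101, "198.51.100.7", "10.0.0.2"),                    # probed, never replied
    Flow(102, "203.0.113.9", "10.0.0.3"), Flow(104, "10.0.0.3", "203.0.113.9"),
    Flow(103, "198.51.100.7", "10.0.0.4"), Flow(900, "10.0.0.4", "198.51.100.7"),  # too late
]
ALERTS = [
    Alert(50, "10.0.0.3", "192.0.2.1", "compromise"),         # predates the scan
    Alert(500, "192.0.2.50", "10.0.0.1", "exploit"),
    Alert(600, "192.0.2.50", "10.0.0.3", "exploit"),
    Alert(650, "192.0.2.50", "10.0.0.2", "exploit"),          # target is not a replier
    Alert(800, "10.0.0.1", "192.0.2.99", "compromise"),
]

if __name__ == "__main__":
    scanned, repliers, attacked, compromised = correlate(FLOWS, ALERTS, SCANNERS)
    print(f"reply rate {len(repliers)}/{len(scanned)}, "
          f"compromised repliers {len(compromised)}/{len(repliers)}")
```

Ordering alerts by time keeps a host that was already raising compromise alerts before the scan from being attributed to it.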



Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. ETH Zurich, Zürich, Switzerland
  2. FORTH-ICS, Crete, Greece
  3. CAIDA, UC San Diego, San Diego, USA
