On Inferring and Characterizing Large-Scale Probing and DDoS Campaigns

  • Elias Bou-HarbEmail author
  • Claude Fachkha


The explosive growth, complexity, adoption, and dynamism of cyberspace over the last decade have radically altered the globe. A plethora of nations have been at the very forefront of this change, fully embracing the opportunities provided by the advancements in science and technology in order to fortify the economy and to increase the productivity of everyday’s life. However, the significant dependence on cyberspace has indeed brought new risks that often compromise, exploit, and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, generating cyber threat intelligence related to probing/scanning and Distributed Denial of Service (DDoS) activities renders an effective tactic to achieve the latter.

In this chapter, we investigate such malicious activities by uniquely analyzing real Internet-scale traffic targeting network telescopes or darknets, which are defined by routable, allocated yet unused Internet Protocol (IP) addresses. Specifically, we infer and characterize their independent events as well as address the problem of large-scale orchestrated campaigns, which render a new era of such stealthy and debilitating events. We conclude this chapter by highlighting some research gaps that pave the way for future work.



The authors would like to acknowledge the computer security lab at Concordia University, Canada where most of the presented work was conducted. The authors are also grateful to the anonymous reviewers for their insightful comments and suggestions.


  1. 1.
    Government of Canada. (2010). Canada’s cyber security strategy report,
  2. 2.
    Hinde, S. (2003). The law, cybercrime, risk assessment and cyber protection. Computers & Security, 22, 90–95.CrossRefGoogle Scholar
  3. 3.
    Bou-Harb, E., Debbabi, M., & Assi, C. (2013). A statistical approach for fingerprinting probing activities. In 2013 Eighth International Conference on Availability, Reliability and Security (ARES) (pp. 21–30), Sept 2013.Google Scholar
  4. 4.
    Bou-Harb, E., Lakhdari, N. -E., Binsalleeh, H., & Debbabi, M. (2014). Multidimensional investigation of source port 0 probing. Digital Investigation, 11(Supplement 2), S114–S123; Fourteenth Annual {DFRWS} Conference.Google Scholar
  5. 5.
    Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2010). Surveying port scans and their detection methodologies. The Computer Journal, 54(10), 1565–1581.CrossRefGoogle Scholar
  6. 6.
    Bou-Harb, E., Debbabi, M., & Assi, C. (2014). Cyber scanning: A comprehensive survey. IEEE Communications Surveys & Tutorials, 16(3), 1496–1519.CrossRefGoogle Scholar
  7. 7.
    Rossow, C. (2014). Amplification hell: Revisiting network protocols for DDoS abuse. In NDSS.Google Scholar
  8. 8.
    Fachkha, C., & Debbabi, M. (2016). Darknet as a source of cyber intelligence: Survey, taxonomy, and characterization. IEEE Communications Surveys & Tutorials, 18(2), 1197–1227.CrossRefGoogle Scholar
  9. 9.
    Moore, D., Shannon, C., Voelker, G. M., & Savage, S. (2004). Network Telescopes: Technical Report. Department of Computer Science and Engineering, University of California, San Diego.Google Scholar
  10. 10.
    Bou-Harb, E., Assi, C., & Debbabi, M. (2016). Csc-detector: A system to infer large-scale probing campaigns. IEEE Transactions on Dependable and Secure Computing, PP(99), 1Google Scholar
  11. 11.
    Bou-Harb, E., Debbabi, M., & Assi, C. (2013). A systematic approach for detecting and clustering distributed cyber scanning. Computer Networks, 57(18), 3826–3839CrossRefGoogle Scholar
  12. 12.
    Peng, C. -K., Buldyrev, S. V., Havlin, S., Simons, M., Stanley, H. E., & Goldberger, A. L. (1994). Mosaic organization of DNA nucleotides. Phys. Rev. E, 49, 1685–1689.CrossRefGoogle Scholar
  13. 13.
    Bou-Harb, E., Debbabi, M., & Assi, C. (2014). On fingerprinting probing activities. Computers & Security, 43, 35–48.CrossRefGoogle Scholar
  14. 14.
    Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Huston, G. (2010). Internet background radiation revisited. In Proceedings of the 10th Annual Conference on Internet Measurement (pp 62–74). New York, NY: ACM.CrossRefGoogle Scholar
  15. 15.
    Bou-Harb, E., Debbabi, M., & Assi, C. (2014) Behavioral analytics for inferring large-scale orchestrated probing events. In 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 506–511). New York, NY: IEEE.CrossRefGoogle Scholar
  16. 16.
    Moore, D., Voelker, G. M., & Savage, S. (2001). Inferring internet denial-of-service activity. Technical Report, DTIC Document.Google Scholar
  17. 17.
    Li, Z., Goyal, A., Chen, Y., & Paxson, V. (2011). Towards situational awareness of large-scale botnet probing events. IEEE Transactions on Information Forensics and Security, 6(1), 175–188.CrossRefGoogle Scholar
  18. 18.
    Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., & Savage, S. (2006). Inferring internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS), 24(2), 115–139CrossRefGoogle Scholar
  19. 19.
    Kornblum, J. (2006). Identifying almost identical files using context triggered piecewise hashing. Digital Investigation, 3(Supplement), 91–97; The Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS’06).Google Scholar
  20. 20.
    Lilliefors, H. W. (1967). On the Kolmogorov-Smirnov test for normality with mean and variance unknown. Journal of the American Statistical Association, 62(318), 399–402.CrossRefGoogle Scholar
  21. 21.
    Li, Z., Goyal, A., Chen, Y., & Paxson, V. (2011). Towards situational awareness of large-scale botnet probing events. IEEE Transactions on Information Forensics and Security, 6(1), 175–188CrossRefGoogle Scholar
  22. 22.
    Jin, Y., Simon, G., Xu, K., Zhang, Z.-L., & Kumar, V. (2007). Gray’s anatomy: Dissecting scanning activities using IP gray space analysis. In Usenix SysML07.Google Scholar
  23. 23.
    Jin, Y., Zhang, Z. -L., Xu, K., Cao, F., & Sahu, S. (2007). Identifying and tracking suspicious activities through IP gray space analysis. In Proceedings of the 3rd Annual ACM Workshop on Mining Network Data, MineNet’07 (pp. 7–12). New York, NY: ACM.CrossRefGoogle Scholar
  24. 24.
    Li, Z., Goyal, A., Chen, Y., & Paxson, V. (2009). Automating analysis of large-scale botnet probing events. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS’09 (pp. 11–22). New York, NY: ACM.Google Scholar
  25. 25.
    Yegneswaran, V., Barford, P., & Paxson, V. (2005). Using honeynets for internet situational awareness. In Proceedings of ACM Hotnets IV.Google Scholar
  26. 26.
    Dainotti, A., King, A., Claffy, K., Papale, F., & Pescapé, A. (2014). Analysis of a “/0” Stealth Scan from a Botnet. IEEE/ACM Transactions on Networking, 23, 341–354.CrossRefGoogle Scholar
  27. 27.
    Internet Census 2012-Port scanning /0 using insecure embedded devices,
  28. 28.
    Benoit, D., Trudel, A. (2007). World’s first web census. International Journal of Web Information Systems, 3(4), 378.CrossRefGoogle Scholar
  29. 29.
    Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., & Bannister, J. (2008). Census and survey of the visible internet. In Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, IMC’08 (pp. 169–182). New York, NY: ACM.CrossRefGoogle Scholar
  30. 30.
    Pryadkin, Y., Lindell, R., Bannister, J., & Govindan, R. (2004). An empirical evaluation of ip address space occupancy. USC/ISI Technical Report ISI-TR, 598.Google Scholar
  31. 31.
    Cui, A., & Stolfo, S. J. (2010). A quantitative analysis of the insecurity of embedded network devices: Results of a wide-area scan. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC’10 (pp. 97–106). New York, NY: ACM.Google Scholar
  32. 32.
    Leonard, D., & Loguinov, D. (2010). Demystifying service discovery: Implementing an internet-wide scanner. In The 10th ACM SIGCOMM Conference on Internet Measurement. New York, NY: ACM.Google Scholar
  33. 33.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., & Lee, W. (2007). Bothunter: Detecting malware infection through ids-driven dialog correlation. In Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, SS’07 (pp. 12:1–12:16). Berkeley, CA: USENIX Association.Google Scholar
  34. 34.
    Goebel, J., & Holz, T. (2007). Rishi: Identify bot contaminated hosts by irc nickname evaluation. In Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets (USENIX HotBots), Cambridge, MA (pp. 8–8).Google Scholar
  35. 35.
    Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., & Kirda, E. (2009). Automatically generating models for botnet detection. In M. Backes, & P. Ning, (Eds.), Computer security – ESORICS 2009. Lecture notes in computer science (Vol. 5789, pp. 232–249). Berlin: Springer.Google Scholar
  36. 36.
    Tegeler, F., Fu, X., Vigna, G., & Kruegel, C. (2012). Botfinder: Finding bots in network traffic without deep packet inspection. In Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies, CoNEXT’12 (pp. 349–360). New York, NY: ACM.CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. 1.Cyber Threat Intelligence LabFlorida Atlantic UniversityBoca RatonUSA
  2. 2.University of DubaiDubaiUnited Arab Emirates

Personalised recommendations