Distributed Evasive Scan Techniques and Countermeasures

  • Min Gyung Kang
  • Juan Caballero
  • Dawn Song
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4579)


Scan detection and suppression methods are an important means for preventing the disclosure of network information to attackers. However, despite the importance of limiting the information obtained by the attacker, and the wide availability of such scan detection methods, there has been very little research on evasive scan techniques, which can potentially be used by attackers to avoid detection. In this paper, we first present a novel classification of scan detection methods based on their amnesty policy, since attackers can take advantage of such policies to evade detection. Then we propose two novel metrics to measure the resources that an attacker needs to complete a scan without being detected. Next, we introduce z-Scan, a novel evasive scan technique that uses distributed scanning, and show that it is extremely effective against TRW, one of the state-of-the-art scan detection methods. Finally, we investigate possible countermeasures including hybrid scan detection methods and information-hiding techniques. We provide theoretical analysis, as well as simulation results, to quantitatively measure the effectiveness of the evasive scan techniques and the countermeasures.


scan detection evasion distributed scanning information-hiding 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Fyodor. The Art of Port Scanning. Phrack 51, vol. 7 (September 1, 1997), http://www.phrack.com/phrack/51/P51-11
  3. 3.
    hybrid Distributed information gathering. Phrack 51, vol. 9 (September 9, 1999), http://www.phrack.org/phrack/55/P55-09
  4. 4.
  5. 5.
  6. 6.
  7. 7.
    Antonatos, S., Akritidis, P., Markatos, E., Anagnostakis, K.G.: Defending against Hitlist Worms using Network Address Space Randomization. In: ACM Workshop on Rapid Malcode Fairfax, November 2005, VA, USA, 11 (2005)Google Scholar
  8. 8.
    Basu, R., Cunningham, R.K., Lippmann, R.P.: Detecting Low-Profile Probes and Novel Denial-of-Service Attacks. In: Proceedings 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, June 5–6, 2001, West Point, NY, USA (2001)Google Scholar
  9. 9.
    Crosby, S., Wallach, D.: Denial of Service via Algorithmic Complexity Attacks. In: Proceedings of the 12th USENIX Security Symposium (Washington DC, USA) (August 4–8, 2003)Google Scholar
  10. 10.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with HighVolume Network Intrusion Detection. In: 11th ACM Conference on Computer and Communications Security, Washington DC, USA, October 25–29, 2004, ACM Press, New York (2004)Google Scholar
  11. 11.
    Heberlein, L.T., Dias, G.V., Levitt, K.N., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: Proceedings of the IEEE Symposium on Research in Security and PrivacyGoogle Scholar
  12. 12.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast Portscan Detection Using Sequential Hypothesis Testing. In: IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, USA, May 9–12, 2004, IEEE Computer Society Press, Los Alamitos (2004)Google Scholar
  13. 13.
    Kato, N., Nitou, H., Ohta, K., Mansfield, G., Nemoto, Y.: A Real-Time Intrusion Detection System(IDS) for Large Scale Networks and its Evaluations. IEICE Transactions on Communication E82B(11), 1817–1825Google Scholar
  14. 14.
    Kreibich, C., Crowcroft, J.: Honeycomb –Creating Intrusion Detection Signatures Using Honeypots. In: 2nd Workshop on Hot Topics in Networks, November 20–21, 2003, Boston, MA, USA (2003)Google Scholar
  15. 15.
    Leckie, C., Kotagiri, R.: A Probabilistic Approach to Detecting Network Scans. In: Proceedings of the Eighth IEEE Network Operations and Management Symposium, April 15–19, 2002, Florence, Italy (2002)Google Scholar
  16. 16.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks (Amsterdam, Netherlands) 31(23–24), 2435–2463 (1999)Google Scholar
  17. 17.
    Provos, N.: A Virtual Honeypot Framework. In: Proceedings of the 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA, USA (2004)Google Scholar
  18. 18.
    Ptacek, T.H., Newsham, T.N.: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical reportGoogle Scholar
  19. 19.
    Robertson, S., Siegel, E.V., Miller, M., Stolfo, S.J.: Surveillance Detection in High Bandwidth Environments. In: Proceedings of the 2003 DARPA DISCEX III Conference, April 22–24, 2003, Washington DC, USA (2003)Google Scholar
  20. 20.
    Roesch, M.: Snort-Lightweight Intrusion Detection for Networks. In: Proceedings of LISA’99: 13th Systems Administration Conference Seattle, November 7–12, 1999, WA, USA (1999)Google Scholar
  21. 21.
    Schechter, S.E., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: 7th International Symposium on Recent Advances in Intrusion Detection Sophia Antipolis, September 15–17, 2004, French Riviera, France (2004)Google Scholar
  22. 22.
    Staniford, S., Hoagland, J.A., McAlerney, J.M.: Practical Automated Detection of Stealthy Portscans. In: Proceedings of the 7th ACM Conference on Computer and Communications Security, November 1–4, 2000, Athens, Greece (2000)Google Scholar
  23. 23.
    Weaver, N., Staniford, S., Paxson, V.: Very Fast Containment of Scanning Worms. In: 13th USENIX Security Symposium. August 9–13, 2004, San Diego, CA, USA (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Min Gyung Kang
    • 1
  • Juan Caballero
    • 1
  • Dawn Song
    • 1
  1. 1.Carnegie Mellon University 

Personalised recommendations