Analysis of a "/0" stealth scan from a botnet

Authors:
Alberto Dainotti;Alistair King;kc Claffy;Ferdinando Papale;Antonio Pescapè
Affiliations:
CAIDA, UCSD, La Jolla, California, USA;CAIDA, UCSD, La Jolla, California, USA;CAIDA, UCSD, La Jolla, California, USA;University of Napoli Federico II, Naples, Italy;University of Napoli Federico II, Naples, Italy
Venue:
Proceedings of the 2012 ACM conference on Internet measurement conference
Year:
2012

Citing 19
Cited 5

How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Understanding the network-level behavior of spammers

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The Zombie roundup: understanding, detecting, and disrupting botnets

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamming botnets: signatures and characteristics

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Census and survey of the visible internet

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Automatic discovery of botnet communities on large-scale communication networks

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Botnet spam campaigns can be long lasting: evidence, implications, and analysis

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Geolocalization of proxied services and its application to fast-flux hidden servers

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
Spamcraft: an inside look at spam campaign orchestration

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Inference and analysis of formal models of botnet command and control protocols

Proceedings of the 17th ACM conference on Computer and communications security
Demystifying service discovery: implementing an internet-wide scanner

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Conficker and beyond: a large-scale empirical study

Proceedings of the 26th Annual Computer Security Applications Conference
Show me the money: characterizing spam-advertised revenue

SEC'11 Proceedings of the 20th USENIX conference on Security
Analysis of country-wide internet outages caused by censorship

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Towards Situational Awareness of Large-Scale Botnet Probing Events

IEEE Transactions on Information Forensics and Security

Analysis of internet-wide probing using darknets

Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security
Understanding IPv6 internet background radiation

Proceedings of the 2013 conference on Internet measurement conference
A systematic approach for detecting and clustering distributed cyber scanning

Computer Networks: The International Journal of Computer and Telecommunications Networking
A coordinated view of the temporal evolution of large-scale Internet events

Computing
Topology-Aware Correlated Network Anomaly Event Detection and Diagnosis

Journal of Network and Systems Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February of last year. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.