(slides) Scanning the Scanners: Sensing the Internet from ... · ? CDN cache HTTP(S) • Source IP...
60
Scanning the Scanners Sensing the Internet from a Massively Distributed Network Telescope Philipp Richter and Arthur Berger Massachusetts Institute of Technology Akamai Technologies ACM Internet Measurement Conference 2019 Amsterdam, Netherlands
Transcript of (slides) Scanning the Scanners: Sensing the Internet from ... · ? CDN cache HTTP(S) • Source IP...
Scanning the Scanners
Sensing the Internet from a Massively Distributed Network Telescope
Philipp Richter and Arthur Berger
Massachusetts Institute of Technology Akamai Technologies
ACM Internet Measurement Conference 2019 Amsterdam, Netherlands
Scanning 101
scanner
SYN port 22
SYN port 22
SYN port 22SYN port 22SYN+ACK
1
Scanning 101
scanner
SYN port 22
SYN port 22
SYN port 22SYN port 22SYN+ACK
1. Identify vulnerable services/devices
2. Exploit vulnerabilities! • Attack vulnerable hosts/networks directly OR • Form botnets to carry out cyberattacks against other targets
1
Scanning 101
scanner
SYN port 22
SYN port 22
SYN port 22SYN port 22SYN+ACK
1. Identify vulnerable services/devices
2. Exploit vulnerabilities! • Attack vulnerable hosts/networks directly OR • Form botnets to carry out cyberattacks against other targets
Scanning hosts on the Internet: Key component in many of today’s cyberattacks
1
Tracking Scanning Activity
Tracking scanning activity: Assessment of ongoing and potentially upcoming cyberattacks 2
Detecting Scanning Activity: Darknets
X.0.0.0/8
3
Detecting Scanning Activity: Darknets
X.0.0.0/8
scanner
3
Internet-Wide Scans
.0.0.
Darknets only capture “naive” Internet-wide scanning
‣ Scanner targets the entire IPv4 space (e.g., ZMap)
‣ Scanner targets a random subset of the IPv4 space
3
X.0.0.0/8
scanner Internet-
wide
Internet-Wide vs. Targeted Scans
4
X.0.0.0/8
Internet-Wide vs. Targeted Scans
scanner targeted
scanner Internet-
wide
4
X.0.0.0/8
What about scans targeting specific prefixes or networks?
Undocumented and potentially much more dangerous!
Internet-Wide vs. Targeted Scans
scanner targeted
scanner Internet-
wide
4
Part 1
• What is a distributed network telescope?
• How much unsolicited traffic is there?
Part 2
• How much scanning traffic is there?
• How can we dissect scanning strategies?
Part 3
• How can an individual network detect targeted scans?
Outline
A Large CDN as a Network Telescope
• 89,000 CDN servers in 1,300+ ASes, 2,800+ BGP prefixes (a subset of the servers this CDN operates)
5
A Large CDN as a Network Telescope
• 89,000 CDN servers in 1,300+ ASes, 2,800+ BGP prefixes (a subset of the servers this CDN operates)
• Visibility into:
‣ Internet-wide scans
‣ Scans targeting the CDN itself
‣ Scans targeting networks that host CDN caches 5
CDN Machine IPv4 Addresses
1.2.3.X1 client-facing IP
DNSwww.website.com ?
CDN cache
HTTP(S)
1.2.3.X1(client-facing IP)
6
CDN Machine IPv4 Addresses
1.2.3.X1 client-facing IP
1.2.3.X2 operations IP (cache refills, etc)
DNSwww.website.com ?
1.2.3.X1(client-facing IP)
CDN cache
HTTP(S)
6
CDN Machine IPv4 Addresses
DNSwww.website.com ?
CDN cache
HTTP(S)
• Source IP hits only client-facing IPs of our servers:
‣ CDN-targeted traffic • Source IP hits client-facing and operations IPs 50/50:
‣ CDN-agnostic traffic
1.2.3.X1 client-facing IP
1.2.3.X2 operations IP (cache refills, etc)
1.2.3.X1(client-facing IP)
6
CDN Firewall Log Dataset
1.2.3.X1
1.2.3.X2
HTTP(S) 80/443• Traffic to active port numbers (TCP 80/443,..)
‣ Handled by web server/app. layer firewall
‣ Not captured in our dataset
7
✖
CDN Firewall Log DatasetHTTP(S)
80/443• Traffic to active port numbers (TCP 80/443,..)
‣ Handled by web server/app. layer firewall
‣ Not captured in our dataset 23
231337
✖
✖
1.2.3.X1
1.2.3.X2
• Traffic to inactive port numbers (any IP)
‣ Blocked by static firewall, logged
‣ Too much traffic (e.g., DDoS) ꔄ “burst” ꔄ sampling triggered
‣ 99.9% of time, a machine is NOT in “burst” state
7
CDN Firewall Log DatasetHTTP(S)
80/443• Traffic to active port numbers (TCP 80/443,..)
‣ Handled by web server/app. layer firewall
‣ Not captured in our dataset 23
231337• Traffic to inactive port numbers (any IP)
‣ Blocked by static firewall, logged
‣ Too much traffic (e.g., DDoS) ꔄ “burst” ꔄ sampling triggered
‣ 99.9% of time, a machine is NOT in “burst” state
✖
✖
Full visibility of “sporadic” unsolicited traffic
1.2.3.X1
1.2.3.X2✖
total pkts UDP TCP TCP SYN
19.4B 2.3B (12%) 17.1B (88%) 16.8B (86%)
Dataset: November 2018 7
Unsolicited Traffic at CDN Caches
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
Machine 1: Baseline radiation 8
Unsolicited Traffic at CDN Caches
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
● ● ●●
● ● ● ●● ●
●
●● ● ● ● ● ●
● ● ● ● ●● ● ●
● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
Machine 2: CDN-targeted spikes 9
Unsolicited Traffic at CDN Caches
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
● ● ●●
● ● ● ●● ●
●
●● ● ● ● ● ●
● ● ● ● ●● ● ●
● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
●● ● ●
●● ●
●
●
●
●
●●
●●
● ● ●
●
●
●
●
●
●●
●●
●● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
Machine 3: CDN-agnostic spikes 10
Unsolicited Traffic at CDN Caches
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
● ● ●●
● ● ● ●● ●
●
●● ● ● ● ● ●
● ● ● ● ●● ● ●
● ● ● ●
day [November '18]lo
gged
pac
kets
per
day
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
●● ● ●
●● ●
●
●
●
●
●●
●●
● ● ●
●
●
●
●
●
●●
●●
●● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
• Baseline radiation: Every IPv4 address: ~3000 pkts/day
• Spikes can be grouped into:
• CDN-targeted ꔄ sources target domain names
• CDN-agnostic ꔄ sources target prefixes/networks
11
Daily packets per DST IP in a /8 Darknet
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)
12
Daily packets per DST IP in a /8 Darknet
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)
almost all darknet destination IP addresses: baseline radiation - median: 3091 pkts/IP
heavily concentrated distribution very few addresses receive more
12
Daily packets per DST IP: Darknet vs. CDN
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)CDN client−facing IPs (89K IPs)CDN operations IPs (89K IPs)
13
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)CDN client−facing IPs (89K IPs)CDN operations IPs (89K IPs)
Daily packets per DST IP: Darknet vs. CDNsome CDN machines log
slightly less. Network filtering!
13
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)CDN client−facing IPs (89K IPs)CDN operations IPs (89K IPs)
Large share of CDN machines: only baseline radiation
Daily packets per DST IP: Darknet vs. CDN
13
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)CDN client−facing IPs (89K IPs)CDN operations IPs (89K IPs)
heavy tail: CDN machines log
targeted traffic invisible in darknet
Daily packets per DST IP: Darknet vs. CDN
13
packets per destination IP address (1st of November 2018)
DST
IPs
(nor
mal
ized
by m
ax)
0 2000 4000 6000 8000
0.0
0.2
0.4
0.6
0.8
1.0
UCSD /8 darknet IPs (~15M IPs)CDN client−facing IPs (89K IPs)CDN operations IPs (89K IPs)
heavy tail: CDN machines log
targeted traffic invisible in darknet
What is this additional unsolicited traffic?
Daily packets per DST IP: Darknet vs. CDN
13
Part 1
• What is a distributed network telescope?
• How much unsolicited traffic is there?
Part 2
• How much scanning traffic is there?
• How can we dissect scanning strategies?
Part 3
• How can an individual network detect targeted scans?
Outline
Identifying Scans
‣ Source IP contacts more than 100 destination IPs (IPv4)
‣ Maximum inter-arrival time 5400 seconds
‣ Effectively removes remaining DDoS attacks against CDN
14
Identifying Scans
‣ Source IP contacts more than 100 destination IPs (IPv4)
‣ Maximum inter-arrival time 5400 seconds
‣ Effectively removes remaining DDoS attacks against CDN
‣ 87% of all logged unsolicited packets are part of scans
‣ November ’18: 2.17M scans, 16.8B packets, 1.1M SRC IPs
14
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
15
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
full IPv4 space
28% pkts
full IPv4 space: scanner IP targets most/all of our IP addresses (e.g., ZMap)
15
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
domain scans: scanner IP targets client-facing (DNS-exposed) IPs exclusively
E.g., scanning Alexa Top 1M etc. 15
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
Leaves us with 2/3s of scan packets that do not target the full space nor target our CDN DNS-exposed IPs:
15
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
Leaves us with 2/3s of scan packets that do not target the full space nor target our CDN DNS-exposed IPs:
Do they target a random subset of the space or target specific prefixes/networks? 15
Detecting if Scan Targets Random Subset
IPv4 /8 prefix
mac
hine
s pe
r /8
05K
10K
15K
0.0.0.0/8 64.0.0.0/8 128.0.0.0/8 192.0.0.0/8 255.0.0/8
16
Internet-wide partial (random) scanD
ST IP
s
CD
N IP
s
0.0.0.0/8 64.0.0.0/8 128.0.0.0/8 192.0.0.0/8 255.0.0.0/8
0.2
0
0.2
• Packets in scan total: 148.
• Pearson correlation DST IPs / CDN IPs = 0.96.
• This scan targets a random subset of CDN IPs.
‣ Internet-wide Partial scan.17
CDN IP addresses
scan destinations
Localized ScanD
ST IP
s
CD
N IP
s
0.0.0.0/8 64.0.0.0/8 128.0.0.0/8 192.0.0.0/8 255.0.0.0/8
0.4
0.2
0
0.2
• Packets in scan total: 827.
• Pearson correlation DST IPs / CDN IPs = 0.38.
• This scan targets a non-random subset of CDN IPs.
‣ Localized scan18
CDN IP addresses
scan destinations
Internet-wide vs. Localized Scans
correlation of scan pkts vs. telescope IPs.
num
ber o
f sca
ns (n
orm
alize
d)
0.0 0.2 0.4 0.6 0.8 1.0
02
46
810
partial scanssimulated random (100 pkts)
localized scans: low pearson correlation
Internet-wide scans: high pearson correlation
19
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
localized:targets
prefixes/ASes/?
29% pkts
partial: random subset of IPv4
39.9% pkts
20
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
partial: random subset of IPv4
39.9% pkts
localized:targets
prefixes/ASes/?
29% pkts
~68% scan packets:Internet-wide scans
20
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
~68% scan packets:Internet-wide scans
~29% scan packets:target
prefixes/ASes/?
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
partial: random subset of IPv4
39.9% pkts
localized:targets
prefixes/ASes/?
29% pkts
20
Scan Target Selection Strategiesall scans
Internet-wide targeted(source targets entire IPv4 space) (source targets specific IPs/ranges)
domain scans:targeted at DNS-
exposed IPs
4.1% pkts
full IPv4 space
28% pkts
partial: random subset of IPv4
39.9% pkts
~68% scan packets:Internet-wide scans
29% scan packets:target
prefixes/ASes/?
4.1% scan packets:targeting the CDN’s
customers (e.g., Alexa Top 1K)
localized:targets
prefixes/ASes/?
29% pkts
Some 30% of all scan traffic localized!
do not target a random subset of the space
do not target the CDN’s customers
often target narrow regions of the IPv4 space (few prefixes) invisible in darknets
Vastly different characteristics:
Services scanned, Scanner origins, repeated scans, etc.
21
Top 5 Target Port Numbers
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
all scans (CDN)
22
Top 5 Target Port Numbers
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
250 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
all scans (CDN)
UCSD darknet
22
Top 5 Target Port Numbers
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
250 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
all scans (CDN)
UCSD darknet
localized
22
Top 5 Target Port Numbers
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
250 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
IMC ’19, October 21–23, 2019, Amsterdam, Netherlands Richter and Berger
23 445 137/UDP 500/UDP 1433
0 5 10 15 20
all CDN
23 80 445 22 81
0 5 10 15
UCSD−NT
% packets
(a) Top-5 port numbers seen in all our dataset, as well as in the UCSDdarknet.
23 445 1433 81 22
0 5 10 15
all scans
81 22 8088 8545 23
0 2 4 6 8 10
Internet−widefull
500/UDP 137/UDP 55336 445
25
0 10 20 30 40 50 60
CDN
23 445 1433
5555
8080
0 5 10 15 20 25 30
Internet−widepartial
23 8291 445 22 7547
0 5 10 15
localized
% packets
(b) Top-5 port numbers seen for scans, where we show all scans as well asthe contributions of individual scan types.
Figure 10: Top-5 port numbers in our dataset, UCSD net-work telescope, and contribution by individual scan types.All ports are TCP unless tagged as UDP.
port distribution, and these are the most popular ports for partialInternet-wide scans. This makes sense given that these two portsare frequently targeted by worms and botnets, which commonlyexhibit random scanning behavior [8]. Localized scans, on the otherhand, contribute much less to this class of ports, but show signi�-cant activity on ports 8291 and 7547, both ports related to criticalvulnerabilities in home routers [26, 27]. In contrast, port 8291 isthe 273th most targeted port in the UCSD darknet, and port 7547the 48th most targeted port by packets. This hints towards actorsscanning particular ranges for these ports (recall that many of theCDN servers are located within end-user ISPs, making these ASesprime candidates for scanning for home router vulnerabilities). Gen-erally, we note that localized scans show a higher port diversity(top 5 ports only account for some 17% of all scan tra�c), whereasInternet-wide partial scans are more concentrated on a smallernumber of ports (top 5 ports account for some 33% of all scanningtra�c). We note that when looking at aggregate port statistics, po-tentially dangerous, localized scans such as on ports 8291 and 7547,would not stand out, since they are masked by the sheer volume ofInternet-wide scans on popular port numbers.CDN-targeted scans: We note that CDN-targeted scans showwildly di�erent behavior, with the two port numbers being 500/UDP(IPsec) and 137/UDP (NetBIOS name resolution). These two portnumbers also show up with much higher frequency in our overalldataset, as compared with the UCSD telescope (Figure 10a). Since
rank Internet-wide full Internet-wide partial localized1 Ukraine 41.0% Ukraine 19.0% Netherlands 18.7%2 U.S. 14.0% China 13.9% Bulgaria 10.6%3 Netherlands 9.0% Netherlands 11.5% U.S. 8.3%4 China 5.2% U.S. 11.3% Russia 7.8%5 U.K. 4.2% Russia 7.4% China 5.6%
(a) Scan packets.
rank Internet-wide full Internet-wide partial localized1 U.S. 38.2% China 20.3% Brazil 16.2%2 Netherlands 8.7% Egypt 8.3% Russia 12.7%3 U.K. 7.3% Russia 8.2% India 10.3%4 China 6.9% Brazil 7.3% China 8.5%5 Japan 6.8% India 3.5% Taiwan 5.9%
(b) Scan source IP addresses.
Table 3: Top origin countries of scan tra�c and sources.
some machines, unsuccessfully, try to establish an IPsec connec-tion and/or NetBIOS name resolution upon establishing a TCPconnection (see, e.g., reports [4, 5]), we believe that the majorityof these packets do not resemble actual scans or exploits of theseport numbers. A more likely explanation is that these packets are aconnection artifact of hosts that scan/scrape actual websites (e.g.,Alexa Top 1M), hence accessing other services on our machines,most likely Web.8
Port co-dependency: We do not restrict our de�nition of scansby port number, i.e., a scan can target multiple ports. For 53% ofdetected scans, we logged packets on more than a single port num-ber. 66% of Internet-wide partial scans send packets on multipleport numbers and the most frequent combinations are two-porttuple 23 and 2323 (TCP) as well as 23 and 8080 (TCP), togetheraccounting for 64% of all Internet-wide multi-port scans. Theseport combinations can be attributed to incarnations of the Miraibotnet [8]. In contrast, only 26% of localized scans probe multipleport numbers, with the most common combination of ports beingthe 4-tuple of 23, 8080, 7547, 8291 (TCP), accounting for only 19%of all localized multi-port scans.
6.3 Scanner OriginsIn this section, we inspect top contributors of scan tra�c and sourceaddresses, and assess the e�ect of sharded scans on our inferences.Scanner origin countries: Table 3 shows the top-5 origin coun-tries of scans.9 While Internet-wide full scans are highly concen-trated, with Ukraine accounting for some 41% of scan packets, fol-lowed by the US with some 14%, we see that partial Internet-widescans are more spread out, and �nd that localized scans are evenmore spread across di�erent origin countries, with the Netherlandsaccounting for some 19% of localized scan tra�c. When looking atunique scan source IP addresses (Table 3b), we see similar distri-butions for Internet-wide scans, but notice that localized scannerIP addresses show a much higher concentration in Brazil, Russia,and India; countries that show less-pronounced scanning activitywhen considering only Internet-wide scans. We note that a large
8Such connection artifacts, e.g., IPsec, are frequently reported to appear in �rewalllogs in production networks [4].9We leverage the CDN’s proprietary geolocation database to map scanner IP addressesto countries.
Critical vulnerabilities targeted in localized scans!But barely scanned by Internet-wide scanners
-> Darknets severly underestimate scanning activity
all scans (CDN)
UCSD darknet
localized
Outline
Part 1
• What is a distributed network telescope?
• How much unsolicited traffic is there?
Part 2
• How much scanning traffic is there?
• How can we dissect scanning strategies?
Part 3
• How can an individual network detect targeted scans?
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K●
client−facing IPoperations IP
Baseline Composition
23
Baseline Composition
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
● ●● ● ● ● ● ● ● ● ● ● ●
●●
●
● ● ● ● ● ● ● ● ● ● ● ● ● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
remaining unsolicited traffic after removal of Internet-wide (full and random subset) scans
23
●● ● ●
●● ●
●
●
●
●
●●
●●
● ● ●
●
●
●
●
●
●●
●●
●● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
●●
● ●
● ● ●● ●
●
●
●●
●●
● ● ●
●
●
●
●
●
● ● ●●
●
● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
● ●● ● ● ● ● ● ● ● ● ● ●
●●
●
● ● ● ● ● ● ● ● ● ● ● ● ● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
Baseline Composition
23
remaining unsolicited traffic after removal of Internet-wide (full and random subset) scans
●● ● ●
●● ●
●
●
●
●
●●
●●
● ● ●
●
●
●
●
●
●●
●●
●● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
●●
● ●
● ● ●● ●
●
●
●●
●●
● ● ●
●
●
●
●
●
● ● ●●
●
● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
● ●● ● ● ● ● ● ● ● ● ● ●
●●
●
● ● ● ● ● ● ● ● ● ● ● ● ● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
Baseline Composition
• 90% of baseline radiation is the result of Internet-wide scans
‣ Full scans of the + random subsets of the IPv4 space
23
●● ● ●
●● ●
●
●
●
●
●●
●●
● ● ●
●
●
●
●
●
●●
●●
●● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
●●
● ●
● ● ●● ●
●
●
●●
●●
● ● ●
●
●
●
●
●
● ● ●●
●
● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
●●
● ●
●
● ●● ●
● ●● ●
●●
●
● ● ● ● ● ● ●
●
● ● ● ● ● ●
day [November '18]
logg
ed p
acke
ts p
er d
ay
1 8 15 22 29
0
3K
6K
9K
● ●● ● ● ● ● ● ● ● ● ● ●
●●
●
● ● ● ● ● ● ● ● ● ● ● ● ● ●
●
client−facing IPoperations IP●
client−facing IP (w/o Internet−wide)operations IP (w/o Internet−wide)
• 90% of baseline radiation is the result of Internet-wide scans
‣ Full scans of the + random subsets of the IPv4 space • Threat detection / detection of targeted activity
‣ Determine current baseline level (darknets, etc.)
‣ See if unsolicited scan traffic exceeds baseline
Baseline: Detect Targeted Scans
23
• Distributed telescope illuminates undocumented scan activity
• Baseline: Every routed IPv4 address receives ~3000pkts/day
‣ Deviation from the baseline indicates targeted activity
• Methodology to dissect scan strategies
‣ 30% of scan traffic are result of localized scans
‣ Different characteristics (services targeted, origins, etc.)
Key Takeaways
24
Baseline Evolution
day
pack
ets
per I
P ad
dres
s
2016−01−01 2017−01−01 2018−01−01 2019−01−01
010
0030
0050
00
CDN vs. UCSD Darknet: DSTs per Source IP
destination IPs hit in UCSD−NT
dest
inat
ion
IPs
hit i
n C
DN
0 1000 10M
010
010
K17
0K
110
100
1K
10K
100K
1M
10M
sour
ce IP
s
