The Days After a “/0” Scan from the Sality Botnet

Authors

  • Elias Raftopoulos
  • Eduard Glatz
  • Xenofontas Dimitropoulos
  • Alberto Dainotti
Abstract

Although Internet scanning is one of the most popular malware propagation methods, sound measurements about its success rate are not generally available. In this work, we assess the success rate of an Internet-wide scanning event that was orchestrated by the Sality botnet during February 2011 using data from a university network. We first use unsampled NetFlow records from the border router of the network to find how many targeted hosts replied to the scanners. Second, we correlate the replies with IDS alerts triggered in the same network and uncover significant exploitation activity that followed, directed toward the scan repliers. In our data, 2% of the scanned hosts replied, and we believe at least 8% of the repliers were eventually compromised. Furthermore, we characterize the exploitation activity and find, surprisingly, that scanners and exploiters came from different geographical locations. Our analysis provides a novel look into the success rate of Internet scanning in the wild based on two unique data-sets.

Keywords: Botnet Characterization, Network Forensics, Network Scanning, IDS, NetFlow


Similar resources

How Dangerous Is Internet Scanning? - A Measurement Study of the Aftermath of an Internet-Wide Scan

Internet scanning is a de facto background traffic noise that is not clear if it poses a dangerous threat, i.e., what happens to scanned hosts? what is the success rate of scanning? and whether the problem is worth investing significant effort and money on mitigating it, e.g., by filtering unwanted traffic? In this work we take a first look into Internet scanning from the point of view of scan ...


How Dangerous is Internet Scanning? A Measurement Study about Scan Repliers

Network administrators often consider Internet scanning as a de facto background traffic noise that is not necessarily dangerous. This is because it is not well-understood what happens to scanned hosts, what is the success rate of scanning, and whether the problem is worth investing significant effort and money in solving it. In this work we take a first look into the problem from the point of vie...


PeerViewer: Behavioral Tracking and Classification of P2P Malware

To keep pace with the rampant malware threat, security analysts operate tools that collect and observe malicious content on the internet. Since malware is robust against static analysis, dynamic environments are being used for this purpose. They use automated platforms that execute malware and acquire knowledge about its runtime behavior. Today, malware analysis platforms are powerful in charac...


BotOnus: an online unsupervised method for Botnet detection

Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods produce a number of good ideas, but they are far from complete yet, since most of them cannot detect botnets in an early stage ...


Honeynet-based Botnet Scan Traffic Analysis

With the increasing importance of the Internet in everyone’s daily life, Internet security poses a serious problem. Nowadays, botnets are the major tool to launch Internet-scale attacks. A “botnet” is a network of compromised machines that is remotely controlled by an attacker. In contrast to the earlier hacking activities (mainly used to show off the attackers’ technical skills), botnets are bet...


Publication date: 2014