Classification of Distributed Strategies for Port Scan Reconnaissance


Abstract

Prior to exploiting a vulnerable service, adversaries perform a port scan to detect open ports on a target machine. If an adversary is aiming for multiple targets, multiple IP addresses need to be scanned for possible open ports. Because sending all of this probing traffic from a single source IP address is readily flagged by an intrusion detection system, attackers have moved towards a more distributed approach, using multiple source IP addresses to perform a port scan.
In this paper, we describe various strategies by which adversaries in the wild perform a distributed port scan. The results in this paper are obtained by analyzing network packets captured by a large network telescope.
Concretely, we analyzed one month of network traffic received by two /16 networks. From this analysis, we conclude that adversaries performing distributed port scans exhibit many levels of coordination.
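The abstract's observation that probes spread over many source addresses slip under a per-source IDS threshold suggests correlating by target instead. The following added example (not from the paper; the probe records, addresses and thresholds are constructed) flags a host whose ports are jointly covered by several low-volume sources within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telescope-style probe records (not from the paper):
# (timestamp, source IP, destination IP, destination port).
SAMPLE_PROBES = [
    ("2024-01-01T00:00:01", "198.51.100.11", "203.0.113.5", 21),
    ("2024-01-01T00:00:02", "198.51.100.11", "203.0.113.5", 22),
    ("2024-01-01T00:00:05", "198.51.100.12", "203.0.113.5", 23),
    ("2024-01-01T00:00:06", "198.51.100.12", "203.0.113.5", 25),
    ("2024-01-01T00:00:09", "198.51.100.13", "203.0.113.5", 80),
    ("2024-01-01T00:00:10", "198.51.100.13", "203.0.113.5", 443),
    ("2024-01-01T00:00:14", "198.51.100.14", "203.0.113.5", 3389),
    ("2024-01-01T00:00:15", "198.51.100.14", "203.0.113.5", 8080),
    # A lone source touching one port on another host: not a distributed scan.
    ("2024-01-01T00:00:20", "198.51.100.50", "203.0.113.9", 22),
]

def detect_distributed_scans(probes, window=timedelta(minutes=5),
                             min_sources=3, min_ports=6, max_ports_per_source=3):
    """Return {dst_ip: (sources, ports)} for destinations whose probes, within
    `window`, come from at least `min_sources` addresses that jointly cover
    `min_ports` distinct ports while each address alone touches only a few."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in probes:
        by_dst[dst].append((datetime.fromisoformat(ts), src, port))
    findings = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_by_src = defaultdict(set)
            for _, src, port in events[start:end + 1]:
                ports_by_src[src].add(port)
            union = set().union(*ports_by_src.values())
            if (len(ports_by_src) >= min_sources and len(union) >= min_ports
                    and max(len(p) for p in ports_by_src.values()) <= max_ports_per_source):
                findings[dst] = (sorted(ports_by_src), sorted(union))
    return findings

if __name__ == "__main__":
    for dst, (sources, ports) in detect_distributed_scans(SAMPLE_PROBES).items():
        print(f"{dst}: {len(sources)} sources jointly probed ports {ports}")
```

The per-source cap is what distinguishes this from an ordinary scan detector: a single aggressive source is left to the conventional threshold, while a set of quiet sources that together sweep a host's ports is reported as one coordinated event.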
