Classification of Distributed Strategies for Port Scan Reconnaissance

Bachelor Thesis (2018)
Author(s)

S.R.G. Pletinckx (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

C. Dörr – Mentor

V.D.H. Ghiette – Mentor

Faculty
Electrical Engineering, Mathematics and Computer Science
Copyright
© 2018 Stijn Pletinckx
Publication Year
2018
Language
English
Graduation Date
19-09-2018
Awarding Institution
Delft University of Technology
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Prior to exploiting a vulnerable service, adversaries perform a port scan to detect open ports on a target machine. If an adversary is aiming for multiple targets, multiple IP addresses need to be scanned for possible open ports. As sending all this probing traffic from one source IP address raises a lot of suspicion in an intrusion detection system, attackers have moved towards a more distributed approach, using multiple source IP addresses to perform a port scan.
In this paper, we describe various strategies by which adversaries perform distributed port scans in the wild. The results in this paper were obtained by analyzing network packets captured by a large network telescope.
Concretely, we analyzed one month of network traffic received by two /16 networks. From this analysis, we conclude that adversaries performing distributed port scans exhibit many levels of coordination.

Files

Final_paper.pdf
(pdf | 0.311 Mb)
License info not available