Scanning the Scanners: Sensing the Internet from a Massively Distributed Network Telescope

to appear in ACM Internet Measurement Conference
Amsterdam, Netherlands


Scanning of hosts on the Internet to identify vulnerable devices and services is a key component in many of today’s cyberattacks. Tracking this scanning activity, in turn, provides us with an excellent signal to assess the current state-of-affairs for many vulnerabilities and their exploitation. So far, studies tracking scanning activity have relied on unsolicited traffic captured in darknets, focusing on random scans of the address space. In this work, we track scanning activity through the lens of unsolicited traffic captured at the firewalls of some 89,000 hosts of a major CDN. Our vantage point has two distinguishing features compared to darknets: (i) it is distributed across some 1,300 networks, and (ii) its servers are live, offering services and thus emitting traffic. While all servers receive a baseline level of probing caused by random and full scans of the IPv4 space, we show that some 30% of all logged scan traffic is the result of non-random scanning activity. We find that non-random scanning campaigns often target localized regions in the address space, and that their characteristics in terms of target selection strategy and scanned services differ vastly from the more widely known random scans. Our observations imply that conventional darknets can only partially illuminate scanning activity, and may severely underestimate widespread attempts to scan and exploit individual services in specific prefixes or networks. Our methods can be adapted for individual network operators to assess if they are subjected to targeted scanning activity.