The Days After a "/0" Scan from the Sality Botnet
Date
2014-11
Publication Type
Report
ETH Bibliography
yes
Abstract
Although Internet scanning is one of the most popular malware propagation methods, sound measurements about its success rate are not generally available. In this work, we assess the success rate of an Internet-wide scanning event that was orchestrated by the Sality botnet during February 2011 using data from a university network. We first use unsampled NetFlow records from the border router of the network to find how many targeted hosts replied to the scanners. Second, we correlate the replies with IDS alerts triggered in the same network and uncover significant exploitation activity that followed toward the scan repliers. In our data, 2% of the scanned hosts replied, and we believe at least 8% of the repliers were eventually compromised. Furthermore, we characterize the exploitation activity and find, surprisingly, that scanners and exploiters came from different geographical locations. Our analysis provides a novel look into the success rate of Internet scanning in the wild based on two unique datasets.
Publication status
published
Volume
358
Publisher
ETH Zurich, Computer Engineering and Networks Laboratory
Subject
Botnet Characterization; Network Forensics; Network Scanning; IDS; Netflow
Organisational unit
03234 - Plattner, Bernhard (emeritus) / Plattner, Bernhard (emeritus)