Metadata only
Date
2014-11
Type
- Report
ETH Bibliography
yes
Abstract
Although Internet scanning is one of the most popular malware propagation methods, sound measurements about its success rate are not generally available. In this work, we assess the success rate of an Internet-wide scanning event that was orchestrated by the Sality botnet during February 2011 using data from a university network. We first use unsampled NetFlow records from the border router of the network to find how many targeted hosts replied to the scanners. Second, we correlate the replies with IDS alerts triggered in the same network and uncover significant exploitation activity that followed toward the scan repliers. In our data, 2% of the scanned hosts replied and at least 8% of the repliers we believe were eventually compromised. Furthermore, we characterize the exploitation activity and find surprisingly that scanners and exploiters came from different geographical locations. Our analysis provides a novel look into the success rate of Internet scanning in the wild based on two unique data-sets.
Publication status
published
Journal / series
TIK Report
Volume
Publisher
ETH Zurich, Computer Engineering and Networks Laboratory
Subject
Botnet Characterization; Network Forensics; Network Scanning; IDS; Netflow
Organisational unit
03234 - Plattner, Bernhard (emeritus) / Plattner, Bernhard (emeritus)