Discovering Collaboration: Unveiling Slow, Distributed Scanners based on Common Header Field Patterns

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review


To compromise a computer, it is first necessary to discover which hosts are active and which services they run. This reconnaissance is typically accomplished through port scanning. Defense systems monitor for these unsolicited packets and raise an alarm if a predefined threshold is exceeded. To remain undetected, adversaries can either slow down the scan, and/or distribute it over multiple hosts. With each source below the threshold, the combination of all may still complete the scan efficiently. It is especially this group that is of concern: with enough resources and knowledge to execute such a coordinated activity, they will pose a more potent threat than the noisy "script kiddie". Correlating which out of 4 billion IPs potentially collaborate is however a challenging task, hence today’s systems do not consider coordination beyond basic subnet aggregation.In this paper, we propose a method to identify and fingerprint distributed scanners based on commonalities in header fields, which are an artifact of the way fast port scanning software is built. We demonstrate that this method can effectively locate groups, and based on the monitoring logs we report on a number of new groups and tools, which have previously not been reported in the academic literature.Fingerprints generated can ultimately be used as Indicators of Compromise to detect and mitigate scanning behavior in order to deny adversaries the possibility to learn about weaknesses of a system.
Original languageEnglish
Title of host publicationNOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium
Subtitle of host publicationProceedings
Number of pages9
ISBN (Electronic)978-1-7281-4973-8
ISBN (Print)978-1-7281-4974-5
Publication statusPublished - 2020
EventNOMS 2020 : IEEE/IFIP Network Operations and Management Symposium - Budapest, Hungary
Duration: 20 Apr 202024 Apr 2020


ConferenceNOMS 2020

Fingerprint Dive into the research topics of 'Discovering Collaboration: Unveiling Slow, Distributed Scanners based on Common Header Field Patterns'. Together they form a unique fingerprint.

Cite this