Have you SYN me? Characterizing Ten Years of Internet Scanning

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

22 Downloads (Pure)

Abstract

Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.
Original languageEnglish
Title of host publicationHave you SYN me? Characterizing Ten Years of Internet Scanning
Number of pages16
ISBN (Electronic)979-8-4007-0592-2
DOIs
Publication statusPublished - 2024

Fingerprint

Dive into the research topics of 'Have you SYN me? Characterizing Ten Years of Internet Scanning'. Together they form a unique fingerprint.

Cite this