Revealing Informed Scanners by Colocating Reactive and Passive Telescopes

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

Abstract

Network telescopes have been utilized for decades to detect scanning activity on the Internet. Such telescopes are typically passive, i.e., they do not reply to TCP SYN packets. Recently, reactive network telescopes that respond to TCP SYN packets have been proposed to unveil a new wave of scanners, namely two-phase scanners, and collect malicious payloads from TCP ACK packets. In this paper, we propose a methodology that combines the modus operandi of passive and reactive telescopes to identify an additional wave of scanners, which we call “informed scanners”, that participate in attacks. Our main observation is that small reactive telescopes operating within larger passive telescopes are visited by “informed” clients that are aware of the liveness of hosts without performing scanning themselves; thus, they are not visible in the passive telescope. We identify these informed clients as an additional class of highly targeted scanners and attackers. Indeed, by operating a /25 reactive telescope within a /16 passive telescope, we can separate routine and two-phase scanning activity from informed activity and identify clients that participate in service-targeted attacks. We discuss the scalability and sensitivity of our methodology and how it can be used to swiftly identify and profile malicious hosts on the Internet. We show that “mini-telescopes” of relatively smaller sizes, such as /20, can be comparably effective as larger sizes, such as a /16. Thus, our methodology can be useful to security operators that may only be able to allocate a relatively small address space to run a telescope.
Original language: English
Title of host publication: Proceedings of the 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Editors: J. Silva
Place of Publication: Piscataway, NJ
Publisher: IEEE
Pages: 713-727
Number of pages: 15
ISBN (Electronic): 979-8-3315-6603-6
ISBN (Print): 979-8-3315-6604-3
DOIs
Publication status: Published - 2025
Event: 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) - Gold Coast, Australia
Duration: 19 Oct 2025 to 22 Oct 2025

Conference

Conference: 2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Country/Territory: Australia
City: Gold Coast
Period: 19/10/25 to 22/10/25

Keywords

  • Network Scanning
  • Network Scouting
  • Intrusion Detection
  • Network Telescope
  • Reactive Telescope
