{"title":"Profiling internet scanners: Spatiotemporal structures and measurement ethics","authors":"J. Mazel, Romain Fontugne, K. Fukuda","doi":"10.23919/TMA.2017.8002909","DOIUrl":null,"url":null,"abstract":"Scanning is ubiquitous on the Internet. It assists administrators to troubleshoot their own network, researchers to survey the Internet, and malicious actors to assess the attack surface of targeted networks. As users requirements vary, scans in the wild exhibit very diverse characteristics. For example, the coverage, stealthiness and probing speed are drastically varying from one scanning IP to another. In this paper, we study 15 years of backbone traffic to understand the evolution of mass-scanning tool usage, scanning pattern and the concentration of scanning IPs (also called scanners) in small networks. We also propose a new method to classify scanning IPs' spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, identifying this behavior provides good insights on the malicious intent of scanners. In the case of innocuous scanners, publicly documenting scanning activities and giving right to opt out are common ethical practices. Our study shows that documented scanning IPs behave differently from the vast majority of scanners. 
Furthermore, only 39% of these entities follow online documentation best practices.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"83 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 Network Traffic Measurement and Analysis Conference (TMA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/TMA.2017.8002909","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 7
Abstract
Scanning is ubiquitous on the Internet. It assists administrators to troubleshoot their own network, researchers to survey the Internet, and malicious actors to assess the attack surface of targeted networks. As users' requirements vary, scans in the wild exhibit very diverse characteristics. For example, the coverage, stealthiness and probing speed are drastically varying from one scanning IP to another. In this paper, we study 15 years of backbone traffic to understand the evolution of mass-scanning tool usage, scanning pattern and the concentration of scanning IPs (also called scanners) in small networks. We also propose a new method to classify scanning IPs' spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, identifying this behavior provides good insights on the malicious intent of scanners. In the case of innocuous scanners, publicly documenting scanning activities and giving the right to opt out are common ethical practices. Our study shows that documented scanning IPs behave differently from the vast majority of scanners. Furthermore, only 39% of these entities follow online documentation best practices.