Analysis of Local Address Scanning by Puppetnets

Abstract

Puppetnets are created when a web server hosts a page that when loaded simultaneously by many users causes malicious behavior; there are a wide variety of means by which puppetnets can cause mischief. This paper analyzes the behavior and effectiveness of puppetnets for Internet reconnaissance-methodical means of discovering live IP addresses-as a prelude to another attack. We consider local reconnaissance, in which the client reconnoiters addresses in its local IP neighborhood. We focus on mod eling critical facets that impact coverag-the fraction of addresses analyzed-as a function of time. We prove that certain scanning strategies are superior to others, and de velop formulae that describe the inefficiencies due to lack of coordination. Finally we use the model to estimate how global Internet coverage grows as a function of time, under generous assumptions about the size of puppetnet and length of script execution. We see that even a strategy that focuses on exploring blocks of adjacent live addresses may take days to map a significant fraction of the Internet address space.