Analysis of a "/0" stealth scan from a botnet

Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Volumn , Issue , 2012, Pages 1-13

  Dainotti, Alberto ^a   King, Alistair ^a   Claffy, Kc ^a   Papale, Ferdinando ^b   Pescapè, Antonio ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF NAPLES FEDERICO II   (Italy)

Author keywords

bot; botnet; coordination; covert; darknet; internet background radiation; network telescope; probing; sality; scan; sip; stealth; voip

Indexed keywords

BOT; BOTNET; COORDINATION; COVERT; DARKNET; INTERNET BACKGROUND RADIATION; NETWORK TELESCOPES; PROBING; SALITY; SCAN; SIP; STEALTH; VOIP;

BEHAVIORAL RESEARCH; INTERNET; INTERNET PROTOCOLS; INTERNET TELEPHONY; OPTICAL TELESCOPES; SCANNING; TELESCOPES; VOICE/DATA COMMUNICATION SYSTEMS;

COMPUTER CRIME;

EID: 84870877621     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2398776.2398778     Document Type: Conference Paper

References (65)

1. AfriNIC: The Registry of Internet Number Resources for Africa. http://www.afrinic.net.
2. Cuttlefish. http://www.caida.org/tools/ visualization/cuttlefish/.
3. RIPE NCC: Routing Information Service (RIS). http://www.ripe.net/ datatools/stats/ris/routing-information-service.
4. Secureworks. ozdok/mega-d trojan analysis. http://www.secureworks.com/ research/threats/ozdok/.
5. tcpdump. http://www.tcpdump.org.
6. The asterisk-users mailing-list archives. http://lists.digium.com/ pipermail/asteriskusers/2010-November/thread.html, November 2010.
7. UCSD Network Telescope, 2010. http://www.caida.org/data/passive/network- telescope.xml.
8. The voipsec mailing-list archives. http://voipsa.org/pipermail/voipsec- voipsa.org/2010-November/thread.html, November 2010.
9. M. Abu Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, IMC '06, pages 41-52, New York, NY, USA, 2006. ACM.
10. P. Bacher, T. Holz, M. Kotter, and G. Wicherski. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots, 2008.
11. P. Barford and V. Yegneswaran. An Inside Look at Botnets. In M. Christodorescu, S. Jha, D. Maughan, D. Song, and C. Wang, editors, Malware Detection, volume 27 of Advanced in Information Security. Springer, 2006.
12. P. Barford and V. Yegneswaran. An Inside Look at Botnets. Advances in Information Security, Malware Detection, vol. 27, 2007, Springer.
13. CAIDA. Supplemental data: Analysis of a "/0" Stealth Scan from a Botnet. http://www.caida.org/publications/papers/2012/analysis-slash-zero/ supplemental/, 2012.
14. C. Castelluccia, M. A. Kaafar, P. Manils, and D. Perito. Geolocalization of proxied services and its application to fast-flux hidden servers. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference, IMC '09, pages 184-189, New York, NY, USA, 2009. ACM.
15. J. Cheng. Symantec: Flashback botnet could generate up to $10k per day in ad clicks. http://arstechnica.com/apple/2012/05/symantec-flashback- botnet-could-generate-up-to-10kper-day-in-ad-clicks/, May 1 2012.
16. C. Y. Cho, D. Babi ć, E. C. R. Shin, and D. Song. Inference and analysis of formal models of botnet command and control protocols. In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 426-439, New York, NY, USA, 2010. ACM.
17. E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: understanding, detecting, and disrupting botnets. In Proceedings of the Steps to Reducing Unwanted Traffic on the Internet, SRUTI'05, pages 6-6, Berkeley, CA, USA, 2005. USENIX Association.
18. D. Dagon, G. Gu, C. Lee, and W. Lee. A taxonomy of botnet structures. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pages 325-339, dec. 2007.
19. A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, and A. Pescapé. Analysis of country-wide internet outages caused by censorship. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference, IMC '11, pages 1-18, New York, NY, USA, 2011. ACM.
20. J. Davis. Hackers take down the most wired country in europe. http://www.wired.com/politics/security/magazine/15-09/ff-estonia, July 1 2011.
21. Duane Wessels. Mapping the IPv4 address space, 2009. http://maps. measurement-factory.com/.
22. N. Falliere. A distributed cracker for voip. http://www.symantec.com/ connect/blogs/distributed-cracker-voip, February 15 2011.
23. N. Falliere. Sality: Story of a peer-to-peer viral network. http://www.symantec.com/content/en/us/enterprise/media/security-response/ whitepapers/sality-peer-to-peer-viral-network.pdf, July 2011.
24. S. Gauci. 11 million Euro loss in VoIP fraud.. and my VoIP logs, December 2010. http://blog.sipvicious.org/2010/12/11-millioneuro-loss-in-voip-fraud-and. html.
25. S. Gauci. Distributed sip scanning during halloween weekend. http://blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html, Nov 4 2010.
26. S. Gauci. Sipvicious. tools for auditing sip based voip systems. http://code.google.com/p/sipvicious/, Apr 2012.
27. C. W. Group. Conficker working group lessons learned. http://www.confickerworkinggroup.org/wiki/uploads/Conficker-Working-Group- Lessons-Learned-17-June-2010-final.pdf, June 2010.
28. M. W. group. Guidelines for protecting user privacy in wide traffic traces. http://mawi.wide.ad.jp/mawi/guideline.txt, Oct 1999.
29. M. W. group. Mawi working group traffic archive. http://mawi.wide.ad.jp, Apr 2012.
30. M. Gruber, F. Fankhauser, S. Taber, C. Schanes, and T. Grechenig. Security status of voip based on the observation of real-world attacks on a honeynet. In Privacy, security, risk and trust (passat), IEEE third international conference on social computing (socialcom), pages 1041-1047, oct. 2011.
31. G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008.
32. J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos, G. Bartlett, and J. Bannister. Census and survey of the visible internet. In Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, IMC '08, pages 169-182, New York, NY, USA, 2008. ACM.
33. T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET'08, pages 9:1-9:9, Berkeley, CA, USA, 2008.
34. S. Institute. Dshield.org: Distributed intrusion detection system. http://www.dshield.org, Apr 2012.
35. C. Kanich, N. Weavery, D. McCoy, T. Halvorson, C. Kreibichy, K. Levchenko, V. Paxson, G. M. Voelker, and S. Savage. Show me the money: characterizing spam-advertised revenue. In Proceedings of the 20th USENIX conference on Security, SEC'11, pages 15-15, Berkeley, CA, USA, 2011. USENIX Association.
36. C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. Spamcraft: an inside look at spam campaign orchestration. In Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more, LEET'09, pages 4-4, Berkeley, CA, USA, 2009. USENIX Association.
37. D. Leonard and D. Loguinov. Demystifying service discovery: implementing an internet-wide scanner. In Proceedings of the 10th annual conference on Internet measurement, IMC '10, pages 109-122, New York, NY, USA, 2010. ACM.
38. Z. Li, A. Goyal, and Y. Chen. Honeynet-based botnet scan traffic analysis. In W. Lee, C. Wang, and D. Dagon, editors, Botnet Detection, volume 36 of Advances in Information Security, pages 25-44. Springer, 2008.
39. Z. Li, A. Goyal, Y. Chen, and V. Paxson. Towards situational awareness of large-scale botnet probing events. Information Forensics and Security, IEEE Transactions on, 6(1):175-188, march 2011.
40. W. Lu, M. Tavallaee, and A. A. Ghorbani. Automatic discovery of botnet communities on large-scale communication networks. ASIACCS '09, pages 1-10, New York, NY, USA, 2009. ACM.
41. MaxMind. MaxMind GeoLite Country: Open Source IP Address to Country Database. http://www.maxmind.com/app/geolitecountry.
42. C. Mullaney. Android.bmaster: A million-dollar mobile botnet. http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile- botnet, February 9 2012.
43. R. Munroe. xkcd: Map of the Internet. http://xkcd.com/195/, 2006.
44. M. D. Network. bind function. http://msdn.microsoft.com/enus/library/ ms737550%28VS.85%29.aspx, 2012.
45. A. Pathak, F. Qian, Y. C. Hu, Z. M. Mao, and S. Ranjan. Botnet spam campaigns can be long lasting: evidence, implications, and analysis. SIGMETRICS '09, pages 13-24, New York, NY, USA, 2009. ACM.
46. P. Porras, H. Saidi, and V. Yegneswaran. Conficker. Technical report, SRI International, Mar 2009.
47. A. H. Project. Sip brute force attack originating from amazon ec2 hosts. http://honeynet.org.au/?q=sunday-scanner, October 25 2010.
48. A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. SIGCOMM '06, pages 291-302, New York, NY, USA, 2006. ACM.
49. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard), June 2002.
50. H. Sagan. Space-filling curves. Universitext. New York: Springer-Verlag. xv, 193 p. DM 54.00; öS 421.20; sFr. 54.00 , 1994.
51. S. Sarat and A. Terzis. Measuring the storm worm network, October 2007.
52. S. Sheldon. Sip brute force attack originating from amazon ec2 hosts. http://www.stuartsheldon.org/blog/2010/04/sipbrute-force-attack-originating- from-amazonec2-hosts/, April 11 2010.
53. S. Sheldon. Sip brute force attacks escalate over halloween weekend. http://www.stuartsheldon.org/blog/2010/11/sipbrute-force-attacks-escalate-over- halloweenweekend/, Nov 1 2010.
54. S. Shin and G. Gu. Conficker and beyond: a large-scale empirical study. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, pages 151-160, New York, NY, USA, 2010. ACM.
55. S. Shin, G. Gu, N. Reddy, and C. Lee. A large-scale empirical study of conficker. Information Forensics and Security, IEEE Transactions on, 7(2):676-690, april 2012.
56. S. Shin, Z. Xu, and G. Gu. EFFORT: Efficient and Effective Bot Malware Detection. In Proceedings of the 31th Annual IEEE Conference on Computer Communications (INFOCOM'12) Mini-Conference, March 2012.
57. S. Staniford, V. Paxson, and N. Weaver. How to own the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, pages 149-167, Berkeley, CA, USA, 2002. USENIX Association.
58. J. Stewart. Protocols and encryption of the storm botnet. http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH-US-08-Stewart- Protocols-of-the-Storm.pdf., 2008.
59. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, pages 635-647, New York, NY, USA, 2009. ACM.
60. University of Oregon. University of Oregon Route Views project. http://www.routeviews.org.
61. Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: signatures and characteristics. In Proceedings of the ACM SIGCOMM 2008 conference on Data communication, SIGCOMM '08, pages 171-182, New York, NY, USA, 2008. ACM.
62. V. Yegneswaran, P. Barford, and V. Paxson. Using honeynets for internet situational awareness. In Fourth Workshop on Hot Topics in Networks (HotNets IV), 2005.
63. M. Zalewski. p0f v3. http://lcamtuf.coredump.cx/p0f3/, 2012.
64. L. Zeltser. Targeting VoIP: Increase in SIP Connections on UDP port 5060. http://isc.sans.edu/diary.html?storyid=9193, July 2010.
65. C. C. Zou, L. Gao,W. Gong, and D. Towsley. Monitoring and early warning for internet worms. In Proceedings of the 10th ACM conference on Computer and communications security, CCS '03, pages 190-199, New York, NY, USA, 2003. ACM.