Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope
This work addresses the challenge of identifying malicious scanning activities for network security researchers and operators, though it is incremental as it builds on existing network telescope methods.
The authors tackled the problem of detecting two-phase Internet scans by designing Spoki, a reactive network telescope that responds to TCP SYN packets and records data from the second phase of scans. They found that a predominant fraction of TCP SYNs have irregular characteristics, with scans being highly targeted, varying regionally, and often originating from malicious sources.
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.