%0 Conference Proceedings
%T How Dangerous Is Internet Scanning?
%+ Eidgenössische Technische Hochschule - Swiss Federal Institute of Technology [Zürich] (ETH Zürich)
%+ Institute of Computer Science [FORTH, Heraklion] (ICS-FORTH)
%+ University of California [San Diego] (UC San Diego)
%A Raftopoulos, Elias
%A Glatz, Eduard
%A Dimitropoulos, Xenofontas
%A Dainotti, Alberto
%Z Part 4: Security
%< avec comité de lecture
%( Lecture Notes in Computer Science
%B 7th Workshop on Traffic Monitoring and Analysis (TMA)
%C Barcelona, Spain
%Y Moritz Steiner
%Y Pere Barlet-Ros
%Y Olivier Bonaventure
%3 Traffic Monitoring and Analysis
%V LNCS-9053
%P 158-172
%8 2015-04-21
%D 2015
%R 10.1007/978-3-319-17172-2_11
%K Botnet characterization
%K Network scanning
%K IDS
%K Netflow
%Z Computer Science [cs]
%Z Computer Science [cs]/Networking and Internet Architecture [cs.NI]Conference papers
%X Internet scanning is a de facto background traffic noise that is not clear if it poses a dangerous threat, i.e., what happens to scanned hosts? what is the success rate of scanning? and whether the problem is worth investing significant effort and money on mitigating it, e.g., by filtering unwanted traffic? In this work we take a first look into Internet scanning from the point of view of scan repliers using a unique combination of data sets which allows us to estimate how many hosts replied to scanners and whether they were subsequently attacked in an actual network. To contain our analysis, we focus on a specific interesting scanning event that was orchestrated by the Sality botnet during February 2011 which scanned the entire IPv4 address space. By analyzing unsampled NetFlow records, we show that 2 % of the scanned hosts actually replied to the scanners. Moreover, by correlating scan replies with IDS alerts from the same network, we show that significant exploitation activity followed towards the repliers, which eventually led to an estimated 8 % of compromised repliers. These observations suggest that Internet scanning is dangerous: in our university network, at least 142 scanned hosts were eventually compromised. World-wide, the number of hosts that were compromised in response to the studied event is likely much larger.
%G English
%Z TC 6
%Z WG 6.6
%2 https://hal.science/hal-01411192/document
%2 https://hal.science/hal-01411192/file/336978_1_En_11_Chapter.pdf
%L hal-01411192
%U https://hal.science/hal-01411192
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC6
%~ IFIP-TMA
%~ IFIP-WG6-6
%~ IFIP-LNCS-9053