Identifying and characterizing ZMap scans: a cryptanalytic approach
Johan Mazel, Rémi Strullu

TL;DR
This paper introduces novel methods to identify ZMap scans in network traffic, enabling detection of high-speed Internet-wide scans with limited address data, and provides an in-depth analysis of their characteristics.
Contribution
The paper presents new detection techniques based on ZMap's IPv4 iteration process and evaluates their effectiveness on real-world traffic data.
Findings
Identified 28.5% of ZMap scans in real traffic
Developed methods requiring only a small number of addresses
Characterized scan targeting and speed patterns
Abstract
Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify ZMap scans with a small number of addresses extracted from the scan. We conduct an experimental evaluation of these detection methods on synthetic, network telescope, and backbone traffic. We manage to identify 28.5% of the ZMap scans in real-world traffic. We then perform an in-depth characterization of these scans regarding, for example, targeted prefix and probing speed.
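The abstract refers to ZMap's IPv4 iteration process without spelling it out. The mechanism itself is public: ZMap walks the multiplicative group of integers modulo the prime p = 2^32 + 15, multiplying a random starting element by a random primitive root at every step, treating each element below 2^32 as an IPv4 address and skipping the fifteen elements at or above 2^32. The following Python is an added illustration written for this page; it is neither the paper's identification method nor ZMap's own code. It reproduces that iteration and then shows the simplest possible consistency check: when an observer sees every probe of a scan in order (the synthetic or full-capture case), three addresses are enough to recover the generator and confirm that the rest of the sequence follows it. The function names (`zmap_order`, `infer_zmap_generator`) and the sample seed are assumptions of this example.

```python
"""ZMap-style IPv4 iteration over Z_p^* and a naive consistency check.
Added example for this page; not the paper's method and not ZMap's code."""
import ipaddress
import random

P = (1 << 32) + 15                          # prime ZMap uses: smallest prime above 2^32
P_MINUS_1_FACTORS = (2, 3, 5, 131, 364289)  # distinct prime factors of P - 1
MAX_SKIP = 15                               # group elements 2^32 .. 2^32+14 are not addresses


def is_primitive_root(g: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 for every prime q | p-1."""
    if g <= 1 or g >= P:
        return False
    return all(pow(g, (P - 1) // q, P) != 1 for q in P_MINUS_1_FACTORS)


def find_primitive_root(rng: random.Random) -> int:
    """Pick a random primitive root, as ZMap does at scan start (about 26% of
    candidates qualify, so this loop terminates quickly)."""
    while True:
        g = rng.randrange(2, P)
        if is_primitive_root(g):
            return g


def zmap_order(generator: int, start: int, count: int) -> list[str]:
    """First `count` addresses in the order a ZMap run with this generator
    would emit them, starting from group element `start` (1 <= start < 2^32)."""
    out, cur = [], start
    while len(out) < count:
        if cur < (1 << 32):                  # elements >= 2^32 are skipped
            out.append(str(ipaddress.IPv4Address(cur)))
        cur = cur * generator % P
    return out


def infer_zmap_generator(addrs: list[str], max_skip: int = MAX_SKIP):
    """Return the generator if `addrs` (in observation order) could be
    consecutive outputs of one ZMap iteration, else None.

    Assumes every probe was observed, so addrs[1] = addrs[0] * g mod p
    (a skipped element between the first two probes has probability about
    15 / 2^32 and is ignored).  Later steps tolerate up to `max_skip`
    skipped elements.  A telescope that sees only a prefix observes a
    sparse subsequence and needs more than this check."""
    vals = [int(ipaddress.IPv4Address(a)) for a in addrs]
    if len(vals) < 3 or 0 in vals:           # 0 is not in Z_p^*, ZMap never emits it
        return None
    g = vals[1] * pow(vals[0], -1, P) % P    # g = a1 / a0 in the group
    if not is_primitive_root(g):
        return None
    for prev, nxt in zip(vals[1:], vals[2:]):
        step = prev
        for _ in range(max_skip + 1):
            step = step * g % P
            if step == nxt:
                break
        else:
            return None
    return g


if __name__ == "__main__":
    rng = random.Random(7)                   # fixed seed so the run is reproducible
    g = find_primitive_root(rng)
    start = rng.randrange(1, 1 << 32)
    probes = zmap_order(g, start, 8)
    print("generator:", g)
    print("probe order:", probes)
    print("recovered generator:", infer_zmap_generator(probes))
    print("sequential /24 sweep:", infer_zmap_generator(
        ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]))
```

The check is deliberately naive: it needs the full probe sequence, it derives g from a single ratio, and it would fail on a capture that dropped even one probe. It shows why the iteration is a fingerprint at all (the ratio of consecutive targets is constant in the group), but not how to identify a scan from the sparse subset a telescope sees, which is the problem the paper addresses.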
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
