Examining Port Scan Attacks Via Data From Darknets

Port scanning is a preliminary approach that is most commonly used by hackers in order to determine vulnerable hosts that they can attack successfully. Scanning is a fully automated process that is utilized by hackers to detect machines, servers and peripherals that exist on a given network. A successful scan can yield details of machines discovered on the scanned network including device names, IP addresses, operating systems, running programs/services, usernames, groups and open ports. Scanning is usually performed prior to launching an attack. There are four different types of approaches for network port scanning;

• Horizontal scan throughout which the attacker scans the same port on multiple machines, i.e. multiple IP addresses. The attacker aims at finding hosts that expose certain services. As such, he/she scans certain port(s) on all machines, i.e. IP addresses, within a specific range of interest. Horizontal scan represents the most commonly used port scan type used by hackers nowadays. Due to the fact that such attack forms target a relatively wide range of machines, or IP addresses, rather than a single one, they usually drop into darknets.
• Vertical scan throughout which the attacker scans multiple ports on the same machine, i.e. the same IP address.
• Distributed vertical scan throughout which several sources scan multiple ports on a single IP address in a sequential manner.
• Distributed horizontal scan throughout which several sources scan the same destination port on multiple IP addresses in a sequential manner. During distributed scans, the attackers’ IP addresses change frequently which renders detection rather difficult.

Distributed vertical scans and distributed horizontal scans are often associated with collaborative attacks, which represent one of today’s most sophisticated forms of attacks that are executed by multiple attackers. Collaborative attacks are sometimes described as “next generation cyber-attacks”. Distributed denial-of-service (DDoS) attacks are forms of collaborative attacks that can involve multiple compromised machines.

A recently published study presented a novel approach that helps in discovering port scanning patterns and the properties of various port scan attacks. The new approach relies on graph mining and graph modeling. The study provides important information to security analysts regarding what services are namely targeted and the relationships among the most commonly scanned ports, which is extremely helpful in assessing the approach and skills of the attacker(s). The creators of the new approach applied their method to data obtained from a large bulk of darknet data, i.e. a full/20 network where there were no hosted services or machines to detect and study various scanning activities.

The study concluded that horizontal scanning attacks are the most common type of scan attacks used today by hackers accounting for approximately 80% of all non-Coinficker scan network traffic. The newly developed approach relies on normal modes of behavior to identify distributed scan attacks within darknet environments. The approach permits monitoring of all possible UDP and TCP ports and the alerts may be associated with different levels which reflects the relative scales of various attacks and compares them to the normal modes of behavior of the corresponding ports. The approach builds on an index, known as the BH-tree, which was introduced in 2013 to accelerate the processes of learning and detection and proved to be extremely efficient.

The experiments conducted by the developers of the approach, using data obtained from real darknet traffic, proved that the proposed method is not only efficient, but also fast. Moreover, the approach permits cleaning of anomalies within the learning data, during the learning phase, as proved throughout the experiments conducted during the study. Even though the study focused namely on distributed scan attacks, throughout which several sources attack the same port on multiple target machines, or IP addresses, this approach can be easily customized to monitor distributed scan attacks which are marked by several sources attacking multiple ports on multiple target machines, or IP addresses.

Even though the proposed approach was formulated and experimented on darknet traffic, it can be also adapted to be applied to ordinary networks and traffic across the surface web. More studies are needed though to examine the applicability and usefulness of the proposed approach in monitoring traffic on the surface web.