Conference paper Open Access
Hiesgen, Raphael; Nawrocki, Marcin; King, Alistair; Dainotti, Alberto; Schmidt, Thomas C.; Wählisch, Matthias
Spoki is a real-time reactive network telescope. It is written in C++ and based on actors to achieve high scalability. It comes with python tools to analyze its log files, identify downloaders, and download the linked files.
We used Spoki to collect the data for our paper over the course of three months. The artifact contains the source code of its essential parts. It can be used to collect the same information (given a suitable setup) and get started with the evaluation.
NOTE: If you use our tools, please cite our paper as follows:
Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope. R. Hiesgen, M. Nawrocki, A. King, A. Dainotti, T. C. Schmidt, and Matthias Wählisch. Proc. of 31st USENIX Security Symposium, 2022, Berkeley, CA, USA.
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack. This remains invisible to network telescopes, which only capture the first incoming packet, and is not observed as a related event by honeypots, either. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.
Please check the README files for detailed instructions.