There is a newer version of this record available.

Conference paper Open Access

Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope

Hiesgen, Raphael; Nawrocki, Marcin; King, Alistair; Dainotti, Alberto; Schmidt, Thomas C.; Wählisch, Matthias


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.5668294</identifier>
  <creators>
    <creator>
      <creatorName>Hiesgen, Raphael</creatorName>
      <givenName>Raphael</givenName>
      <familyName>Hiesgen</familyName>
      <affiliation>HAW Hamburg</affiliation>
    </creator>
    <creator>
      <creatorName>Nawrocki, Marcin</creatorName>
      <givenName>Marcin</givenName>
      <familyName>Nawrocki</familyName>
      <affiliation>Freie Universität Berlin</affiliation>
    </creator>
    <creator>
      <creatorName>King, Alistair</creatorName>
      <givenName>Alistair</givenName>
      <familyName>King</familyName>
      <affiliation>Kentik</affiliation>
    </creator>
    <creator>
      <creatorName>Dainotti, Alberto</creatorName>
      <givenName>Alberto</givenName>
      <familyName>Dainotti</familyName>
      <affiliation>Georgia Tech; CAIDA, UC San Diego</affiliation>
    </creator>
    <creator>
      <creatorName>Schmidt, Thomas C.</creatorName>
      <givenName>Thomas C.</givenName>
      <familyName>Schmidt</familyName>
      <affiliation>HAW Hamburg</affiliation>
    </creator>
    <creator>
      <creatorName>Wählisch, Matthias</creatorName>
      <givenName>Matthias</givenName>
      <familyName>Wählisch</familyName>
      <affiliation>Freie Universität Berlin</affiliation>
    </creator>
  </creators>
  <titles>
    <title>Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2021</publicationYear>
  <subjects>
    <subject>Spoki</subject>
    <subject>Scanning</subject>
    <subject>Malware</subject>
    <subject>Internet Background Radiation</subject>
    <subject>Telescope</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2021-11-10</date>
  </dates>
  <language>en</language>
  <resourceType resourceTypeGeneral="ConferencePaper"/>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/5668294</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="arXiv" relationType="IsSupplementTo">arXiv:2110.05160</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.5668293</relatedIdentifier>
  </relatedIdentifiers>
  <rightsList>
    <rights rightsURI="https://opensource.org/licenses/MIT">MIT License</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;Spoki is a real-time reactive network telescope. It is written in C++ and based on actors to achieve high scalability. It comes with python tools to analyze its log files, identify downloaders, and download the linked files.&lt;/p&gt;

&lt;p&gt;We used Spoki to collect the data for our paper over the course of three months. The artifact contains the source code of its essential parts. It can be used to collect the same information (given a suitable setup) and get started with the evaluation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NOTE:&lt;/strong&gt;&amp;nbsp;If you use our tools, please cite&amp;nbsp;&lt;a href="https://www.usenix.org/conference/usenixsecurity22/presentation/hiesgen"&gt;our paper&lt;/a&gt;&amp;nbsp;as follows:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope.
R. Hiesgen, M. Nawrocki, A. King, A. Dainotti, T. C. Schmidt, and Matthias Wählisch.
Proc. of 31st USENIX Security Symposium, 2022, Berkeley, CA, USA.&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;strong&gt;Abstract&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack. This remains invisible to network telescopes, which only capture the first incoming packet, and is not observed as a related event by honeypots, either. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today&amp;#39;s scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Repository structure&lt;/strong&gt;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;spoki/&lt;/strong&gt; contains the Spoki code in C++.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;malware/&lt;/strong&gt; contains the malware tool chain in Python.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;scripts/&lt;/strong&gt; contains scripts for the setup.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;logs/&lt;/strong&gt; contains example data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Please check the README files for detailed instructions.&lt;/p&gt;</description>
  </descriptions>
</resource>
89
1
views
downloads
All versions This version
Views 8954
Downloads 11
Data volume 883.8 kB883.8 kB
Unique views 7243
Unique downloads 11

Share

Cite as