An Investigation into Collaborative Scanners

Manually detecting and tracking collaborative scanners’ behaviour over a prolonged period


Abstract

Port scanning is a technique often used by adversaries to detect vulnerable services running on a machine. Existing defence mechanisms can detect fast, single-source port scanning, but one way to remain hidden is to distribute the scan across multiple hosts. These distributed groups of machines can divide the address space among themselves, collaboratively scan the whole Internet within minutes, and remain relatively hidden.
This paper proposes a simple method to detect these collaborative scanners based on the TCP/IP header and demonstrates its efficiency. It also tracks these scanners over a longer period and describes their behaviour and how it develops over time, including the infrastructure they use, the specific ports they target, and other relevant details. This perspective has not previously been explored in the academic literature, and we consider it important for giving defenders a better understanding of the threats they face.
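The header-based grouping the abstract describes, as an added example that is not the paper's own method: it assumes the fingerprint is built from destination port, TTL, TCP window and option layout (the abstract does not name the fields it uses), and reports sources that share a fingerprint while targeting near-disjoint destination slices as one collaborative group. The SYN records below are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    src: str
    dst: str
    dport: int
    ttl: int
    window: int
    options: str  # rendered TCP option layout, e.g. "mss1460,sack,ts,ws7"


# Constructed sample: three sources share one header fingerprint and split
# 10.0.0.0/24 into disjoint slices; 198.51.100.9 is an unrelated lone scanner.
SAMPLE = (
    [Syn("203.0.113.1", f"10.0.0.{i}", 22, 54, 65535, "mss1460") for i in range(0, 10)]
    + [Syn("203.0.113.2", f"10.0.0.{i}", 22, 54, 65535, "mss1460") for i in range(10, 20)]
    + [Syn("203.0.113.3", f"10.0.0.{i}", 22, 54, 65535, "mss1460") for i in range(20, 30)]
    + [Syn("198.51.100.9", f"10.0.0.{i}", 22, 64, 29200, "mss1460,sack,ts,ws7") for i in range(30)]
)


def fingerprint(s: Syn) -> tuple:
    # Assumed field set; TTL drifts with path length, so real deployments
    # would bucket it (e.g. by initial-TTL class) rather than match exactly.
    return (s.dport, s.ttl, s.window, s.options)


def find_collaborative_groups(syns, min_sources=2, max_overlap=0.05):
    """Group sources by header fingerprint and keep groups whose members
    cover (near-)disjoint destination sets, i.e. a partitioned scan."""
    targets = defaultdict(lambda: defaultdict(set))  # fp -> src -> {dst}
    for s in syns:
        targets[fingerprint(s)][s.src].add(s.dst)
    groups = []
    for fp, by_src in targets.items():
        if len(by_src) < min_sources:
            continue
        union = set().union(*by_src.values())
        total = sum(len(v) for v in by_src.values())
        overlap = 1 - len(union) / total  # 0.0 when the slices are disjoint
        if overlap <= max_overlap:
            groups.append({"fingerprint": fp, "sources": sorted(by_src),
                           "coverage": len(union), "overlap": overlap})
    return groups


if __name__ == "__main__":
    for g in find_collaborative_groups(SAMPLE):
        print(g)
```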