Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (8): 1550-1556    DOI: 10.3785/j.issn.1008-973X.2020.08.013
Computer Technology
Analysis of Internet scanning behavior based on dynamic dark network
Qiu-yun WU, Wei DING*
College of Cyberspace Security, Southeast University, Nanjing 211189, China
Abstract:

To observe scanning behavior on the Internet, a real-time Internet background radiation (IBR) traffic acquisition algorithm based on a dynamic dark network was used to collect IBR traffic, and the collected traffic was analyzed. A filtering algorithm was designed to extract the scanning traffic, on which port-oriented scanning behavior was then observed. The dynamic dark network is relatively stable yet scattered, so it is not easily located, and the IBR traffic obtained through it is a reliable data source for scan analysis. IBR traffic consists mainly of transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP) traffic, with TCP accounting for more than 90%; this differs from the distribution of the three protocols in normal traffic. The TCP, UDP and ICMP components of the IBR traffic are all dominated by scanning traffic, and horizontal scanning is widely used. The most frequently scanned TCP and UDP ports are all dangerous ports, which shows that port-oriented analysis of scanning behavior plays an important role in discovering newly emerging vulnerabilities on the Internet. TCP port scanning is relatively dispersed across ports, while UDP port scanning is more concentrated.

Key words: Internet background radiation (IBR); dark network; scanning detection; scanning behavior analysis; port scan
Received: 2019-09-20    Published: 2020-08-28
CLC: TP 393.07
Funding: National Key Research and Development Program of China (2018YFB1800200)
Corresponding author: Wei DING    E-mail: qywu@njnet.edu.cn; wding@njnet.edu.cn
About the author: Qiu-yun WU (b. 1996), female, master's student, working on Internet management and security research. orcid.org/0000-0001-7716-8870. E-mail: qywu@njnet.edu.cn
Cite this article:

Qiu-yun WU, Wei DING. Analysis of Internet scanning behavior based on dynamic dark network. Journal of Zhejiang University (Engineering Science), 2020, 54(8): 1550-1556.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.08.013
http://www.zjujournals.com/eng/CN/Y2020/V54/I8/1550

Fig. 1  Protocol distribution of IBR traffic
Fig. 2  Protocol distribution of normal traffic
Fig. 3  ICMP packet classification results
Fig. 4  TCP packet classification results
Fig. 5  UDP packet classification results
Port     n               Pn / %   Pc / %   Service
23       2 020 697 594    6.212    6.212   Telnet
445      1 120 403 460    3.444    9.656   SMB
22         501 441 369    1.541   11.197   SSH
3389       313 051 184    0.962   12.159   RDP
80         259 926 595    0.799   12.958   HTTP
37215      225 917 093    0.694   13.652   Huawei HG532 router, CVE-2017-17215
1433       208 795 986    0.642   14.294   SQL Server
8080       204 845 408    0.630   14.924   Alt-HTTP
5555       203 975 022    0.627   15.551   ADB
5038       143 645 366    0.442   15.993   Asterisk server listening port
Table 1  Top TCP scanned ports, 20-26 June 2019 (n: count; Pn: n as a percentage of all TCP scan traffic; Pc: cumulative percentage)
Port     n               Pn / %   Pc / %   Service
23       1 744 165 990    5.035    5.035   Telnet
445      1 039 652 805    3.001    8.036   SMB
80         775 669 513    2.239   10.275   HTTP
22         549 943 948    1.587   11.862   SSH
3389       347 211 413    1.002   12.864   RDP
37215      277 886 064    0.802   13.666   Huawei HG532 router, CVE-2017-17215
8080       221 624 050    0.640   14.306   Alt-HTTP
1433       209 356 000    0.604   14.910   SQL Server
8545       192 044 920    0.554   15.464   Ethereum node port
5555       179 283 575    0.518   15.982   ADB
Table 2  Top TCP scanned ports, 4-10 July 2019 (n: count; Pn: n as a percentage of all TCP scan traffic; Pc: cumulative percentage)
Port     n               Pn / %   Pc / %   Service
5060       182 714 745   12.180   12.180   SIP
53413      142 737 514    9.515   21.696   Netcore (Netis) router backdoor
53          57 359 489    3.824   25.520   DNS
1900        54 719 415    3.648   29.167   SSDP
123         47 214 569    3.147   32.315   NTP
161         33 744 445    2.250   34.564   SNMP
389         31 243 000    2.083   36.647   LDAP, ILS
137         23 160 513    1.544   38.191   NetBIOS
11211       15 765 197    1.051   39.242   Memcached
19          15 421 089    1.028   40.270   Chargen
Table 3  Top UDP scanned ports, 20-26 June 2019 (n: count; Pn: n as a percentage of all UDP scan traffic; Pc: cumulative percentage)
Port     n               Pn / %   Pc / %   Service
5060       188 249 763   10.250   10.250   SIP
53413       81 318 222    4.428   14.677   Netcore (Netis) router backdoor
1900        81 186 397    4.420   19.098   SSDP
123         61 200 710    3.332   22.430   NTP
53          58 530 676    3.187   25.617   DNS
389         47 914 908    2.609   28.226   LDAP, ILS
161         30 607 468    1.667   29.892   SNMP
137         22 735 052    1.238   31.130   NetBIOS
19          19 809 086    1.079   32.209   Chargen
111         15 924 692    0.867   33.076   Sun RPC
Table 4  Top UDP scanned ports, 4-10 July 2019 (n: count; Pn: n as a percentage of all UDP scan traffic; Pc: cumulative percentage)
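The abstract describes two processing steps, filtering scan traffic out of the raw dark-network (IBR) records and then ranking destination ports, and Tables 1-4 are the output of the second step. The following is an added example, not the paper's code, that implements a minimal version of both steps over a constructed set of darknet records. Everything below that the page does not state is an assumption: the record shape (one unsolicited packet per record, with destination port 0 for ICMP), the rule that a source probing the same port on at least HORIZ_MIN distinct dark addresses is a horizontal scanner while one probing at least VERT_MIN ports on one address is a vertical scanner, the threshold values, and the sample traffic itself. The paper does not say whether its n counts packets or flows; here n counts packets.

```python
"""Scan filtering and port-oriented ranking over darknet (IBR) records.

Added example for this page; it is not the paper's code. Assumptions not
stated on the page: record shape, the horizontal/vertical scanner rules,
the thresholds, and the constructed sample traffic.
"""
from collections import Counter, defaultdict
from typing import Iterable, NamedTuple


class Record(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port, 0 for icmp


HORIZ_MIN = 3  # assumed: distinct dark addresses probed on one port
VERT_MIN = 3   # assumed: distinct ports probed on one dark address


def protocol_mix(records: Iterable[Record]) -> dict:
    """Share of each protocol in percent (the input to a chart like Fig. 1)."""
    counts = Counter(r.proto for r in records)
    total = sum(counts.values())
    return {proto: 100.0 * n / total for proto, n in counts.items()}


def classify_scanners(records: Iterable[Record]):
    """Return horizontal scanners as (src, proto, port) and vertical scanners
    as (src, proto, dst)."""
    dsts_per_src_port = defaultdict(set)
    ports_per_src_dst = defaultdict(set)
    for r in records:
        dsts_per_src_port[(r.src, r.proto, r.dport)].add(r.dst)
        ports_per_src_dst[(r.src, r.proto, r.dst)].add(r.dport)
    horizontal = {k for k, dsts in dsts_per_src_port.items() if len(dsts) >= HORIZ_MIN}
    vertical = {k for k, ports in ports_per_src_dst.items() if len(ports) >= VERT_MIN}
    return horizontal, vertical


def filter_scan_records(records: Iterable[Record]) -> list:
    """Keep only packets sent by a horizontal or vertical scanner; stray
    single packets (backscatter, misconfiguration) are dropped."""
    records = list(records)
    horizontal, vertical = classify_scanners(records)
    return [r for r in records
            if (r.src, r.proto, r.dport) in horizontal
            or (r.src, r.proto, r.dst) in vertical]


def top_ports(scan_records: Iterable[Record], proto: str, k: int = 10) -> list:
    """Rows (port, n, Pn, Pc) in the form of Tables 1-4: n is the packet
    count, Pn its share of this protocol's scan packets in %, Pc the
    cumulative share."""
    counts = Counter(r.dport for r in scan_records if r.proto == proto)
    total = sum(counts.values())
    rows, cumulative = [], 0.0
    for port, n in counts.most_common(k):
        share = 100.0 * n / total
        cumulative += share
        rows.append((port, n, round(share, 3), round(cumulative, 3)))
    return rows


# Constructed sample: 20 packets arriving at the dark prefix 203.0.113.0/24.
SAMPLE = (
    [Record("198.51.100.7", f"203.0.113.{i}", "tcp", 23) for i in range(1, 6)]       # Telnet sweep
    + [Record("198.51.100.9", f"203.0.113.{i}", "tcp", 445) for i in range(1, 5)]    # SMB sweep
    + [Record("198.51.100.20", "203.0.113.9", "tcp", p) for p in (21, 22, 80, 443)]  # vertical scan
    + [Record("198.51.100.33", f"203.0.113.{i}", "udp", 5060) for i in range(1, 4)]  # SIP sweep
    + [Record("192.0.2.5", "203.0.113.2", "udp", 53)]                                 # stray packet
    + [Record("192.0.2.8", f"203.0.113.{i}", "icmp", 0) for i in range(1, 4)]         # ping sweep
)

if __name__ == "__main__":
    scans = filter_scan_records(SAMPLE)
    print("protocol mix (%):", protocol_mix(SAMPLE))
    print(f"{len(scans)} of {len(SAMPLE)} records are scan traffic")
    for proto in ("tcp", "udp", "icmp"):
        print(proto, top_ports(scans, proto))
```

On the sample, the lone UDP/53 packet is the only record that is not attributed to a scanner, so 19 of 20 records survive the filter; the Telnet sweep then heads the TCP ranking exactly as port 23 heads Tables 1 and 2. Thresholds of 3 only make sense for a toy input; on a real dark network the paper's data volumes (billions of packets per week) call for much higher thresholds and for a time window, otherwise slow scanners and repeated backscatter from one victim are mixed together.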