Could attackers change their IP address scanning technique to scan a larger address space with more stealth and identify hosts or services that are vulnerable to attack more efficiently? It's absolutely possible. Let me explain how.
Attackers and penetration testers use various scanning techniques to identify hosts in target networks. In a basic scan, an attacker or tester targets an IP subnet (an address block or range of IP addresses), sends traffic to the addresses within that block or range, and composes a list or enumeration of the hosts that respond.
Attackers or testers use different kinds of network traffic (ping scans, TCP SYN scans, UDP scans) to meet their scanning needs. For example, a network admin who desires speed or efficiency may choose a ping scan, which is fast but easy to detect and more likely to miss hosts behind firewalls. An attacker may choose a TCP SYN scan, which is slow but more reliable and (when randomized) harder to detect. By issuing application-specific messages, the attacker can also identify services -- Web, mail, VoIP, etc. (see Port scanning) Once this intel is gathered, the attacker can probe for specific vulnerabilities on the systems being enumerated.
Firewalls and other intrusion detection systems generally can detect network scans, for example, by monitoring how frequently traffic arrives from the same origin addresses, whether that traffic targets the same destination port (http/80, smtp/25) as it tries each address in the monitored IP block, and whether the destination addresses in traffic increment monotonically or in another readily observable pattern. Detection using parameters of this kind is manageable, because the monitoring has to observe a modest number of possible host addresses in any given network.
Now back to my original question: How could you change network scanning to do this with more stealth across a larger address space -- say, the entire IPv4 space (known as /0)? You might consider tossing the conventional scanning features out the window. For example:
- Don't monotonically increase addresses from the low-order bytes ("d" and possibly low-order bits of "c" of the a.b.c.d "dotted quad" representation of IPv4 addresses).
- Don't scan the same space too quickly (over a relatively short time interval).
- Don't scan from spoofed IPv4 addresses. • Don't scan too frequently and from the same legitimate IPv4 blocks or ASs.
These are characteristics that researchers from the Cooperative Association for Internet Data Analysis (CAIDA) and the University of Napoli Federico II observed from CAIDA's darknet over a 12-day period, correlated with other data sources, and attributed to a botnet called Sality. In their paper, the researchers describe how the botnet authors distributed and coordinated a scan for VoIP servers across the IPv4 address space from about 3 million bots. The botnet used a scanning strategy "based on reverse-byte sequential increments of target IP addresses," the paper says. Unlike scans that sweep through the lowest-order (host) bits of a given IP network, the botnet operators parceled out chunks of the higher-order (network) bits to different bots, directed each bot to scan only portions of the host bits in its assigned chunks, and collected the addresses of hosts that each bot identified. This sophisticated "orchestration" results in a scanning pattern that maximizes coverage and overlap but is unlikely to be detected by current automation methods.
This discovery will attract considerable attention because the scanning technique is a radical departure from previously known techniques. No one really knows how long this technique has been in use. The discovery is worrisome, but you can help your partners best by putting this threat into context by sharing these messages:
- Network scans may become more diverse and sophisticated in the future.
- Current scan detection methods won't detect scans of this kind.
- The detection methodology used by the researchers involved data collection and analysis from multiple and considerable resources, and it's unclear how or when security systems will be able to detect such scans.
Temper your message by reminding your IT staff or business partners that network scanning is a means by which attackers identify and acquire targets. In other words, worry less over whether you are detecting scans and more over whether the services operating on your hosts that any scan identifies are hardened against attack.