Coping with Scanners

It can be argued that there is no unwanted traffic on the Internet; even scans and DDoS are wanted, usually outbound, by the miscreants running them.  However there is a lot of Internet traffic we good folks don’t want, either because it consumes our links, or it shows up in query results and clouds our analysis.  We’re solving the issue of scanners using the same global visibility that informs our analysis tools.

Graph 1: Shows quantities of traffic matching filters versus total
(BARS is Team Cymru’s Botnet Analysis and Reporting System)

We built a list of scanners using our global sensor data and then filtered our network visibility based on that list. What did we learn? In a six hour period, 17.535% of all traffic is to or from known scanners. Over a 24 hour period the percentage of traffic involving known scanners is 17.19%. These include port scanners, honeypot interactions, Darknet visits, SCADA probes and more.

By allowing an analyst the option of filtering out those scanners, we enable the analyst to fine tune the data to their needs. We’ve found this helps us to focus on the relevant without obviously irrelevant distractions. With the volumes of data we peruse in Augury and our other tools, this is a necessary feature. Otherwise, the flood of data from our expansive visibility becomes a glass of water to a drowning person.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Up ↑

%d bloggers like this: