Aggressive Internet-Wide Scanners: Network Impact and Longitudinal Characterization

Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally lie within two main categories; i) benign research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and the impact on real networks of these aggressive scanners are not well understood. In this paper, via the vantage point of a large network telescope, we provide an extensive longitudinal empirical analysis of aggressive IPv4 scanners that spans a period of almost two years. Moreover, we examine their network impact using flow and packet data from two academic ISPs. To our surprise, we discover that a non-negligible fraction of packets processed by ISP routers can be attributed to aggressive scanners. Our work aims to raise the network community's awareness for these "heavy hitters", especially the miscreant ones, whose invasive and rigorous behavior i) makes them more likely to succeed in abusing the hosts they target and ii) imposes a network footprint that can be disruptive to critical network services by incurring consequences akin to denial of service attacks.