Abstract
To separate malicious from non-malicious scanning, a method for filtering non-malicious scanning traffic based on a whitelist is proposed. First, the scanning hosts of the well-known security organization Shadowserver Foundation are taken as the basis of the whitelist, and the subset of Shadowserver scanning hosts that can be found through the Shodan search engine forms the initial whitelist. Second, using this initial whitelist together with Internet Background Radiation (IBR) traffic captured at the border of the CERNET Nanjing master node, the TCP scanning traffic belonging to the initial whitelist hosts is filtered out. Finally, by analysing the scanning behaviour of this traffic, a complete whitelist acquisition algorithm is designed and run to find all whitelist hosts. The experimental results show that 229 whitelist hosts are found; their IP addresses are mainly distributed over four /26 network segments, in three of which the addresses are contiguous, while the fourth also follows a discernible pattern. In addition, based on the traffic data collected during the experiment, two cases of scanning for port 30022 and port 445 (ransomware) are presented and analysed.
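The whitelist-based filtering pipeline the abstract describes, as an added Python example that is not the paper's own code or algorithm: one-way TCP SYN probes are profiled per source host, the initial whitelist hosts define a reference set of probed ports, and other sources in the same /26 blocks whose probe profile matches that reference are promoted into the complete whitelist, after which whitelisted scan flows are separated from the remaining IBR traffic. The flow records, the addresses (RFC 5737 documentation ranges), the /26 grouping and the minimum-port and overlap thresholds are all assumptions made for illustration; the paper's actual acquisition algorithm is not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of unidirectional IBR flow records: (source IP, destination port,
# TCP flags). Addresses are from RFC 5737 documentation ranges; none is a real scanner.
SAMPLE_FLOWS = [
    ("198.51.100.5", 445, "S"), ("198.51.100.5", 30022, "S"), ("198.51.100.5", 23, "S"),
    ("198.51.100.9", 445, "S"), ("198.51.100.9", 30022, "S"),
    ("198.51.100.12", 445, "S"), ("198.51.100.12", 30022, "S"),   # same /26, same ports
    ("198.51.100.20", 22, "S"), ("198.51.100.20", 3389, "S"), ("198.51.100.20", 80, "S"),
    ("198.51.100.70", 445, "S"), ("198.51.100.70", 30022, "S"),   # same ports, other /26
    ("203.0.113.77", 445, "S"),
    ("192.0.2.10", 445, "SA"),   # not a one-way probe, ignored by the profiler
]

# Constructed initial whitelist (stands in for scanner hosts located via Shodan).
INITIAL_WHITELIST = {"198.51.100.5", "198.51.100.9"}
PREFIX_LEN = 26      # assumption: scanner pools are grouped in /26 blocks
MIN_PORTS = 2        # assumption: a candidate must probe at least this many ports
MIN_OVERLAP = 0.8    # assumption: share of a candidate's ports the reference set must cover


def scan_profiles(flows):
    """Map each source to the set of ports it probed with SYN-only (one-way) flows."""
    profiles = defaultdict(set)
    for src, dport, flags in flows:
        if flags == "S":
            profiles[src].add(dport)
    return profiles


def expand_whitelist(flows, initial, prefix_len=PREFIX_LEN):
    """Grow the initial whitelist to a complete one.

    A source is added when it lies in a /prefix_len block already containing a
    whitelisted host AND its probed-port profile is covered by the reference profile
    built from the initial hosts. The prefix constraint keeps a host elsewhere that
    merely imitates the port pattern from being whitelisted.
    """
    profiles = scan_profiles(flows)
    reference = set().union(*(profiles[h] for h in initial if h in profiles))
    prefixes = {ipaddress.ip_network(f"{h}/{prefix_len}", strict=False) for h in initial}
    complete = set(initial)
    for src, ports in profiles.items():
        if src in complete or len(ports) < MIN_PORTS:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in p for p in prefixes):
            continue
        overlap = len(ports & reference) / len(ports)
        if overlap >= MIN_OVERLAP:
            complete.add(src)
    return complete


def split_flows(flows, whitelist):
    """Separate flows from whitelisted (non-malicious) scanners from the rest."""
    benign = [f for f in flows if f[0] in whitelist]
    remaining = [f for f in flows if f[0] not in whitelist]
    return benign, remaining


if __name__ == "__main__":
    wl = expand_whitelist(SAMPLE_FLOWS, INITIAL_WHITELIST)
    benign, remaining = split_flows(SAMPLE_FLOWS, wl)
    print("complete whitelist:", sorted(wl, key=ipaddress.ip_address))
    print(f"{len(benign)} whitelisted scan flows removed, {len(remaining)} flows remain")
```

On the sample data the host 198.51.100.12 is promoted because it sits in the same /26 as the initial hosts and probes the same ports, whereas 198.51.100.70 probes the identical ports but lies in a different /26 and is therefore left in the remaining traffic for separate analysis. Whitelist growth should stay conservative in this way: a host that only matches the port pattern is not evidence of belonging to the same scanning organization.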
Source
《东南大学学报(自然科学版)》 (Journal of Southeast University: Natural Science Edition), 2017, No. A01, pp. 25-29 (5 pages)
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
Funding
National Natural Science Foundation of China (Grant No. 61602114)