Coping with Scanners
It can be argued that there is no unwanted traffic on the Internet; even scans and DDoS are wanted, usually outbound, by the miscreants running them. However there is a lot of Internet traffic we good folks don’t want, either because it consumes our links, or it shows up in query results and clouds our analysis. We’re solving the issue of scanners using the same global visibility that informs our analysis tools.
Graph 1: quantities of traffic matching filters versus total traffic
(BARS is Team Cymru’s Botnet Analysis and Reporting System)
We built a list of scanners using our global sensor data and then filtered our network visibility based on that list. What did we learn? In a six-hour period, 17.535% of all traffic is to or from known scanners. Over a 24-hour period the percentage of traffic involving known scanners is 17.19%. These include port scanners, honeypot interactions, Darknet visits, SCADA probes and more.
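The measurement above is a list match over flow records: build a set of scanner addresses and prefixes, tag every flow whose source or destination hits that set, and report the tagged share by flow count and by bytes. The following is an added illustration written for this page, not Team Cymru's code and not how BARS or Augury work internally; the scanner entries and flow records are constructed sample data using documentation address ranges, and the 10.0.0.0/8 hosts stand in for a monitored network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record: source, destination, destination port, byte count."""
    src: str
    dst: str
    dport: int
    bytes: int


# Constructed scanner list (hypothetical; in practice this comes from sensor data).
SCANNER_LIST = [
    "192.0.2.0/24",    # constructed: a block seen port-scanning sensors
    "198.51.100.7",    # constructed: single host visiting a Darknet
    "203.0.113.42",    # constructed: host probing SCADA ports
]


def build_scanner_networks(entries):
    """Parse plain addresses and CIDR blocks into network objects (a /32 for a host)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_scanner(addr, networks):
    """True if addr falls inside any listed scanner prefix.

    An IPv6 address is never 'in' an IPv4 prefix (membership is False across
    versions), so mixed lists work without special handling. Unparsable
    strings raise ValueError rather than being silently treated as clean.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def involves_scanner(flow, networks):
    """A flow counts as scanner traffic if either endpoint is a known scanner."""
    return is_scanner(flow.src, networks) or is_scanner(flow.dst, networks)


def scanner_share(flows, networks):
    """Return (percent of flows, percent of bytes) touching a known scanner."""
    total_flows = len(flows)
    total_bytes = sum(f.bytes for f in flows)
    hits = [f for f in flows if involves_scanner(f, networks)]
    hit_bytes = sum(f.bytes for f in hits)
    flow_pct = 100.0 * len(hits) / total_flows if total_flows else 0.0
    byte_pct = 100.0 * hit_bytes / total_bytes if total_bytes else 0.0
    return round(flow_pct, 3), round(byte_pct, 3)


def filter_scanners(flows, networks, drop=True):
    """The analyst's toggle: drop scanner flows, or return everything unchanged."""
    if not drop:
        return list(flows)
    return [f for f in flows if not involves_scanner(f, networks)]


SCANNER_NETWORKS = build_scanner_networks(SCANNER_LIST)

# Constructed flow records: four touch a scanner, four do not.
SAMPLE_FLOWS = [
    Flow("192.0.2.15", "10.0.0.5", 22, 60),           # scanner source
    Flow("10.0.0.5", "93.184.216.34", 443, 5000),
    Flow("198.51.100.7", "10.0.0.9", 23, 40),         # scanner source
    Flow("10.0.0.9", "10.0.0.10", 445, 12000),
    Flow("10.0.0.12", "203.0.113.42", 502, 300),      # scanner destination
    Flow("10.0.0.5", "93.184.216.34", 80, 5400),
    Flow("192.0.2.200", "10.0.0.5", 3389, 60),        # scanner source
    Flow("10.0.0.3", "8.8.8.8", 53, 140),
]


if __name__ == "__main__":
    flow_pct, byte_pct = scanner_share(SAMPLE_FLOWS, SCANNER_NETWORKS)
    print(f"known-scanner share: {flow_pct}% of flows, {byte_pct}% of bytes")
    for f in filter_scanners(SAMPLE_FLOWS, SCANNER_NETWORKS):
        print(f"kept  {f.src} -> {f.dst}:{f.dport} ({f.bytes} B)")
```

Note the two percentages diverge sharply: scanner flows are numerous but tiny, so a count-based view overstates their link cost while a byte-based view understates how much they clutter query results. Reporting both, as the graph above does, keeps the filter's effect honest.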
By allowing an analyst the option of filtering out those scanners, we enable the analyst to fine-tune the data to their needs. We’ve found this helps us to focus on the relevant without obviously irrelevant distractions. With the volumes of data we peruse in Augury and our other tools, this is a necessary feature. Otherwise, the flood of data from our expansive visibility becomes a glass of water to a drowning person.