Analysis of a “/0” stealth scan from a botnet

Jump to navigation Jump to search

(Publication) Google search: [1]

Analysis of a “/0” stealth scan from a botnet
Botnet Sality
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012 / November 2012
Link slash zero/analysis slash zero.pdf (Archive copy)
Author Alberto Dainotti, Alistair King, Kimberly Claffy, Ferdinando Papale, Antonio Pescapé


Botnets are the most common vehicle of cyber-criminal activity.

They are used for spamming, phishing, denial of service attacks,brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February of last year. This 12-day scan originated from approximately 3 million distinct IP addresses, and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers, its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This work offers a detailed dissection of the botnet’s scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1176,
   editor = {},
   author = {Alberto Dainotti, Alistair King, Kimberly Claffy, Ferdinando Papale, Antonio Pescapé},
   title = {Analysis of a “/0” stealth scan from a botnet},
   date = {01},
   month = Nov,
   year = {2012},
   howpublished = {\url{}},