Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.

翻译：大型互联网扫描是识别特定袭击受害者的一种常见方法。 像 ZMap 那样的静态扫描已被确定为在ZMap 这样的静态扫描是一种高效的互联网测试方法。 但是, 静态扫描需要第二阶段来进行攻击, 网络望远镜仍然看不见, 网络望远镜只能捕捉第一个进货包, 蜂蜜罐没有观察到与此相关的事件。 在这项工作中, 我们检查通过Spoki 进行实时运行的被动网络望远镜Spoki 进行网络扫描。 Spoki 响应不同步的 TCP SYN 软件包, 并参与在第二阶段两阶段扫描中启动的 TCP 手握。 因为它的重量极轻到大前缀, 因为它拥有独特的机会记录在TCP Hocke ACK中提交的第一个数据序列。 我们用全球部署的Spoki 被动反应望远镜以及来自 IXP 和 ISP 的流数据组在三个月内分析两阶段的扫描器。 我们发现, TCP SYN 的主要部分, 在互联网的双级扫描源之间, 明显有非正常的特征( ) 。