Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally fall into two main categories: i) benign, research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and impact on real networks of these aggressive scanners are not well understood. In this paper, via the vantage point of a large network telescope, we provide an extensive longitudinal empirical analysis of aggressive IPv4 scanners that spans a period of almost two years. Moreover, we examine their network impact using flow and packet data from two academic ISPs. To our surprise, we discover that a non-negligible fraction of the packets processed by ISP routers can be attributed to aggressive scanners. Our work aims to raise the network community's awareness of these "heavy hitters", especially the miscreant ones, whose invasive and rigorous behavior i) makes them more likely to succeed in abusing the hosts they target and ii) imposes a network footprint that can be disruptive to critical network services by incurring consequences akin to denial-of-service attacks.
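The two traits the abstract uses to define an aggressive scanner, breadth (many distinct targets) and persistence (activity across many days), can be turned into a simple heavy-hitter filter over telescope flow records. The following is an added illustration, not code from the paper; the flow records, the RFC 5737 addresses and the thresholds `min_dsts` and `min_days` are constructed assumptions, and the final function computes the share of observed packets attributable to the flagged sources, the quantity the paper reports for ISP routers.

```python
from collections import defaultdict

# Constructed sample telescope flow records: (day, src, dst, dport, packets).
# Addresses come from RFC 5737 documentation ranges; the scenario is invented.
FLOWS = [
    ("day1", "203.0.113.7", "198.51.100.10", 22, 2),
    ("day1", "203.0.113.7", "198.51.100.11", 22, 2),
    ("day1", "203.0.113.7", "198.51.100.12", 23, 2),
    ("day2", "203.0.113.7", "198.51.100.13", 445, 2),
    ("day2", "203.0.113.7", "198.51.100.14", 3389, 2),
    ("day3", "203.0.113.7", "198.51.100.15", 22, 2),
    ("day1", "203.0.113.9", "198.51.100.10", 80, 5),    # one-off probe
    ("day2", "203.0.113.11", "198.51.100.20", 443, 40),  # noisy, single target
]


def aggregate(flows):
    """Per-source summary: distinct targets, distinct ports, active days, packets."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "days": set(), "packets": 0})
    for day, src, dst, dport, pkts in flows:
        s = stats[src]
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["days"].add(day)
        s["packets"] += pkts
    return stats


def heavy_hitters(stats, min_dsts=5, min_days=2):
    """Flag sources that are both immoderate (>= min_dsts distinct targets)
    and persistent (seen on >= min_days distinct days). Thresholds are assumed."""
    return {src for src, s in stats.items()
            if len(s["dsts"]) >= min_dsts and len(s["days"]) >= min_days}


def attributed_share(stats, hitters):
    """Fraction of all observed packets sent by the flagged heavy hitters."""
    total = sum(s["packets"] for s in stats.values())
    if total == 0:
        return 0.0
    return sum(stats[h]["packets"] for h in hitters) / total


if __name__ == "__main__":
    st = aggregate(FLOWS)
    hh = heavy_hitters(st)
    print("heavy hitters:", sorted(hh))
    print(f"packet share: {attributed_share(st, hh):.3f}")
```

Note that the 40-packet source is not flagged: the filter keys on breadth and persistence rather than raw volume, which is what separates a scanner sweeping address space from a chatty but legitimate client.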