{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T18:27:23Z","timestamp":1773772043121,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","license":[{"start":{"date-parts":[[2012,11,14]],"date-time":"2012-11-14T00:00:00Z","timestamp":1352851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2012,11,14]]},"DOI":"10.1145\/2398776.2398778","type":"proceedings-article","created":{"date-parts":[[2012,11,20]],"date-time":"2012-11-20T15:50:26Z","timestamp":1353426626000},"page":"1-14","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":55,"title":["Analysis of a \"\/0\" stealth scan from a botnet"],"prefix":"10.1145","author":[{"given":"Alberto","family":"Dainotti","sequence":"first","affiliation":[{"name":"CAIDA, UCSD, La Jolla, California, USA"}]},{"given":"Alistair","family":"King","sequence":"additional","affiliation":[{"name":"CAIDA, UCSD, La Jolla, California, USA"}]},{"given":"kc","family":"Claffy","sequence":"additional","affiliation":[{"name":"CAIDA, UCSD, La Jolla, California, USA"}]},{"given":"Ferdinando","family":"Papale","sequence":"additional","affiliation":[{"name":"University of Napoli Federico II, Naples, Italy"}]},{"given":"Antonio","family":"Pescap\u00e8","sequence":"additional","affiliation":[{"name":"University of Napoli Federico II, Naples, Italy"}]}],"member":"320","published-online":{"date-parts":[[2012,11,14]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"AfriNIC: The Registry of Internet Number Resources for Africa. http:\/\/www.afrinic.net.  AfriNIC: The Registry of Internet Number Resources for Africa. http:\/\/www.afrinic.net."},{"key":"e_1_3_2_2_2_1","unstructured":"Cuttlefish. http:\/\/www.caida.org\/tools\/visualization\/cuttlefish\/.  Cuttlefish. http:\/\/www.caida.org\/tools\/visualization\/cuttlefish\/."},{"key":"e_1_3_2_2_3_1","unstructured":"RIPE NCC: Routing Information Service (RIS). http:\/\/www.ripe.net\/data-tools\/stats\/ris\/routing-information-service.  RIPE NCC: Routing Information Service (RIS). http:\/\/www.ripe.net\/data-tools\/stats\/ris\/routing-information-service."},{"key":"e_1_3_2_2_4_1","unstructured":"Secureworks. ozdok\/mega-d trojan analysis. http:\/\/www.secureworks.com\/research\/threats\/ozdok\/.  Secureworks. ozdok\/mega-d trojan analysis. http:\/\/www.secureworks.com\/research\/threats\/ozdok\/."},{"key":"e_1_3_2_2_5_1","unstructured":"tcpdump. http:\/\/www.tcpdump.org.  tcpdump. http:\/\/www.tcpdump.org."},{"key":"e_1_3_2_2_6_1","unstructured":"The asterisk-users mailing-list archives. http:\/\/lists.digium.com\/pipermail\/asterisk-users\/2010-November\/thread.html November 2010.  The asterisk-users mailing-list archives. http:\/\/lists.digium.com\/pipermail\/asterisk-users\/2010-November\/thread.html November 2010."},{"key":"e_1_3_2_2_7_1","unstructured":"UCSD Network Telescope 2010. http:\/\/www.caida.org\/data\/passive\/network_telescope.xml.  UCSD Network Telescope 2010. http:\/\/www.caida.org\/data\/passive\/network_telescope.xml."},{"key":"e_1_3_2_2_8_1","unstructured":"The voipsec mailing-list archives. http:\/\/voipsa.org\/pipermail\/voipsec_voipsa.org\/2010-November\/thread.html November 2010.  The voipsec mailing-list archives. http:\/\/voipsa.org\/pipermail\/voipsec_voipsa.org\/2010-November\/thread.html November 2010."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"e_1_3_2_2_10_1","unstructured":"P. Bacher T. Holz M. Kotter and G. Wicherski. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots 2008.  P. Bacher T. Holz M. Kotter and G. Wicherski. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots 2008."},{"key":"e_1_3_2_2_11_1","unstructured":"P.\n       \n      Barford\n     and \n      \n      \n      V.\n       \n      Yegneswaran\n      \n  \n  . \n  An Inside Look at Botnets. In M. Christodorescu S. Jha D. Maughan D. Song and C. Wang editors Malware Detection volume \n  27\n   of \n  Advanced in Information Security\n  . \n  Springer 2006\n  .  P. Barford and V. Yegneswaran. An Inside Look at Botnets. In M. Christodorescu S. Jha D. Maughan D. Song and C. Wang editors Malware Detection volume 27 of Advanced in Information Security. Springer 2006."},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-44599-1_8"},{"key":"e_1_3_2_2_13_1","unstructured":"CAIDA. Supplemental data: Analysis of a \"\/0\" Stealth Scan from a Botnet. http:\/\/www.caida.org\/publications\/papers\/2012\/analysis_slash_zero\/supplemental\/ 2012.  CAIDA. Supplemental data: Analysis of a \"\/0\" Stealth Scan from a Botnet. http:\/\/www.caida.org\/publications\/papers\/2012\/analysis_slash_zero\/supplemental\/ 2012."},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644915"},{"key":"e_1_3_2_2_15_1","unstructured":"J. Cheng. Symantec: Flashback botnet could generate up to$10k per day in ad clicks. http:\/\/arstechnica.com\/apple\/2012\/05\/symantec-flashback-botnet-could-generate-up-to-10k-per-day-in-ad-clicks\/ May 1 2012.  J. Cheng. Symantec: Flashback botnet could generate up to$10k per day in ad clicks. http:\/\/arstechnica.com\/apple\/2012\/05\/symantec-flashback-botnet-could-generate-up-to-10k-per-day-in-ad-clicks\/ May 1 2012."},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866355"},{"key":"e_1_3_2_2_17_1","first-page":"6","volume-title":"Proceedings of the Steps to Reducing Unwanted Traffic on the Internet, SRUTI'05","author":"Cooke E.","year":"2005"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.44"},{"key":"e_1_3_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068818"},{"key":"e_1_3_2_2_20_1","unstructured":"J. Davis. Hackers take down the most wired country in europe. http:\/\/www.wired.com\/politics\/security\/magazine\/15-09\/ff_estonia July 1 2011.  J. Davis. Hackers take down the most wired country in europe. http:\/\/www.wired.com\/politics\/security\/magazine\/15-09\/ff_estonia July 1 2011."},{"key":"e_1_3_2_2_21_1","unstructured":"Duane Wessels. Mapping the IPv4 address space 2009. http:\/\/maps.measurement-factory.com\/.  Duane Wessels. Mapping the IPv4 address space 2009. http:\/\/maps.measurement-factory.com\/."},{"key":"e_1_3_2_2_22_1","unstructured":"N. Falliere. A distributed cracker for voip. http:\/\/www.symantec.com\/connect\/blogs\/distributed-cracker-voip February 15 2011.  N. Falliere. A distributed cracker for voip. http:\/\/www.symantec.com\/connect\/blogs\/distributed-cracker-voip February 15 2011."},{"key":"e_1_3_2_2_23_1","unstructured":"N. Falliere. Sality: Story of a peer-to-peer viral network. http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/sality_peer_to_peer_viral_network.pdf July 2011.  N. Falliere. Sality: Story of a peer-to-peer viral network. http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/sality_peer_to_peer_viral_network.pdf July 2011."},{"key":"e_1_3_2_2_24_1","unstructured":"S. Gauci. 11 million Euro loss in VoIP fraud.. and my VoIP logs December 2010. http:\/\/blog.sipvicious.org\/2010\/12\/11-million-euro-loss-in-voip-fraud-and.html.  S. Gauci. 11 million Euro loss in VoIP fraud.. and my VoIP logs December 2010. http:\/\/blog.sipvicious.org\/2010\/12\/11-million-euro-loss-in-voip-fraud-and.html."},{"key":"e_1_3_2_2_25_1","unstructured":"S. Gauci. Distributed sip scanning during halloween weekend. http:\/\/blog.sipvicious.org\/2010\/11\/distributed-sip-scanning-during.html Nov 4 2010.  S. Gauci. Distributed sip scanning during halloween weekend. http:\/\/blog.sipvicious.org\/2010\/11\/distributed-sip-scanning-during.html Nov 4 2010."},{"key":"e_1_3_2_2_26_1","unstructured":"S. Gauci. Sipvicious. tools for auditing sip based voip systems. http:\/\/code.google.com\/p\/sipvicious\/ Apr 2012.  S. Gauci. Sipvicious. tools for auditing sip based voip systems. http:\/\/code.google.com\/p\/sipvicious\/ Apr 2012."},{"key":"e_1_3_2_2_27_1","unstructured":"C. W. Group. Conficker working group lessons learned. http:\/\/www.confickerworkinggroup.org\/wiki\/uploads\/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf June 2010.  C. W. Group. Conficker working group lessons learned. http:\/\/www.confickerworkinggroup.org\/wiki\/uploads\/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf June 2010."},{"key":"e_1_3_2_2_28_1","unstructured":"M. W. group. Guidelines for protecting user privacy in wide traffic traces. http:\/\/mawi.wide.ad.jp\/mawi\/guideline.txt Oct 1999.  M. W. group. Guidelines for protecting user privacy in wide traffic traces. http:\/\/mawi.wide.ad.jp\/mawi\/guideline.txt Oct 1999."},{"key":"e_1_3_2_2_29_1","unstructured":"M. W. group. Mawi working group traffic archive. http:\/\/mawi.wide.ad.jp Apr 2012.  M. W. group. Mawi working group traffic archive. http:\/\/mawi.wide.ad.jp Apr 2012."},{"key":"e_1_3_2_2_30_1","first-page":"1041","volume-title":"Privacy, security, risk and trust (passat)","author":"Gruber M.","year":"2011"},{"key":"e_1_3_2_2_31_1","volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08)","author":"Gu G.","year":"2008"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1452520.1452542"},{"key":"e_1_3_2_2_33_1","first-page":"1","volume-title":"Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET'08","author":"Holz T.","year":"2008"},{"key":"e_1_3_2_2_34_1","unstructured":"S. Institute. Dshield.org: Distributed intrusion detection system. http:\/\/www.dshield.org Apr 2012.  S. Institute. Dshield.org: Distributed intrusion detection system. http:\/\/www.dshield.org Apr 2012."},{"key":"e_1_3_2_2_35_1","first-page":"15","volume-title":"Proceedings of the 20th USENIX conference on Security, SEC'11","author":"Kanich C.","year":"2011"},{"key":"e_1_3_2_2_36_1","first-page":"4","volume-title":"Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more, LEET'09","author":"Kreibich C.","year":"2009"},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879156"},{"key":"e_1_3_2_2_38_1","unstructured":"Z.\n       \n      Li A.\n       \n      Goyal and \n      \n      \n      Y.\n       \n      Chen\n      \n  \n  . \n  Honeynet-based botnet scan traffic analysis. In W. Lee C. Wang and D. Dagon editors Botnet Detection volume \n  36\n   of \n  Advances in Information Security pages \n  25\n  --\n  44\n  . \n  Springer 2008\n  .  Z. Li A. Goyal and Y. Chen. Honeynet-based botnet scan traffic analysis. In W. Lee C. Wang and D. Dagon editors Botnet Detection volume 36 of Advances in Information Security pages 25--44. Springer 2008."},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2010.2086445"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1533057.1533062"},{"key":"e_1_3_2_2_41_1","unstructured":"MaxMind. MaxMind GeoLite Country: Open Source IP Address to Country Database. http:\/\/www.maxmind.com\/app\/geolitecountry.  MaxMind. MaxMind GeoLite Country: Open Source IP Address to Country Database. http:\/\/www.maxmind.com\/app\/geolitecountry."},{"key":"e_1_3_2_2_42_1","unstructured":"C. Mullaney. Android.bmaster: A million-dollar mobile botnet. http:\/\/www.symantec.com\/connect\/blogs\/androidbmaster-million-dollar-mobile-botnet February 9 2012.  C. Mullaney. Android.bmaster: A million-dollar mobile botnet. http:\/\/www.symantec.com\/connect\/blogs\/androidbmaster-million-dollar-mobile-botnet February 9 2012."},{"key":"e_1_3_2_2_43_1","unstructured":"R. Munroe. xkcd: Map of the Internet. http:\/\/xkcd.com\/195\/ 2006.  R. Munroe. xkcd: Map of the Internet. http:\/\/xkcd.com\/195\/ 2006."},{"key":"e_1_3_2_2_44_1","unstructured":"M. D. Network. bind function. http:\/\/msdn.microsoft.com\/en-us\/library\/ms737550%28VS.85%29.aspx 2012.  M. D. Network. bind function. http:\/\/msdn.microsoft.com\/en-us\/library\/ms737550%28VS.85%29.aspx 2012."},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/1555349.1555352"},{"key":"e_1_3_2_2_46_1","volume-title":"SRI International","author":"Porras P.","year":"2009"},{"key":"e_1_3_2_2_47_1","unstructured":"A. H. Project. Sip brute force attack originating from amazon ec2 hosts. http:\/\/honeynet.org.au\/?q=sunday_scanner October 25 2010.  A. H. Project. Sip brute force attack originating from amazon ec2 hosts. http:\/\/honeynet.org.au\/?q=sunday_scanner October 25 2010."},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159913.1159947"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"crossref","unstructured":"J. Rosenberg H. Schulzrinne G. Camarillo A. Johnston J. Peterson R. Sparks M. Handley and E. Schooler. SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard) June 2002.   J. Rosenberg H. Schulzrinne G. Camarillo A. Johnston J. Peterson R. Sparks M. Handley and E. Schooler. SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard) June 2002.","DOI":"10.17487\/rfc3261"},{"key":"e_1_3_2_2_50_1","unstructured":"H. Sagan. Space-filling curves. Universitext. New York: Springer-Verlag. xv 193 p. DM 54.00; \u00f6S 421.20; sFr. 54.00 1994.  H. Sagan. Space-filling curves. Universitext. New York: Springer-Verlag. xv 193 p. DM 54.00; \u00f6S 421.20; sFr. 54.00 1994."},{"key":"e_1_3_2_2_51_1","unstructured":"S. Sarat and A. Terzis. Measuring the storm worm network October 2007.  S. Sarat and A. Terzis. Measuring the storm worm network October 2007."},{"key":"e_1_3_2_2_52_1","unstructured":"S. Sheldon. Sip brute force attack originating from amazon ec2 hosts. http:\/\/www.stuartsheldon.org\/blog\/2010\/04\/sip-brute-force-attack-originating-from-amazon-ec2-hosts\/ April 11 2010.  S. Sheldon. Sip brute force attack originating from amazon ec2 hosts. http:\/\/www.stuartsheldon.org\/blog\/2010\/04\/sip-brute-force-attack-originating-from-amazon-ec2-hosts\/ April 11 2010."},{"key":"e_1_3_2_2_53_1","unstructured":"S. Sheldon. Sip brute force attacks escalate over halloween weekend. http:\/\/www.stuartsheldon.org\/blog\/2010\/11\/sip-brute-force-attacks-escalate-over-halloween-weekend\/ Nov 1 2010.  S. Sheldon. Sip brute force attacks escalate over halloween weekend. http:\/\/www.stuartsheldon.org\/blog\/2010\/11\/sip-brute-force-attacks-escalate-over-halloween-weekend\/ Nov 1 2010."},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920285"},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2011.2173486"},{"key":"e_1_3_2_2_56_1","volume-title":"Proceedings of the 31th Annual IEEE Conference on Computer Communications (INFOCOM'12)","author":"Shin S.","year":"2012"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.5555\/647253.720288"},{"key":"e_1_3_2_2_58_1","unstructured":"J. Stewart. Protocols and encryption of the storm botnet. http:\/\/www.blackhat.com\/presentations\/ bh-usa-08\/Stewart\/BH_US_08_Stewart_ Protocols_of_the_Storm.pdf. 2008.  J. Stewart. Protocols and encryption of the storm botnet. http:\/\/www.blackhat.com\/presentations\/ bh-usa-08\/Stewart\/BH_US_08_Stewart_ Protocols_of_the_Storm.pdf. 2008."},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_3_2_2_60_1","unstructured":"University of Oregon. University of Oregon Route Views project. http:\/\/www.routeviews.org.  University of Oregon. University of Oregon Route Views project. http:\/\/www.routeviews.org."},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1402958.1402979"},{"key":"e_1_3_2_2_62_1","volume-title":"Fourth Workshop on Hot Topics in Networks (HotNets IV)","author":"Yegneswaran V.","year":"2005"},{"key":"e_1_3_2_2_63_1","unstructured":"M. Zalewski. p0f v3. http:\/\/lcamtuf.coredump.cx\/p0f3\/ 2012.  M. Zalewski. p0f v3. http:\/\/lcamtuf.coredump.cx\/p0f3\/ 2012."},{"key":"e_1_3_2_2_64_1","unstructured":"L. Zeltser. Targeting VoIP: Increase in SIP Connections on UDP port 5060. http:\/\/isc.sans.edu\/diary.html?storyid=9193 July 2010.  L. Zeltser. Targeting VoIP: Increase in SIP Connections on UDP port 5060. http:\/\/isc.sans.edu\/diary.html?storyid=9193 July 2010."},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948136"}],"event":{"name":"IMC '12: Internet Measurement Conference","location":"Boston Massachusetts USA","acronym":"IMC '12","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication","USENIX Assoc USENIX Assoc"]},"container-title":["Proceedings of the 2012 Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2398776.2398778","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2398776.2398778","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:18:47Z","timestamp":1750234727000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2398776.2398778"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,11,14]]},"references-count":65,"alternative-id":["10.1145\/2398776.2398778","10.1145\/2398776"],"URL":"https:\/\/doi.org\/10.1145\/2398776.2398778","relation":{},"subject":[],"published":{"date-parts":[[2012,11,14]]},"assertion":[{"value":"2012-11-14","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}