{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:51:27Z","timestamp":1763740287329,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","funder":[{"name":"European Commission","award":["Horizon Europe SafeHorizon 101168562 and RECITALS 101168490"],"award-info":[{"award-number":["Horizon Europe SafeHorizon 101168562 and RECITALS 101168490"]}]},{"name":"Dutch Research Council","award":["ADAPTIve"],"award-info":[{"award-number":["ADAPTIve"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,28]]},"DOI":"10.1145\/3730567.3764498","type":"proceedings-article","created":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:22:38Z","timestamp":1763738558000},"page":"928-936","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Have you SYN What I See? Analyzing TCP SYN Payloads in the Wild"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-0631-055X","authenticated-orcid":false,"given":"Dario","family":"Ferrero","sequence":"first","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4804-0311","authenticated-orcid":false,"given":"Enrico","family":"Bassetti","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands and European Space Agency, Noordwijk, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-7990-7802","authenticated-orcid":false,"given":"Harm","family":"Griffioen","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4127-3617","authenticated-orcid":false,"given":"Georgios","family":"Smaragdakis","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Understanding the Mirai Botnet. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Antonakakis Manos","year":"2017","unstructured":"Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai Botnet. In 26th USENIX Security Symposium (USENIX Security 17). 1093-1110. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/antonakakis"},{"key":"e_1_3_2_1_2_1","unstructured":"Jacob Appelbaum. 2012. Technical Analysis of the Ultrasurf Proxying Software. https:\/\/blog.torproject.org\/blog\/ultrasurf-definitive-review"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815702"},{"key":"e_1_3_2_1_4_1","first-page":"3345","volume-title":"Weaponizing Middleboxes for TCP Reflected Amplification. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Bock Kevin","year":"2021","unstructured":"Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin. 2021. Weaponizing Middleboxes for TCP Reflected Amplification. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 3345-3361. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/bock"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363189"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/2838421.2838451"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","unstructured":"Yuchung Cheng Jerry Chu Sivasankar Radhakrishnan and Arvind Jain. 2014. TCP Fast Open. RFC 7413. doi:10.17487\/RFC7413","DOI":"10.17487\/RFC7413"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"Michelle Cotton Lars Eggert Dr. Joseph D. Touch Magnus Westerlund and Stuart Cheshire. 2011. Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry. RFC 6335. doi:10.17487\/RFC6335","DOI":"10.17487\/RFC6335"},{"key":"e_1_3_2_1_9_1","unstructured":"CVE Program. 2025. Common Vulnerabilities and Exposures (CVE). https:\/\/www.cve.org"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2016.2559218"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the ACM SIGCOMM Conference on Internet Measurement.","author":"Dainotti Alberto","unstructured":"Alberto Dainotti, Alistair King, kc Claffy, Ferdinando Papale, and Antonio Pescap`e. 2012. Analysis of a ''\/0'' stealth scan from a botnet. In Proceedings of the ACM SIGCOMM Conference on Internet Measurement."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068818"},{"key":"e_1_3_2_1_13_1","volume-title":"Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS","author":"Paolo Edoardo Di","year":"2023","unstructured":"Edoardo Di Paolo, Enrico Bassetti, and Angelo Spognardi. 2023. A New Model for Testing IPv6 Fragment Handling. In Proceedings of the 28th European Symposium on Research in Computer Security (ESORICS 2023)."},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the Internet Measurement Conference.","author":"Durumeric Zakir","year":"2024","unstructured":"Zakir Durumeric, David Adrian, Phillip Stephens, Eric Wustrow, and J Alex Halderman. 2024. Ten Years of ZMap. In Proceedings of the Internet Measurement Conference."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","unstructured":"Wesley Eddy. 2022. Transmission Control Protocol (TCP). RFC 9293. doi:10.17487\/RFC9293","DOI":"10.17487\/RFC9293"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS47738.2020.9110444"},{"key":"e_1_3_2_1_17_1","volume-title":"Characterizing Ten Years of Internet Scanning. In ACM Internet Measurement Conference","author":"Griffioen Harm","year":"2024","unstructured":"Harm Griffioen, Georgios Koursiounis, Georgios Smaragdakis, and Christian Doerr. 2024. Have you SYN me? Characterizing Ten Years of Internet Scanning. In ACM Internet Measurement Conference. Madrid, Spain."},{"key":"e_1_3_2_1_18_1","first-page":"465","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Harrity Michael","year":"2022","unstructured":"Michael Harrity, Kevin Bock, Frederick Sell, and Dave Levin. 2022. GET \/out: Automated Discovery of Application-Layer Censorship Evasion Strategies. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 465-483. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/harrity"},{"key":"e_1_3_2_1_19_1","first-page":"431","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Hiesgen Raphael","year":"2022","unstructured":"Raphael Hiesgen, Marcin Nawrocki, Alistair King, Alberto Dainotti, Thomas C. Schmidt, and Matthias W\u00e4hlisch. 2022. Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 431-448. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/hiesgen"},{"key":"e_1_3_2_1_20_1","unstructured":"Internet Assigned Numbers Authority. 2025. Transmission Control Protocol (TCP) Parameters. https:\/\/www.iana.org\/assignments\/tcp-parameters\/tcp-parameters.xhtml Accessed on 2025-08-18."},{"key":"e_1_3_2_1_21_1","unstructured":"Julian Kirsch Christian Grothoff Jacob Appelbaum and Holger Kenn. 2015. TCP Stealth. Internet-Draft draft-kirsch-ietf-tcp-stealth-01. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-kirsch-ietf-tcp-stealth\/01\/ Work in Progress."},{"key":"e_1_3_2_1_22_1","volume-title":"Probing the viability of TCP extensions. Google","author":"Langley Adam","year":"2008","unstructured":"Adam Langley. 2008. Probing the viability of TCP extensions. Google, Inc., Tech. Rep (2008)."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098822.3098842"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.23919\/IFIPNetworking.2019.8816853"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-72582-2_32"},{"key":"e_1_3_2_1_26_1","volume-title":"ACM CoNEXT Student Workshop.","author":"Mandalari Anna","year":"2015","unstructured":"Anna Mandalari, Marcelo Bagnulo, and Andra Lutu. 2015. TCP Fast Open: initial measurements. ACM CoNEXT Student Workshop."},{"key":"e_1_3_2_1_27_1","unstructured":"Maxmind GeoLite2. 2025. GeoIP2 and GeoLite City and Country Databases. https:\/\/www.maxmind.com"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1219056"},{"key":"e_1_3_2_1_29_1","first-page":"46","article-title":"The Spread of the Witty Worm","volume":"2","author":"Moore David","year":"2005","unstructured":"David Moore and Colleen Shannon. 2005. The Spread of the Witty Worm. IEEE Security and Privacy, Vol. 2, 4 (2005), 46-50.","journal-title":"IEEE Security and Privacy"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/637201.637244"},{"key":"e_1_3_2_1_31_1","volume-title":"Waiting for QUIC: On the Opportunities of Passive Measurements to Understand QUIC Deployments. arXiv preprint arXiv:2209.00965","author":"M\u00fccke Jonas","year":"2022","unstructured":"Jonas M\u00fccke, Marcin Nawrocki, Raphael Hiesgen, Patrick Sattler, Johannes Zirngibl, Georg Carle, Thomas C Schmidt, and Matthias W\u00e4hlisch. 2022. Waiting for QUIC: On the Opportunities of Passive Measurements to Understand QUIC Deployments. arXiv preprint arXiv:2209.00965 (2022)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00153"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3543507.3583189"},{"key":"e_1_3_2_1_34_1","first-page":"5989","volume-title":"DScope: A Cloud-Native Internet Telescope. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Pauley Eric","year":"2023","unstructured":"Eric Pauley, Paul Barford, and Patrick McDaniel. 2023. DScope: A Cloud-Native Internet Telescope. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 5989-6006. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/pauley"},{"key":"e_1_3_2_1_35_1","volume-title":"The Top Speed of Flash Worms. In ACM Workshop on Rapid Malcode (WORM).","author":"Staniford Stuart","year":"2004","unstructured":"Stuart Staniford, David Moore, Vern Paxson, and Nicholas Weaver. 2004. The Top Speed of Flash Worms. In ACM Workshop on Rapid Malcode (WORM)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3603269.3604875"},{"key":"e_1_3_2_1_37_1","unstructured":"The ZMap Project. 2025. ZGrab 2.0: Fast Go Application Scanner. https:\/\/github.com\/zmap\/zgrab2"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879149"}],"event":{"name":"IMC '25:ACM Internet Measurement Conference","location":"Madison WI USA","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication"]},"container-title":["Proceedings of the 2025 ACM Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3730567.3764498","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:22:45Z","timestamp":1763738565000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3730567.3764498"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,28]]},"references-count":38,"alternative-id":["10.1145\/3730567.3764498","10.1145\/3730567"],"URL":"https:\/\/doi.org\/10.1145\/3730567.3764498","relation":{},"subject":[],"published":{"date-parts":[[2025,10,28]]},"assertion":[{"value":"2025-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}