How many scans are attacking the Internet?

The 23rd USENIX Security conference (8/20 – 8/22 2014) discussed many subjects.

One paper in particular is “An Internet-Wide View of Internet-Wide Scanning” by Zakir Durumeric (University of Michigan, zakir@umich.edu), Michael Bailey (University of Michigan, mibailey@umich.edu), and J. Alex Halderman (University of Michigan, jhalderm@umich.edu).

So that you do not have to fish the 13 pages out of the 1000-page main document, we have created the internetwidescanning PDF file.

Most interesting is the work on detecting how many scans there were on the Internet in January 2014:

10.8 million scans from 1.76 million hosts

4.5 million (41.7%) scans attributable to the Conficker worm (TCP SYN, port 445)

Only 17,918 scans targeted more than 1% of the address space, of which 614 targeted more than 50% of the address space.

They concluded: “In other words, while there is a relatively small number of large scans (0.28%), nearly 80% of scan traffic is generated by these scans.”

There were 5.4 trillion SYN (NetBIOS TCP/445) probes.

[Figure: scans by port]

All of this information makes it very clear that the people scanning your computers are trying to find specific vulnerabilities within a specific address space.

Whether it is an Internet-wide scan or a localized scan, it is important to realize the amount of activity and to understand that it is only a matter of time before any vulnerability is found.

ZMap is a scanner that maps the whole Internet (and also happens to have been started by the same team of computer scientists as this paper). They can be reached at zmap-team@umich.edu.