
Researchers Release Tool That Can Scan the Entire Internet In Under an Hour

samzenpus posted about 8 months ago | from the scan-me dept.


dstates writes "A team of researchers at the University of Michigan has released ZMap, a tool that allows an ordinary server to scan every address on the Internet in just 45 minutes. This is a task that used to take months, but now is accessible to anyone with a fast internet connection. In their announcement Friday at the Usenix security conference in Washington, they provide interesting examples tracking HTTPS deployment over time and the effects of Hurricane Sandy on Internet infrastructure, but also rapid identification of vulnerable hosts for security exploits. A Washington Post blog discussing the work shows examples of the rate at which computers on the Internet have been patched to fix the Universal Plug and Play, 'Debian weak key' and 'factorable RSA keys' vulnerabilities. Unfortunately, in each case it takes years to deploy patches, and in the case of UPnP devices, they found 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described."


97 comments

But it still can't find my GLASSES (1, Insightful)

For a Free Internet (1594621) | about 8 months ago | (#44606685)

`I am the bacillus! Or not? Slashdort, I salute radishes and other fruits, in knock!

Re:But it still can't find my GLASSES (-1)

Anonymous Coward | about 8 months ago | (#44606865)

Hey I like the photo in the article. Complete with the Asian woman with small (of course) yet somehow saggy tits!

No really they're down to her waist. You know you checked this out and you know I am right.

Re:But it still can't find my GLASSES (1)

HiThere (15173) | about 8 months ago | (#44609375)

As first posts go, that's marvellously creative. Totally unintelligible, but still marvellously creative.

Re:But it still can't find my GLASSES (2)

Motard (1553251) | about 8 months ago | (#44610735)

I think this is the first time I've noticed a post moderated -1, Insightful.

doesn't add up (3, Interesting)

Anonymous Coward | about 8 months ago | (#44606709)

> 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described."

Something doesn't add up here. Is TFS saying that there are only 15 million devices on the internet? I'm pretty sure the number is bigger than that.

Re: doesn't add up (1)

Anonymous Coward | about 8 months ago | (#44606747)

No, it's saying there's 15.7 million devices exposing UPNP, out of which 16.7% are vulnerable.

Re:doesn't add up (2)

fuzzyfuzzyfungus (1223518) | about 8 months ago | (#44606749)

The sentence is a bit ambiguous; but it could be read to mean that there are ~15 million UPnP devices (or even ~15 million UPnP devices that started with the vulnerability for which the patch was available) on the public internet. That would seem slightly more plausible; though the sentence itself isn't very clear.

Re:doesn't add up (5, Informative)

Anonymous Coward | about 8 months ago | (#44606759)

TFS should have just quoted the entire sentence then; from TFA: "Out of 15.7 UPnP devices, they found 2.56 million (16.7 percent) had not yet upgraded."

Re:doesn't add up (1)

Anonymous Coward | about 8 months ago | (#44606915)

Exactly... Christ forbid that people actually read the article before they start to pick apart a bad summary.

But then we are living in a generation that thinks they can really understand complex weather patterns and climatology after watching a two hour (more like 1.4 hours after commercials) TV program that is hosted by someone who doesn't have a hard science degree, Al Gore.

All hail the new age of enlightenment!

Re:doesn't add up (0)

Anonymous Coward | about 8 months ago | (#44607963)

TFS should have just quoted the entire sentence then; from TFA: "Out of 15.7 UPnP devices, they found 2.56 million (16.7 percent) had not yet upgraded."

What does .7 UPnP device look like?

Re:doesn't add up (0)

Anonymous Coward | about 8 months ago | (#44612085)

Make .7!
UPnP yours!

Re:doesn't add up (5, Funny)

Anonymous Coward | about 8 months ago | (#44606763)

That's how they're able to scan it all in just 45 minutes, they are using a much smaller internet. Perhaps this tool uses some kind of temporal protocol that allows it to communicate with the internet of 25 years ago.

Re:doesn't add up (0)

Anonymous Coward | about 8 months ago | (#44609579)

They really should do that as today scanning the whole Internet leads to infinite demands of compensation, punishment and behaviour adjusting prison sentences from every country of the world.

Re:doesn't add up (0)

Bogtha (906264) | about 8 months ago | (#44607207)

I would expect from the context of the rest of the sentence, that it's 15m devices on the Internet with UPnP.

Re:doesn't add up (0)

Anonymous Coward | about 8 months ago | (#44608417)

"Out of 15.7 UPnP devices, they found 2.56 million (16.7 percent) had not yet upgraded."
From TFA

Re:doesn't add up (0)

Anonymous Coward | about 8 months ago | (#44608449)

Even the WP doesn't use any form of proofreading anymore.

"What are you people - on DOPE?" - Mr. Hand (-1)

Anonymous Coward | about 8 months ago | (#44606713)

Uno, dos, one, two, tres, quatro
Matty told Hatty about a thing she saw.
Had two big horns and a wooly jaw.
Wooly bully, wooly bully.
Wooly bully, wooly bully, wooly bully.
Hatty told Matty, "Let's don't take no chance.
Let's not be L-seven, come and learn to dance."
Wooly bully, wooly bully
Wooly bully, wooly bully, wooly bully.
Matty told Hatty, "That's the thing to do.
Get you someone really to pull the wool with you."
Wooly bully, wooly bully.
Wooly bully, wooly bully, wooly bully.

Re:"What are you people - on DOPE?" - Mr. Hand (1)

Anonymous Coward | about 8 months ago | (#44606791)

good lord let this be command and control for something.

Preemptive strike (-1)

Anonymous Coward | about 8 months ago | (#44606753)

With these quiet snow machines they could make a preemptive strike on the US. Where is Sarah Palin to crush this when you need her?

They must mean the IPv4 internet (4, Informative)

mysticalreaper (93971) | about 8 months ago | (#44606761)

Sure, scanning 4 billion addresses in an hour sounds like a lot of data, but conceivable with today's high-speed computers and tech.

But 3.4 x 10^29 billion addresses, as contained in IPv6? Not the same feasibility at all.

Re:They must mean the IPv4 internet (-1)

Anonymous Coward | about 8 months ago | (#44606861)

(Score: -1 Smartass)

The internet is running on IPv4. Name ONE Service (IPv6 Testing Sites do not count) that's not reachable over IPv4, i dare ya.

Re:They must mean the IPv4 internet (1)

cdwiegand (2267) | about 8 months ago | (#44609037)

No one's stupid enough to only run IPv6, but you will find plenty of dual stack servers - like Comcast's email servers (run dig comcast.net MX to see what I mean).

Re:They must mean the IPv4 internet (1)

Anonymous Coward | about 8 months ago | (#44606885)

Actually, no it's not. With 4 billion addresses: (2^32-1)/60/60 = ~1193046.5 addresses per second. Considering there are only 2^16-1 ports on your system. Of which a few 100s or 1000s are taken by internal handles. I don't see how it's possible on any "ordinary server".

Re:They must mean the IPv4 internet (1)

Muad'Dave (255648) | about 8 months ago | (#44606921)

UDP? A single UDP port on my local box can send UDP packets to any host/port on the internet.

Re:They must mean the IPv4 internet (0)

Anonymous Coward | about 8 months ago | (#44607023)

It sure can. But this is designed for surveys. Ports are a limitation now.

Re:They must mean the IPv4 internet (1)

rubycodez (864176) | about 8 months ago | (#44607791)

no they aren't, I can make as many addresses as I want for my machine with certain techniques, and each can have 65K ports

Re:They must mean the IPv4 internet (1)

Dagger2 (1177377) | about 8 months ago | (#44607983)

No, they aren't. You can uniquely identify TCP/IP flows using the combination of source IP/port, destination IP/port and the protocol. In other words, you don't need to create a new local port for each probe; you can just look at the address/port the return packet comes from.

Re:They must mean the IPv4 internet (4, Informative)

Bacon Bits (926911) | about 8 months ago | (#44607903)

I don't think ports are a limitation. As is common with IPv6, I don't think people appreciate the difference in scale.

The header alone for IPv6 is 40 bytes. IPv6 is 2^128 addresses. 40 * 2^128 / 2^80 = 40 * 2^48 = 11,258,999,068,426,240 YiB (Yobibytes). Just for header data. Even if you use some kind of magic multicasting magic to send the packets, you've still got to get that much header data back. At a transfer speed of 1 Yibps (yobibit per second), it would take 2.8 billion years to transfer all those packets. Then you have to store that data. Just storing every possible IPv6 address as a 128 bit number would take at least 4,503,599,627,370,496 YiB.

Nobody has pipes that fat. Nobody has disks that big.

Compare that to IPv4:
The header is 20-24 bytes. IPv4 is 2^32 addresses. 20 * 2^32 / 2^30 = 80 GiB. That's a completely reasonable amount of data to push in 45 minutes or to store on disk.

Re:They must mean the IPv4 internet (1)

CODiNE (27417) | about 8 months ago | (#44609599)

How about if you were scanning for a particular vulnerability and saved only 1 bit per address?

That would be 2^48 / 8 bytes?
2 ^ 48 / 2 = 2 ^ 47
2 ^ 47 / 2 = 2 ^ 46
2 ^ 46 / 2 = 2 ^ 45 = 35TB?

Doable.
(Note I don't know what the / 2 ^ 80 step was all about so this might be waaaaay off)

Re:They must mean the IPv4 internet (0)

Anonymous Coward | about 8 months ago | (#44610907)

and to cut it down even more, the BGP IPv6 table will instruct you which IPv6 networks to scan; maybe less than 0.001% of total unicast address space has been allocated. So by using sparse extents you only need to store 0.001% of 35TB.

Sorry this is AC as /. seems to have forgotten my login cookie.

Re:They must mean the IPv4 internet (1)

bbn (172659) | about 8 months ago | (#44612089)

There are actually 2^128 possible IPv6 addresses. Ok, then you can cut it down by looking at BGP etc as proposed. But consider that the minimum IPv6 network every user gets is a /64 = every user has 2^64 addresses on his home network, just scanning one single user is not feasible. Not to even think of scanning the entire internet.

You can split an IPv6 address into blocks. The first 32 bits tells you what ISP. This is the part where the BGP trick can help. The next 32 bits is the network number. And the remaining 64 bits known as the interface identifier are more or less random assigned by the computers.

You can assume that the user router will respond to the all zero interface identifier. It would therefore be feasible to scan the routers. Every single ISP would take as long as scanning the entire IPv4 internet. But that means they could do it in 45 minutes apparently (longer for bigger ISPs with more /32s). Of course the routers should be configured to ignore anything from outside, but so should the IPv4 routers.

But actually hitting people's computers, printers and so on, even assuming no firewalls, is simply not possible. It is not even the bandwidth of the attacker that limits you, but the bandwidth of the target user. How long would it take to transfer 2^64 packets down the average user's crappy DSL?

On top of that you get privacy extension. This is a system where your computer changes address at random at regular intervals (at least once a day). If you did spend millions of years to do a scan, you would very likely never find a working address because the targets are moving.

Re:They must mean the IPv4 internet (1)

DMUTPeregrine (612791) | about 8 months ago | (#44614669)

Many current home routers assign DHCP as follows:
Router is 192.168.0.1
DHCP devices are .2, .3, etc, assigned sequentially. Some start at 100.

So you can scan the first few addresses, and if you don't get a hit you move on to the next /64. It's simpler to code your DHCP server to assign addresses sequentially than randomly, so it will get done that way to save money.

Re: They must mean the IPv4 internet (2)

bbn (172659) | about 8 months ago | (#44614869)

DHCP is not used on home routers with IPv6. Your devices pick random addresses using privacy extension and duplicate address detection.

Re:They must mean the IPv4 internet (1)

rubycodez (864176) | about 8 months ago | (#44607783)

you aren't thinking fourth dimensionally, Marty.

Suppose, for example, my server had 128 virtual IP addresses on its single interface.....

Re:They must mean the IPv4 internet (0)

Anonymous Coward | about 8 months ago | (#44610595)

simple: ports are per destination-origin pair

straight from the PDF (3, Interesting)

schneidafunk (795759) | about 8 months ago | (#44606935)

"an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage. With ZMap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ zmap -p 443 -o results.txt
34,132,693 listening hosts (took 44m12s)"

Re:straight from the PDF (2)

NatasRevol (731260) | about 8 months ago | (#44607283)

No wonder the NSAs job is so easy.

There's only 34 million https servers in the world!

(not sure what the sarcasm tag is, so yes, this is sarcasm)

Re:straight from the PDF (1)

Raenex (947668) | about 8 months ago | (#44610445)

There's only 34 million https servers in the world!

(not sure what the sarcasm tag is, so yes, this is sarcasm)

That might be about right. How many do you think there are?

Re:They must mean the IPv4 internet (0)

Anonymous Coward | about 8 months ago | (#44607061)

Good thing IPv6 will never be widely deployed then, lol!

I for one welcome our CG-NAT / Great Western Firewall overlords!

Re:They must mean the IPv4 internet (2)

McGruber (1417641) | about 8 months ago | (#44607437)

Yes, they only are scanning the IPv4 internet, per page 7 of the PDF linked to in the slashdot article:

Introducing ZMap, an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage

Uninformed / Inexperienced (2, Interesting)

Anonymous Coward | about 8 months ago | (#44606795)

Pretty sure the problem with UPnP in consumer routers is simply that consumers generally just don't know about the issue. Even if they did know, most will have no idea where to start looking to upgrade their device's firmware (if an update is even available). Most consumers walked into the store and the sales rep told them they could connect to the magic box. The same reason (to this day) that users are running with the default device username/password (admin:admin anyone?) and with the shared key that was preconfigured with the box when they bought it 5 years ago..

Re:Uninformed / Inexperienced (1)

Anonymous Coward | about 8 months ago | (#44607187)

True. I was just looking at the WiFi spectrum at one end of my house yesterday and out of a total of 12 access points (seen at one time; there are more than that with weak enough signals that they appear and disappear from the analyzer), only 4 of them had non-default names. This was the 2.4 GHz spectrum. Two of the people using non-default were also idiots. One was using channel 3, the other was using channel 7. The rest were correctly using channels 1, 6, and 11. (The three non-overlapping channels available in the USA).

Re:Uninformed / Inexperienced (0)

Anonymous Coward | about 8 months ago | (#44610859)

Channel 3 is not necessarily "idiotic". If 1 and 6 are both taken, you get less noise on 3 than you get on 1 or 6. Because the overlapping is partial. If you take 1 or 6, the overlapping will be total. So 3 may be fine.

Of course, the 1,6,11 setup is old fashioned anyway. These days you go for the four non-overlapping 1,5,9,13

"the entire Internet" (1)

Joining Yet Again (2992179) | about 8 months ago | (#44606797)

Oh, do they mean the IPv4 Internet?

tl;dr If you blindly and extremely unneighbourly fire off several packets at every single public IPv4 address in non-sequential order to saturate a fat network pipe, it doesn't take much time to get a lot of shit back.

And of course if you have a not completely crap IDS then anything probing your organisation's entire public space within an hour is going to be detected.

Why are they comparing with nmap? That's not designed for probing the entire Internet.

Re:"the entire Internet" (0)

Anonymous Coward | about 8 months ago | (#44606879)

Yep, but that's the PUBLIC space. Nowadays, it's the PRIVATE stuff people really get keyed up about, like that Snowden fella.

Seriously, the israelis have it set up so they copy EVERYONES PRIVATE SHIT in mere NANOSECONDS, at least according to Robert Maxwell, Sergey Brin, Zuckerburger, and the rest of the criminal "Leked" crack-ho`s.......

Re:"the entire Internet" (0)

Anonymous Coward | about 8 months ago | (#44608089)

When you get near a coherent thought that wasn't made out of a combination sleep deprivation, high-grade stimulants, and racial hatred-fueled paranoia, let us know.

Internet Census 2012 (0)

Anonymous Coward | about 8 months ago | (#44606843)

Wait, so for Internet Census 2013 the researchers won't have to resort to making a botnet out of unsecured Linux boxes to speed up the scanning? Drat, the Carna Botnet was so cool :(

NSA maps (0)

gmuslera (3436) | about 8 months ago | (#44606863)

Probably they run a lot deeper, but a world map with all those vulnerable systems everywhere probably is in the hands of the NSA, any major government intelligence service, and all major hacking groups already. This kind of tool could work as a temperature map for the public to know what kinds of things to avoid that are vulnerable in big numbers (something like the OWASP top ten [owasp.org]), or how vulnerable a region is.

And among the things people must worry about are cameras [slashdot.org] that are accessible from the internet, with present or future vulnerabilities.

Re:NSA maps (0)

Anonymous Coward | about 8 months ago | (#44606963)

Huh? I thought the NSA was really in the employ of the israeli network, I mean, they wired up Capitol Hill and then created the Chinese iphone factory diversion, didn`t they?

Do the math (-1)

Anonymous Coward | about 8 months ago | (#44606923)

Then STFU. Ordinary server? Yeah, right.

Slashdotting the Internet (5, Funny)

Bucc5062 (856482) | about 8 months ago | (#44606925)

I can see it now, a multitude of /.ers downloading, installing then running the program, playing with probe settings to the point where the whole Internet (yes, more than just Web) is brought down by the /. effect

Re:Slashdotting the Internet (2)

JaredOfEuropa (526365) | about 8 months ago | (#44606975)

Still better than how I first read the headline: "Researchers Release Tool That Can Sue the Entire Internet In Under an Hour"

Re:Slashdotting the Internet (0)

Anonymous Coward | about 8 months ago | (#44607173)

Sounds like a a battle royale, with guessed appearances by sum dum ACTA and a sheister called SOPA.
The upload speed and coke being snorted in the police-tech-crimes sector exceeds the downlow bitcoin exchange rate of most ppl sharing some tunes n vids....
and what the fork is "Leked" anyway?

Re:Slashdotting the Internet (0)

Anonymous Coward | about 8 months ago | (#44607383)

You had me at guessed appearances.

Re:Slashdotting the Internet (0)

Anonymous Coward | about 8 months ago | (#44607021)

Except slashdotters will probably just slashdot themselves as ISPs cut their uplink for a (poorly-written-)bot-like storm of port scanning.

Re:Slashdotting the Internet (0)

Anonymous Coward | about 8 months ago | (#44607143)

Or a million strong botnet doing the same?

Re:Slashdotting the Internet (1)

NatasRevol (731260) | about 8 months ago | (#44607301)

It'd be funnier if everyone just scanned slashdot, and slashdotted slashdot.

Re: Slashdotting the Internet (0)

Anonymous Coward | about 8 months ago | (#44607545)

Yo dawg. I heard you like....

Re:Slashdotting the Internet (2)

AYeomans (322504) | about 8 months ago | (#44607635)

Maybe it will, especially if people have high bandwidth connections. But I suspect most people will be on ADSL or cable.

Now the default zmap syn scan uploads 432 bits (54 bytes) per packet: that's 14 bytes of Ethernet frame, 20 bytes of IP and 20 bytes of TCP. Which means the full 2^32 IPv4 address range needs 1.855 Terabits upload. That's 0.51 hours at 1 Gbit/sec, or 5.15 hours at 100 Mbit/sec, or 51.5 hours at 10 Mbit/sec, or 515 hours (21.5 days) at a more common ADSL uplink of 1 Mbit/sec. Remember the A in ADSL is for Asymmetric - uplinks are much slower than downlinks.

(These are not quite right - times could be faster if large parts of the address space are black-listed, also there's no need to transmit all the Ethernet header on the uplink, the actual number of bits depends on connection technology.)
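Added example, not from this thread or from the ZMap project: the uplink and storage arithmetic from this post and from Bacon Bits' IPv4/IPv6 comparison above, written as a small Python calculator so the assumptions are explicit (a 54-byte SYN probe, one fixed-size packet per address, and 1 YiB = 2^80 bytes, which is the "/ 2^80" step CODiNE asked about). The function names and the list of uplink rates are my own.

```python
# Added example (not from the thread or ZMap): per-address cost arithmetic for
# the bandwidth and storage claims made in the discussion.
from math import ceil

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR
SCAN_WINDOW_SECONDS = 45 * 60          # the 45-minute figure in the story


def scan_bits(address_bits, bytes_per_probe):
    """Bits that must leave the uplink to send one fixed-size probe to every
    address in a 2**address_bits space."""
    return (2 ** address_bits) * bytes_per_probe * 8


def hours_at(total_bits, rate_bits_per_second):
    """Wall-clock hours to push total_bits through a link of the given rate."""
    return total_bits / rate_bits_per_second / SECONDS_PER_HOUR


def years_at(total_bits, rate_bits_per_second):
    return total_bits / rate_bits_per_second / SECONDS_PER_YEAR


def probes_per_second(address_bits, window_seconds=SCAN_WINDOW_SECONDS):
    """Packet rate needed to cover the whole space inside the window."""
    return (2 ** address_bits) / window_seconds


def storage_bytes(address_bits, bits_per_address):
    """Bytes needed to record bits_per_address for every address: 1 bit for a
    responded/not-responded bitmap, 128 bits to store each IPv6 address."""
    return ceil((2 ** address_bits) * bits_per_address / 8)


def human(n_bytes):
    """Byte count with binary prefixes up to YiB (1 YiB = 2**80 bytes)."""
    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"]
    value = float(n_bytes)
    for unit in units[:-1]:
        if value < 1024:
            return f"{value:,.2f} {unit}"
        value /= 1024
    return f"{value:,.2f} {units[-1]}"


def uplink_table(address_bits, bytes_per_probe, rates_bps):
    """Hours needed at each uplink rate, as {rate_in_bps: hours}."""
    total = scan_bits(address_bits, bytes_per_probe)
    return {rate: hours_at(total, rate) for rate in rates_bps}


if __name__ == "__main__":
    ipv4_syn = scan_bits(32, 54)            # 14 B Ethernet + 20 B IP + 20 B TCP
    print("IPv4 SYN sweep:", ipv4_syn / 1e12, "Tbit")
    for rate, hours in uplink_table(32, 54, [1e9, 1e8, 1e7, 1e6]).items():
        print(f"  {rate / 1e6:>6.0f} Mbit/s -> {hours:8.2f} h")
    print("packets/s needed for 45 min:", round(probes_per_second(32)))
    print("IPv4 20-byte headers:", human(20 * 2 ** 32))
    print("IPv4 responded bitmap:", human(storage_bytes(32, 1)))
    print("IPv6 40-byte headers:", human(40 * 2 ** 128),
          f"-> {years_at(scan_bits(128, 40), 2 ** 80):.2e} years at 1 Yibit/s")
    print("every IPv6 address stored:", human(storage_bytes(128, 128)))
```

Running it reproduces the 1.855 Tbit, 0.51 h / 515 h, 80 GiB and 2.8 billion year figures quoted in the thread; the responded-bitmap line (512 MiB for IPv4) is the one-bit-per-address idea CODiNE raises, applied to the space that is actually scannable.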

easy (0)

Anonymous Coward | about 8 months ago | (#44606947)

Cray MAE west first and then it's quite easy to scan the whole fucking thing.

DDOS anyone? (0)

Anonymous Coward | about 8 months ago | (#44607001)

If NMAP scan commands are allowed, how soon until someone spoofs the source to DDOS any host they want with responses?

Group theory key to invention. (0)

Anonymous Coward | about 8 months ago | (#44607219)

What makes this possible is the use of group number theory and prime numbers, whereby the program uses a specific algorithm that is guaranteed to visit every IPv4 number once except for 0.0.0.0. This, along with special seeding of various packet fields, allows them to not need to worry about keeping state as there is no need to care about which host you've visited: the special seeds in the header fields tell you that and the maths prevents you from going anywhere twice.

Nice!
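Added example, not from this thread and not ZMap's source: a Python sketch of the cyclic-group walk this post describes, written generically so its "every address once, except 0" property can be checked on a small address space. Arithmetic is in the multiplicative group modulo the first prime above 2^n; for n = 32 that prime is 2^32 + 15 (my own statement, the post does not name the modulus). Function names, the seed handling and the toy 8-bit instance are mine.

```python
# Added example (not from the thread or ZMap): walk an address space as a
# cyclic group so each address is visited exactly once with one integer of state.
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Miller-Rabin with the first twelve prime bases; deterministic for every
    n below 3.3e24, far beyond the 2**32-scale moduli used here."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_above(n):
    p = n + 1
    while not is_prime(p):
        p += 1
    return p


def distinct_prime_factors(n):
    """Trial division; n is about 2**32 here, so the loop stops near 65536."""
    factors, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return factors


def find_generator(p):
    """Smallest primitive root mod p: g generates all of Z_p^* iff
    g**((p-1)/q) != 1 for every prime q dividing p-1."""
    qs = distinct_prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no primitive root (p is not prime?)")


def address_permutation(address_bits, seed=None):
    """Yield every integer in 1 .. 2**address_bits - 1 exactly once, scrambled.

    Multiplying repeatedly by a generator g walks all p-1 elements of the group
    mod p (p = smallest prime above the space) before returning to the start.
    The few elements >= 2**address_bits are not addresses and are skipped, and
    0 (0.0.0.0 for IPv4) is not a group element, so it is never produced."""
    space = 2 ** address_bits
    p = next_prime_above(space)
    g = find_generator(p)
    start = random.Random(seed).randrange(1, p)
    x = start
    while True:
        if x < space:
            yield x
        x = x * g % p
        if x == start:
            return


def to_dotted(x):
    return ".".join(str((x >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_params():
    """(p, g) for the full IPv4 space; p comes out as 2**32 + 15."""
    p = next_prime_above(2 ** 32)
    return p, find_generator(p)


if __name__ == "__main__":
    from itertools import islice
    hits = list(address_permutation(8, seed=1))          # toy 8-bit space
    print(len(hits), "addresses,", len(set(hits)), "distinct; first ten:", hits[:10])
    p, g = ipv4_params()
    print("IPv4 modulus", p, "generator", g)
    print([to_dotted(a) for a in islice(address_permutation(32, seed=1), 5)])
```

The point of the construction, for anyone on the receiving end, is that consecutive probes land on unrelated networks and the scanner carries no per-target state, so an IDS cannot expect to see a /24 swept in order from a single source; it has to correlate across the whole public range, as discussed further down the thread.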

BEWARE (0)

Anonymous Coward | about 8 months ago | (#44607227)

Something is not what it seems. There is no way one computer can conduct such a scan all by itself, even if all the other devices were on and all had unlimited bandwidth. The response time to a simple ping from each device makes it impossible to scan the entire range in that time span.

No, this has to be a distributed network, and by accessing the software, you are probably agreeing to be part of their slave network.

I wouldn't trust it if my life depended on it.

Re:BEWARE (0)

Anonymous Coward | about 8 months ago | (#44607363)

Um, it's open source.

Re:BEWARE (1)

jones_supa (887896) | about 8 months ago | (#44607981)

Something is not what it seems. There is no way one computer can conduct such a scan all by itself, even if all the other devices were on and all had unlimited bandwidth. The response time to a simple ping from each device makes it impossible to scan the entire range in that time span.

No, this has to be a distributed network, and by accessing the software, you are probably agreeing to be part of their slave network.

I wouldn't trust it if my life depended on it.

"Slave network". :D Anyway, it works because you can scan multiple hosts in parallel. You don't have to wait for each one of them to respond (and many of them won't anyway). A simple ping is a small packet and you can fire them out quite fast with a gigabit pipe.

Queue really bad Charter joke. (1)

mitcheli (894743) | about 8 months ago | (#44607265)

You have reached the end of the Internet... But in all honesty, I wonder how long it will take for an iptables rule to come out and auto drop packets seen from the scanner? Since there is some TCP manipulation involved, I sense that it won't be too hard.

Re:Queue really bad Charter joke. (1)

Victor_0x53h (1164907) | about 8 months ago | (#44610453)

I was interested to see what TCP manipulation you were referring to, so I read into the abstract a little. I've never fully dug into the details of how nmap works, but it seems nmap and zmap use nearly identical techniques: sending out packets using a raw socket which bypasses the kernel, then libpcap to capture results. The novelty here is that zmap is written specifically to "scan the internet" while nmap is more of a multi-purpose utility and just isn't as efficient at this particular function. Additionally zmap seems to bypass the kernel even when performing a SYN scan which nmap does not do (there might be an option - I'm not a guru).

So to answer your question, because the abstract specifically mentions zmap uses a SYN scan, these probes can't really be blocked if you're running a legitimate service on the port being probed. If you were to use zmap with some other scan that takes advantage of the protocol (e.g. FIN scan), any iptables firewall is probably already blocking it.

Re:Queue really bad Charter joke. (1)

mitcheli (894743) | about 8 months ago | (#44651427)

That's not exactly true. You might get a single scan or two, but large services who have farms can easily have a firewall that interconnects an array of different IPs. When a syn is left hanging an IPS can easily craft a rule to block further connections from that address. So you'll get a few replies, but you'll miss the rest. Likewise, there are services out there (ISC?) that track such activities and site block abusive IPs based on netflows. If someone employed this scanner, they'll likely hit the radar. But a good question is what happens when a few hundred thousand people hit this, or folks who come off of major proxy servers that are normally whitelisted... Oh yes, much interestingness can develop from this tool...
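Added example, not from this thread: a small Python detector over constructed iptables-style log lines that flags a source sending SYNs to many distinct local addresses inside a short window, which is the horizontal sweep Joining Yet Again says any decent IDS will catch, together with the kind of iptables drop rule mitcheli asks about for a flagged source. The log format, thresholds, addresses and function names are all constructed for this example. As Victor_0x53h notes, a service that listens on a port cannot avoid answering the first SYN; the rule only stops the follow-ups from the same source.

```python
# Added example (not from the thread): flag sources that sweep many local
# addresses within a short window, from iptables-style kernel log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

TS_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)")


def parse_line(line, year=2013):
    """Return (timestamp, src, dst, dport) for a logged TCP SYN, else None.
    Syslog lines carry no year, so one is supplied (constructed here)."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                           "%Y %b %d %H:%M:%S")
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if fields.get("PROTO") != "TCP" or "SYN" not in tokens or "ACK" in tokens:
        return None
    return ts, fields["SRC"], fields["DST"], int(fields["DPT"])


def find_sweeps(lines, window_seconds=60, min_distinct_hosts=20):
    """Sources that SYN to at least min_distinct_hosts distinct local addresses
    inside any window_seconds span.  Returns {src: peak distinct hosts}."""
    recent = defaultdict(deque)          # src -> (ts, dst) in arrival order
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _dport = rec
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                  # drop entries older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_distinct_hosts:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def drop_rule(src):
    """iptables rule a responder could install once a source is flagged."""
    return f"iptables -I INPUT -s {src} -p tcp --syn -j DROP"


def _line(sec, src, dst, spt, dpt):
    return (f"Aug 16 12:00:{sec:02d} fw kernel: IN=eth0 OUT= "
            f"SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt} SYN URGP=0")


# Constructed sample: one source sweeps 30 addresses of a /24 within 30 seconds,
# while an ordinary client repeatedly connects to a single web server.
SAMPLE_LOG = (
    [_line(i, "198.51.100.7", f"203.0.113.{i + 1}", 40000 + i, 443) for i in range(30)]
    + [_line(i * 10, "192.0.2.44", "203.0.113.10", 51000 + i, 443) for i in range(5)]
)

if __name__ == "__main__":
    for src, peak in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct hosts in 60 s ->", drop_rule(src))
```

The window and threshold are the tuning knobs: a whole-Internet sweep at the rates discussed above touches a /24 only a handful of times per minute from the scanned side's point of view, so the threshold has to be set against your own address range size rather than the scanner's speed, and a netflow-based feed of the sort mitcheli mentions will see the aggregate far sooner than any single site does.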

NOPE (0)

Anonymous Coward | about 8 months ago | (#44607403)

Sorry, it does not work. Even if there is unlimited bandwidth for the server AND the targets being scanned, the number of milliseconds it would take to respond will far exceed that time period by nearly two months, and that is if everything responds back in 1 ms

Only a distributed network could do that, and they have indicated it's not.

Maybe they would also like to claim the server runs on cold fusion.

Re:NOPE (2)

Dagger2 (1177377) | about 8 months ago | (#44608043)

You're assuming they wait for one host to respond before starting to probe the next host. That is not a reasonable assumption.

Re:NOPE (0)

Anonymous Coward | about 8 months ago | (#44609775)

You're assuming they wait for one host to respond before starting to probe the next host. That is not a reasonable assumption.

And that is a mild understatement. ;)

In fact, it's such a ludicrous understatement that one may reasonably conclude you've been trolled. (YHL; HAND)

Re:NOPE (1)

Anubis IV (1279820) | about 8 months ago | (#44608691)

You clearly have no idea what you're talking about.

During grad school, I worked on analyzing the data that my research group had collected during what was at the time the largest web crawl in academia (around 4.6B pages; and mind you, this was an actual crawl, rather than a simple scan, so we were pulling down entire pages) that was gathered over the course of about 40 days, and that was all done from a single server (if memory serves, it was a 2.7GHz Xeon with 16GB RAM, so not all that impressive by today's standards). You're assuming synchronous communication with blocking requests. Instead, most tools like this rely on a massively multithreaded architecture with thousands of asynchronous lines of communication open at any given time, none of which are blocking each other most of the time. You don't need a distributed network to do that.

You're right to assume that most requests don't come back in 1ms. In fact, some webmasters had configured their servers in...interesting... ways. Despite abiding by robots.txt and using techniques to avoid slamming servers with requests, we still got angry e-mails from webmasters who saw our user agent in their logs (sometimes even after just a single page load!), and there were even some webmasters that reconfigured their servers to take hours or days to respond once they identified our user agent as a bot, even though we made it clear who we were, what our purpose was, where more information could be found, and how they could simply block us using robots.txt or simply ask us to put them on our blacklist so that we stopped crawling them.

And yet, despite all of those issues (and many more), we still managed to crawl quite a bit just fine. Our biggest bottleneck was bandwidth, honestly, but if you're just scanning rather than crawling, that issue is significantly diminished, since you're grabbing very little.

scanrand tool was 7 years before (5, Informative)

Anonymous Coward | about 8 months ago | (#44607447)

Please look into "scanrand" software. I used it in combination with nmap to scan the entire Internet range in under a few hours, about 7 YEARS ago.

The Paketto Keiretsu is a collection of tools that use new and unusual
strategies for manipulating TCP/IP networks. scanrand is said to be
faster than nmap and more useful in some scenarios.

This package includes:
  * scanrand, a very fast port, host, and network trace scanner
  * minewt, a user space NAT/MAT (MAC Address Translation) gateway
  * linkcat(lc), that provides direct access to the network (Level 2)
  * paratrace, a "traceroute"-like tool using existing TCP connections
  * phentropy, that plots a large data source onto a 3D matrix

Really? Why not just query the NSA directly? (0)

Anonymous Coward | about 8 months ago | (#44607715)

I've been using the following command and it's worked great in the past: mysql -h nsa.gov.org -u nsaadmin -p 'SELECT * FROM internet WHERE port = "23" AND state = "open"'

-- stoops

Re:Really? Why not just query the NSA directly? (1)

dkleinsc (563838) | about 8 months ago | (#44607823)

Why would you limit yourself to ssh, when there's so many useful unpatched exploits for so many other server applications? Among other things, you're missing out on all the easily exploitable Windows ME boxen out there.

Re:Really? Why not just query the NSA directly? (1)

stderr_dk (902007) | about 8 months ago | (#44608185)

Why would you limit yourself to ssh, when there's so many useful unpatched exploits for so many other server applications? Among other things, you're missing out on all the easily exploitable Windows ME boxen out there.

ssh defaults to port 22. Port 23 is usually telnet.

Re:Really? Why not just query the NSA directly? (0)

Anonymous Coward | about 8 months ago | (#44610109)

boxen

Boxes, not boxen...

Re:Really? Why not just query the NSA directly? (0)

Anonymous Coward | about 8 months ago | (#44608259)

I've been using the following command and it's worked great in the past: mysql -h nsa.gov.org -u nsaadmin -p 'SELECT * FROM internet WHERE port = "23" AND state = "open"'

-- stoops

Why would NSA be using a .org name, hosted at Amazon, when they got their own nsa.gov domain and their own hosting centers?

1,400,000 PPS!?? (2)

sl4shd0rk (755837) | about 8 months ago | (#44608063)

A little overly sensational. PC hardware is in no way going to push 1.4M PPS*. I don't know the exact figures but asking a cable/DSL modem to push that many packets seems ludicrous. Good luck "scanning the entire" internet from your PC.

[*] - https://zmap.io/zmap-talk-sec13.pdf [zmap.io]

Re:1,400,000 PPS!?? (0)

Anonymous Coward | about 8 months ago | (#44612757)

especially when you consider that in order to reach the findings in their paper, they're going to need a second scanner-- id est 'identified 86% of tor hidden services' ... and you did this with a half-open/syn-scanner only how? It doesn't maintain state, looks like it potentially just scans random ip's with potential overlaps and can only determine if they got an ACK back if its received during the window. It's potentially legit (sans PC/DSL type limitations as you noted) but, eh, a bit over sensationalized.

That's awesome! (1)

Kleen13 (1006327) | about 8 months ago | (#44608429)

Cause I can't find my Geocities page. It seems to have disappeared and I can't find it anywhere...

Not entire IPv6 space! (1)

Anonymous Coward | about 8 months ago | (#44609079)

Perhaps they can scan the entire IPv4 address space, but certainly not IPv6. IPv6 has more than 7.9×10^28 TIMES as many IP addresses as IPv4.

NAT (1)

nbritton (823086) | about 8 months ago | (#44610243)

I presume this doesn't work with NAT, so the "scan the entire Internet" is a bit misleading. That said, nice job. What would happen if you ran the scanner on a million systems all at once?

You meant to say ... (1)

YoungManKlaus (2773165) | about 8 months ago | (#44611173)

a) ... it can do a port-scan, not a content-scan
b) ... in IPv4 space
c) ... when supplied with unspecified bandwidth

Paketto Keiretsu (0)

Anonymous Coward | about 8 months ago | (#44612377)

It looks like a re-implemented 10-year-old Paketto Keiretsu. Asynchronous SYN probes, using syn cookies to store cryptographic markers and thus eliminating the need to track connections.
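Added example, not from this thread and not code from Paketto or ZMap: how a SYN-cookie-style marker lets a scanner validate replies with no connection table, which is also Dagger2's point further up that each reply already carries the flow's source address and port, so no per-probe local port is needed. The key, the source-port range, the field names and the three sample replies are constructed for the example.

```python
# Added example (not from the thread, Paketto or ZMap): stateless reply
# validation.  The probe's source port and ISN are an HMAC of the target, so
# any reply can be checked by recomputation instead of by table lookup.
import hashlib
import hmac
import struct
from collections import Counter
from ipaddress import IPv4Address

SCAN_KEY = b"constructed-per-run-secret"          # constructed; use a fresh random key per run
SOURCE_PORT_BASE, SOURCE_PORT_COUNT = 32768, 4096   # local source ports the scanner sends from


def probe_fields(target_ip, target_port, key=SCAN_KEY):
    """Source port and initial sequence number for the SYN sent to a target."""
    msg = struct.pack("!4sH", IPv4Address(target_ip).packed, target_port)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    sport = SOURCE_PORT_BASE + int.from_bytes(mac[:2], "big") % SOURCE_PORT_COUNT
    seq = int.from_bytes(mac[2:6], "big")
    return sport, seq


def classify_reply(reply, key=SCAN_KEY):
    """Classify an inbound TCP segment as 'open', 'closed' or 'unsolicited'.

    The responder's address and port identify which probe it answers; the
    recomputed source port and seq+1 in the ACK field prove it really answers
    one of our probes rather than being backscatter or a spoofed packet."""
    sport, seq = probe_fields(reply["src_ip"], reply["src_port"], key)
    if reply["dst_port"] != sport or reply["ack"] != (seq + 1) & 0xFFFFFFFF:
        return "unsolicited"
    if reply["flags"] == "SA":              # SYN/ACK: something is listening
        return "open"
    if reply["flags"] in ("R", "RA"):       # RST: reachable, port closed
        return "closed"
    return "unsolicited"


def _reply(ip, port, flags, key=SCAN_KEY, ack_offset=1):
    """Constructed reply as a target would send it (ACK = our seq + 1)."""
    sport, seq = probe_fields(ip, port, key)
    return {"src_ip": ip, "src_port": port, "dst_port": sport,
            "flags": flags, "ack": (seq + ack_offset) & 0xFFFFFFFF}


# Constructed sample traffic: two genuine answers and one packet that merely
# looks like one (wrong ACK number, e.g. backscatter from someone else's scan).
SAMPLE_REPLIES = [
    _reply("203.0.113.5", 443, "SA"),
    _reply("203.0.113.9", 443, "RA"),
    _reply("203.0.113.77", 443, "SA", ack_offset=0),
]


def tally(replies, key=SCAN_KEY):
    return dict(Counter(classify_reply(r, key) for r in replies))


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r["src_ip"], r["flags"], "->", classify_reply(r))
    print(tally(SAMPLE_REPLIES))
```

The same check is what makes the "spoof the source to DDoS someone with responses" worry raised above a nuisance for the victim rather than a confusion for the scanner: replies that a third party's forged probes provoke do not carry a marker keyed to this run and are discarded as unsolicited.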

So these must be the clowns ... (1)

sk999 (846068) | about 8 months ago | (#44612593)

... who are behind the machines hosted at umich.edu which have been attacking port 443 on my router with bogus requests and clogging my log files with messages like "peer did not return a certificate".

Go away. Just go away.
