Researchers Release Tool That Can Scan the Entire Internet In Under an Hour

dstates writes "A team of researchers at the University of Michigan has released Zmap, a tool that allows an ordinary server to scan every address on the Internet in just 45 minutes. This is a task that used to take months, but now is accessible to anyone with a fast internet connection. In their announcement Friday , at the Usenix security conference in Washington they provide interesting examples tracking HTTPS deployment over time, the effects of Hurricane Sandy on Internet infrastructure, but also rapid identification of vulnerable hosts for security exploits. A Washington Post Blog discussing the work shows examples of the rate with which of computers on the Internet have been patched to fix Universal Plug and Play, 'Debian weak key' and 'factorable RSA keys' vulnerabilities. Unfortunately, in each case it takes years to deploy patches and in the case of UPnP devices, they found 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described."
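Seen from the receiving end, a sweep of the kind the summary describes is one source sending a single TCP SYN to one port on a very large number of distinct destinations and never completing the handshake. The following is an added example, not code from the thread or from the ZMap project, that flags such high fan-out sources in a simple flow log; the log format, addresses, window size and threshold are all constructed for the example.

```python
"""Flag a single-SYN sweep in flow logs by uncompleted destination fan-out.

Added example, not from the Slashdot thread or from ZMap. The log format
('<ISO timestamp> <src> <dst> <dport> <flags>'), the addresses and the
thresholds are constructed; 'S' marks a bare SYN from the client and 'A'
the client's handshake-completing ACK.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 60     # constructed bucket size
FANOUT_THRESHOLD = 50   # constructed: uncompleted destinations per (src, port, window)


def parse_line(line):
    """Parse one constructed log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, flags = parts
    try:
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        port = int(dport)
    except ValueError:
        return None
    return {"ts": when, "src": src, "dst": dst, "dport": port, "flags": flags}


def find_syn_sweeps(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {(src, dport): fanout} for sources whose bare-SYN fan-out to
    destinations that never completed a handshake reaches the threshold."""
    syns = defaultdict(set)       # (src, dport, bucket) -> destinations sent a bare SYN
    completed = defaultdict(set)  # (src, dport, bucket) -> destinations whose handshake finished
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window
        key = (rec["src"], rec["dport"], bucket)
        if rec["flags"] == "S":
            syns[key].add(rec["dst"])
        elif rec["flags"] == "A":
            completed[key].add(rec["dst"])
    sweeps = {}
    for (src, dport, bucket), targets in syns.items():
        fanout = len(targets - completed[(src, dport, bucket)])
        if fanout >= threshold:
            sweeps[(src, dport)] = max(fanout, sweeps.get((src, dport), 0))
    return sweeps


def constructed_log():
    """Constructed flow log: one sweeping source plus one ordinary client."""
    lines = []
    # Sweep: 60 distinct hosts probed on 443 within one second, no handshake completed.
    for i in range(1, 61):
        lines.append(f"2013-08-16T12:00:00 198.51.100.7 203.0.113.{i} 443 S")
    # Ordinary client: three SYNs, each followed by the completing ACK.
    for i in (10, 11, 12):
        lines.append(f"2013-08-16T12:00:03 203.0.113.9 203.0.113.{i} 443 S")
        lines.append(f"2013-08-16T12:00:03 203.0.113.9 203.0.113.{i} 443 A")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for (src, port), fanout in find_syn_sweeps(constructed_log()).items():
        print(f"possible sweep from {src} on port {port}: {fanout} uncompleted SYN targets")
```

Counting only destinations that never completed a handshake keeps a busy legitimate client (many connections, all completed) from tripping the rule, while a scanner that sends one SYN per address stands out even with a modest threshold.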

  1. doesn't add up by Anonymous Coward · Score: 3, Interesting

    > 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described.

    Something doesn't add up here. Is TFS saying that there are only 15 million devices on the internet? I'm pretty sure the number is bigger than that.

    1. Re:doesn't add up by click2005 · Score: 2

      I'd assume they meant 16.7% of UPnP devices but even then the number seems low.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
    2. Re:doesn't add up by fuzzyfuzzyfungus · Score: 2

      The sentence is a bit ambiguous; but it could be read to mean that there are ~15 million UPnP devices (or even ~15 million UPnP devices that started with the vulnerability for which the patch was available) on the public internet. That would seem slightly more plausible; though the sentence itself isn't very clear.

    3. Re:doesn't add up by Anonymous Coward · Score: 5, Informative

      TFS should have just quoted the entire sentence then; from TFA: "Out of 15.7 UPnP devices, they found 2.56 million (16.7 percent) had not yet upgraded."

    4. Re:doesn't add up by Anonymous Coward · Score: 5, Funny

      That's how they're able to scan it all in just 45 minutes, they are using a much smaller internet. Perhaps this tool uses some kind of temporal protocol that allows it to communicate with the internet of 25 years ago.

  2. They must mean the IPv4 internet by mysticalreaper · Score: 4, Informative

    Sure, scanning 4 billion addresses in an hour sounds like a lot of data, but conceivable with today's high-speed computers and tech.

    But 3.4 x 10^29 billion addresses, as contained in IPv6? Not the same feasibility at all.

    1. Re:They must mean the IPv4 internet by Dagger2 · Score: 3, Informative
    2. Re:They must mean the IPv4 internet by McGruber · Score: 2

      Yes, they are only scanning the IPv4 internet, per page 7 of the PDF linked to in the slashdot article:

      Introducing ZMap, an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage

    3. Re:They must mean the IPv4 internet by Bacon+Bits · Score: 4, Informative

      I don't think ports are a limitation. As is common with IPv6, I don't think people appreciate the difference in scale.

      The header alone for IPv6 is 40 bytes. IPv6 is 2^128 addresses. 40 * 2^128 / 2^80 = 40 * 2^48 = 11,258,999,068,426,240 YiB (Yobibytes). Just for header data. Even if you use some kind of magic multicasting magic to send the packets, you've still got to get that much header data back. At a transfer speed of 1 Yibps (yobibit per second), it would take 2.8 billion years to transfer all those packets. Then you have to store that data. Just storing every possible IPv6 address as a 128 bit number would take at least 4,503,599,627,370,496 YiB.

      Nobody has pipes that fat. Nobody has disks that big.

      Compare that to IPv4:
      The header is 20-24 bytes. IPv4 is 2^32 addresses. 20 * 2^32 / 2^30 = 80 GiB. That's a completely reasonable amount of data to push in 45 minutes or to store on disk.

      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re: They must mean the IPv4 internet by bbn · Score: 2

      DHCP is not used on home routers with IPv6. Your devices pick random addresses using privacy extensions and duplicate address detection.

  3. Uninformed / Inexperienced by Anonymous Coward · Score: 2, Interesting

    Pretty sure the problem with UPnP in consumer routers is simply that consumers generally just don't know about the issue. Even if they did know, most will have no idea where to start looking to upgrade their device's firmware (if an update is even available). Most consumers walked into the store and the sales rep told them they could connect to the magic box. The same reason (to this day) that users are running with the default device username/password (admin:admin anyone?) and with the shared key that was preconfigured with the box when they bought it 5 years ago.

  4. Slashdotting the Internet by Bucc5062 · Score: 5, Funny

    I can see it now, a multitude of /.ers downloading, installing then running the program, playing with probe settings to the point where the whole Internet (yes, more than just Web) is brought down by the /. effect

    --
    Life is a great ride, the vehicle doesn't matter
    1. Re:Slashdotting the Internet by JaredOfEuropa · Score: 2

      Still better than how I first read the headline: "Researchers Release Tool That Can Sue the Entire Internet In Under an Hour"

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Slashdotting the Internet by Nerdfest · Score: 2

      Well, it is time for a new Apple product cycle.

    3. Re:Slashdotting the Internet by AYeomans · Score: 2

      Maybe it will, especially if people have high bandwidth connections. But I suspect most people will be on ADSL or cable.

      Now the default zmap syn scan uploads 432 bits (54 bytes) per packet, that's 14 bytes Ethernet frame, 20 bytes IP and 20 bytes TCP. Which means the full 2^32 IPv4 address range needs 1.855 Terabits upload. That's 0.51 hours at 1 Gbit/sec, or 5.15 hours at 100 Mbit/sec, or 51.5 hours at 10 Mbit/sec, or 515 hours (21.5 days) at a more common ADSL uplink of 1 Mbit/sec. Remember the A in ADSL is for Asymmetric - uplinks are much slower than downlinks.

      (These are not quite right - times could be faster if large parts of the address space are black-listed, also there's no need to transmit all the Ethernet header on the uplink, the actual number of bits depends on connection technology.)

      --
      Andrew Yeomans
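The upload arithmetic in the comment above generalises neatly. The following is an added example, not code from the thread or from ZMap, that computes the per-probe size from the frame layout the commenter gives (14-byte Ethernet, 20-byte IP, 20-byte TCP), scales it to the 2^32 IPv4 space, and turns the commenter's two caveats into parameters: the fraction of the address space that is excluded, and whether the Ethernet header counts against the uplink. The table of link speeds is constructed.

```python
"""Upload budget for a one-SYN-per-address IPv4 sweep at various uplink rates.

Added example, not from the Slashdot thread or from ZMap. Header sizes
follow the comment above; the uplink table below is constructed.
"""
ETHERNET_HEADER_BYTES = 14
IP_HEADER_BYTES = 20
TCP_HEADER_BYTES = 20
IPV4_ADDRESSES = 2 ** 32


def probe_bits(count_ethernet=True):
    """Bits sent per SYN probe; the Ethernet header may not apply on every uplink."""
    nbytes = IP_HEADER_BYTES + TCP_HEADER_BYTES
    if count_ethernet:
        nbytes += ETHERNET_HEADER_BYTES
    return nbytes * 8


def sweep_upload_bits(excluded_fraction=0.0, count_ethernet=True):
    """Total bits to probe every non-excluded IPv4 address exactly once."""
    if not 0.0 <= excluded_fraction < 1.0:
        raise ValueError("excluded_fraction must be in [0, 1)")
    return probe_bits(count_ethernet) * IPV4_ADDRESSES * (1.0 - excluded_fraction)


def sweep_hours(uplink_bps, excluded_fraction=0.0, count_ethernet=True):
    """Hours the upload alone occupies a link of uplink_bps; replies are ignored."""
    return sweep_upload_bits(excluded_fraction, count_ethernet) / uplink_bps / 3600.0


# Constructed table of uplink speeds in bits per second.
UPLINKS = {
    "1 Gbit/s": 1e9,
    "100 Mbit/s": 1e8,
    "10 Mbit/s": 1e7,
    "1 Mbit/s ADSL uplink": 1e6,
}

if __name__ == "__main__":
    for name, bps in UPLINKS.items():
        h = sweep_hours(bps)
        print(f"{name:>22}: {h:9.2f} h ({h / 24:6.2f} days), full space, Ethernet header counted")
    for name, bps in UPLINKS.items():
        h = sweep_hours(bps, excluded_fraction=0.25, count_ethernet=False)
        print(f"{name:>22}: {h:9.2f} h with 25% of the space excluded, no Ethernet header")
```

With the defaults the numbers reproduce the comment's figures (432 bits per probe, about 0.52 hours at 1 Gbit/s and about 21.5 days at 1 Mbit/s); the second loop shows how much the two caveats change them.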
  5. straight from the PDF by schneidafunk · Score: 3, Interesting

    "an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage. With ZMap, an Internet-wide TCP SYN scan on port 443 is as easy as:
    $ zmap -p 443 -o results.txt
    34,132,693 listening hosts (took 44m12s)"

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:straight from the PDF by NatasRevol · Score: 2

      No wonder the NSA's job is so easy.

      There are only 34 million https servers in the world!

      (not sure what the sarcasm tag is, so yes, this is sarcasm)

      --
      There are two types of people in the world: Those who crave closure
  6. scanrand tool was 7 years before by Anonymous Coward · Score: 5, Informative

    Please look into the "scanrand" software. I used it in combination with nmap to scan the entire Internet range in under a few hours, about 7 YEARS ago.

      The Paketto Keiretsu is a collection of tools that use new and unusual
      strategies for manipulating TCP/IP networks. scanrand is said to be
      faster than nmap and more useful in some scenarios.

      This package includes:
        * scanrand, a very fast port, host, and network trace scanner
        * minewt, a user space NAT/MAT (MAC Address Translation) gateway
        * linkcat(lc), that provides direct access to the network (Level 2)
        * paratrace, a "traceroute"-like tool using existing TCP connections
        * phentropy, that plots a large data source onto a 3D matrix

    1. Re:scanrand tool was 7 years before by kermidge · Score: 3, Informative

      re scanrand
      http://www.vulnerabilityassessment.co.uk/scanrand.htm good article, didn't see a date, discusses installation and necessary changes for Fedora Core 1.

      Dan Kaminsky's site for Paketto, which includes scanrand; version 1.1 from 2002 has some tools which look interesting
      http://dankaminsky.com/?s=paketto

  7. Re:NOPE by Ultra64 · Score: 2

    People who say it can't be done should not interrupt those who are doing it.

  8. Re:NOPE by Dagger2 · Score: 2

    You're assuming they wait for one host to respond before starting to probe the next host. That is not a reasonable assumption.

  9. 1,400,000 PPS!?? by sl4shd0rk · Score: 2

    A little overly sensational. PC hardware is in no way going to push 1.4M PPS*. I don't know the exact figures, but asking a cable/DSL modem to push that many packets seems ludicrous. Good luck "scanning the entire" internet from your PC.

    [*] - https://zmap.io/zmap-talk-sec13.pdf

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  10. Re:But it still can't find my GLASSES by Motard · Score: 2

    I think this is the first time I've noticed a post moderated -1, Insightful.