scanning the Internet

Dan Kohn dan@teledesic.com
Sat, 21 Aug 1999 19:30:43 -0700


I've searched Security Focus, but can't find the article.  This link
<http://www.securityfocus.com/templates/announcement.html?id=17> seems to be
broken.  Do you have the article?  TIA.

		- dan
--
Daniel Kohn <mailto:dan@dankohn.com>
+1-425-519-7968 (voice)   602-6223 (fax)
http://www.dankohn.com


-----Original Message-----
From: kragen@pobox.com [mailto:kragen@pobox.com]
Sent: Thursday, 1999-08-19 13:02
To: kragen-tol@kragen.dnaco.net
Subject: scanning the Internet


SecurityFocus just published a paper on the Internet Auditing project at
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=94.
The authors claim to have scanned 36 million hosts on the Internet for
each of 18 common vulnerabilities (most of which were remote-root
vulnerabilities).  The results: 450,000 vulnerabilities.

They also got one of their machines cracked, apparently in response to
the scan; someone logged in with a stolen ssh key, cracked root,
backdoored the system, falsified the log files, and logged off, in 8
seconds.

They expressed concern that the 36 million hosts might not be the whole
publicly-reachable Internet; they guessed it was 85%.  (They made their
list mostly from DNS.)

Suppose you wanted to find every host that was on the
publicly-reachable Internet.  The most likely method is to send some
packet to each one of the valid IP addresses and see if you get a reply.

There are 2^32 addresses; that's 4294967296 addresses.  You could
probably elicit a reply from most of them with a spoofed TCP ACK
packet, even many of those behind firewalls; that's 40 bytes per host,
or 171,798,691,840 bytes.  On a 14.4kbps uncompressed modem connection,
which is 1440 bytes per second, that's 119,304,647.1 seconds' worth of
transmission.  That's almost 1381 days, or 3 years and 285 days.

So ten guys with 14.4 modems could do it in twenty weeks.  Guys with
33.6 modems could work twice as fast.  One guy with a T1 could do it in
916,260 seconds, or a little more than ten days.  Somebody with a
100Mbps Ethernet connection at a NAP or Above.net (which would
effectively be around a 20Mbps connection for such small packets, I
think -- I'll look it up some other time) would need 1073.7 seconds, or
about eighteen minutes.  Presumably someone who cracked a machine at
one of these locations would be able to do this and download their
results (a run-length-encoded bitmap would probably be about a byte per
host at worst, so 70 million hosts would be 70 megabytes -- a few
seconds to download) before being noticed.

You might want to do more sophisticated stuff in some cases; if you
really want to audit well, you need to scan all the machines that
occasionally show up on dialups or DHCP.  This means you need to
identify dynamic-IP ranges and scan them repeatedly.

This paper made me very paranoid; there are surely guys running around
out there who are smart enough to do such a scan and then do
distributed vulnerability scanning and exploit the results; probably a
few of them are self-righteous enough to believe they should do this.

This makes me wonder: how many of the hosts on the Internet *aren't*
compromised?

-- 
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Thu Aug 19 1999
81 days until the Internet stock bubble bursts on Monday, 1999-11-08.
<URL:http://www.pobox.com/~kragen/bubble.html>
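A worked version of the two estimates in Kragen's message (the bandwidth arithmetic for one probe per IPv4 address, and the run-length-encoded bitmap for storing which addresses answered), added here for readers of the archive; it is not code from either message or from the Internet Auditing paper. It reuses the figures the post states (2^32 addresses, 40 bytes per probe, 1440 bytes/s for a 14.4 kbps modem); the other link rates, the varint framing of the run lengths, and the sample /20 bitmap are constructed for illustration. From a defender's side the first half is the exposure-window estimate (how little link capacity a full sweep needs, so how little time you have between a sweep and its follow-up), and the second half shows why the result set is trivially small to carry off, which is the point the post makes about noticing such activity late.

```python
"""Added example, not from Kragen's post or the Internet Auditing paper:
size a one-probe-per-address sweep of the IPv4 space and store the
reachability result as a run-length-encoded bitmap.  The constants
reuse the post's figures (2^32 addresses, 40 bytes per probe,
1440 B/s for a 14.4 kbps modem); the other link rates are constructed."""

ADDRESS_SPACE = 2 ** 32   # every IPv4 address, as in the post
PROBE_BYTES = 40          # bytes per probe packet, as in the post

# Link rates in bytes per second.  1440 B/s is the post's modem figure
# (10 line bits per byte); the rest are constructed from nominal bit rates.
LINK_RATES = {
    "14.4 kbps modem": 1440,
    "33.6 kbps modem": 3360,
    "T1 (1.5 Mbps)": 1_500_000 // 8,
}


def sweep_bytes(addresses=ADDRESS_SPACE, probe_bytes=PROBE_BYTES):
    """Total bytes sent if every address receives exactly one probe."""
    return addresses * probe_bytes


def sweep_seconds(rate_bytes_per_sec, addresses=ADDRESS_SPACE, probe_bytes=PROBE_BYTES):
    """Wall-clock seconds to push the whole sweep through one link."""
    return sweep_bytes(addresses, probe_bytes) / rate_bytes_per_sec


def sweep_table(rates=LINK_RATES):
    """Seconds per link, rounded to a tenth, for a quick exposure estimate."""
    return {name: round(sweep_seconds(rate), 1) for name, rate in rates.items()}


def rle_encode(bits):
    """Turn a 0/1 sequence into alternating run lengths, starting with a
    (possibly empty) run of zeros so the decoder needs no extra flag."""
    runs = []
    current, length = 0, 0
    for b in bits:
        if b == current:
            length += 1
        else:
            runs.append(length)
            current, length = b, 1
    runs.append(length)
    return runs


def rle_decode(runs):
    """Inverse of rle_encode: expand alternating run lengths back to bits."""
    bits, value = [], 0
    for n in runs:
        bits.extend([value] * n)
        value ^= 1
    return bits


def varint(n):
    """LEB128-style unsigned varint: 7 payload bits per byte, high bit = more."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n == 0:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def rle_size(bits):
    """Bytes needed to store the bitmap as varint-coded run lengths.
    Worst case (alternating bits) is one byte per address; a sparse
    bitmap, which is the realistic case, is far smaller."""
    return sum(len(varint(r)) for r in rle_encode(bits))


if __name__ == "__main__":
    for name, secs in sweep_table().items():
        print(f"{name:16s} {secs:>14,.1f} s  ({secs / 86400:,.1f} days)")
    # Constructed sample: a /20 (4096 addresses) with three responding hosts.
    sample = [0] * 4096
    for host in (17, 18, 3000):
        sample[host] = 1
    print("raw bitmap bytes:", len(sample) // 8, " rle bytes:", rle_size(sample))
```

The modem and T1 rows reproduce the post's 119,304,647.1 s and roughly 916,260 s figures; the sample /20 compresses from 512 raw bitmap bytes to 7 bytes of run lengths, which is why the post treats the result file as a few seconds of download.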


-- 
Unsubscribes to kragen-tol-unsubscribe@kragen.dnaco.net; public followups to
kragen-discuss@kragen.dnaco.net.