scanning the Internet
Sat, 21 Aug 1999 19:30:43 -0700
I've searched Security Focus, but can't find the article. This link
<http://www.securityfocus.com/templates/announcement.html?id=17> seems to be
broken. Do you have the article? TIA.
Daniel Kohn <mailto:firstname.lastname@example.org>
+1-425-519-7968 (voice) 602-6223 (fax)
From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Thursday, 1999-08-19 13:02
Subject: scanning the Internet
SecurityFocus just published a paper on the Internet Auditing project
. The authors claim to have scanned 36 million hosts on the Internet for
each of 18 common vulnerabilities (most of which were remote-root
vulnerabilities.) The results: 450,000 vulnerabilities.
They also got one of their machines cracked, apparently in response to
the scan; someone logged in with a stolen ssh key, cracked root,
backdoored the system, falsified the log files, and logged off, in 8
They expressed concern that the 36 million hosts might not be the whole
publicly-reachable Internet; they guessed it was 85%. (They made their
list mostly from DNS.)
Suppose you wanted to find every host that was on the
publicly-reachable Internet. The most likely method is to send some
packet to each one of the valid IP addresses and see if you get a reply.
There are 2^32 addresses; that's 4294967296 addresses. You could
probably elicit a reply from most of them with a spoofed TCP ACK
packet, even many of those behind firewalls; that's 40 bytes per host,
or 171,798,691,840 bytes. On a 14.4kbps uncompressed modem connection,
which is 1440 bytes per second, that's 119,304,647.1 seconds' worth of
transmission. That's almost 1381 days, or 3 years and 285 days.
So ten guys with 14.4 modems could do it in twenty weeks. Guys with
33.6 modems could work twice as fast. One guy with a T1 could do it in
916,260 seconds, or a little more than ten days. Somebody with a
100Mbps Ethernet connection at a NAP or Above.net (which would
effectively be around a 20Mbps connection for such small packets, I
think -- I'll look it up some other time) would need 1073.7 seconds, or
about eighteen minutes. Presumably someone who cracked a machine at
one of these locations would be able to do this and download their
results (a run-length-encoded bitmap would probably be about a byte per
host at worst, so 70 million hosts would be 70 megabytes -- a few
seconds to download) before being noticed.
You might want to do more sophisticated stuff in some cases; if you
really want to audit well, you need to scan all the machines that
occasionally show up on dialups or DHCP. This means you need to
identify dynamic-IP ranges and scan them repeatedly.
This paper made me very paranoid; there are surely guys running around
out there who are smart enough to do such a scan and then do
distributed vulnerability scanning and exploit the results; probably a
few of them are self-righteous enough to believe they should do this.
This makes me wonder: how many of the hosts on the Internet *aren't*
<email@example.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
Thu Aug 19 1999
81 days until the Internet stock bubble bursts on Monday, 1999-11-08.
Unsubscribes to firstname.lastname@example.org; public followups to