SlideShare ist ein Scribd-Unternehmen logo

Fast Internet-Wide Scanning with ZMap in Under 45 Minutes

Sergi Duró
Sergi Duró

ZMap is a tool that allows for fast internet-wide scanning from a single machine. It can scan the entire IPv4 address space in under 45 minutes with 98% coverage. Previous internet-wide scans took much longer. ZMap achieves its speed through an optimized architecture that eliminates per-connection state and transmits probes as fast as possible. This high-speed scanning enables applications like monitoring the HTTPS ecosystem daily and identifying vulnerable devices at scale.

Technologie
1 von 32
Downloaden Sie, um offline zu lesen
ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Fast Internet-Wide Scanning and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan
ZMap: Fast Internet-Wide Scanning and its Security Applications Previous research has shown promise of Internet-wide surveys Internet-Wide Network Studies Mining Ps and Qs: Widespread weak keys in network devices (2012) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) Census and Survey of the Visible Internet (2008)
ZMap: Fast Internet-Wide Scanning and its Security Applications Previous research has shown promise of Internet-wide surveys Internet-Wide Network Studies Mining Ps and Qs: Widespread weak keys in network devices (2012) 25 hours acoss 25 Amazon EC2 Instances (625 CPU-hours) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) 3 months on 3 Linux desktop machines (6500 CPU-hours) Census and Survey of the Visible Internet (2008) 3 months to complete ICMP census (2200 CPU-hours)
ZMap: Fast Internet-Wide Scanning and its Security Applications
ZMap: Fast Internet-Wide Scanning and its Security Applications
ZMap: Fast Internet-Wide Scanning and its Security Applications What if…? What if Internet surveys didn’t require heroic effort? What if we could scan the HTTPS ecosystem every day? What if we wrote a whole-Internet scanner from scratch?
ZMap: Fast Internet-Wide Scanning and its Security Applications Introducing ZMap an open-source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage With Zmap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ zmap –p 443 –o results.txt 34,132,693 listening hosts (took 44m12s) 97% of gigabit Ethernet linespeed
ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Architecture Existing Network Scanners Reduce state by scanning in batches - Time lost due to blocking - Results lost due to timeouts Track individual hosts and retransmit - Most hosts will not respond Avoid flooding through timing - Time lost waiting Utilize existing OS network stack - Not optimized for immense number of connections ZMap Eliminate local per-connection state - Fully asynchronous components - No blocking except for network Shotgun Scanning Approach - Always send n probes per host Scan widely dispersed targets - Send as fast as network allows Probe-optimized Network Stack - Bypass inefficiencies by generating Ethernet frames
ZMap: Fast Internet-Wide Scanning and its Security Applications Addressing Probes 1. Scan hosts according to random permutation 2. Iterate over multiplicative group of integers modulo p How do we randomly scan addresses without excessive state? Negligible State4 6 23 1 5 4  5 mod 7 = 6 6  5 mod 7 = 2 2  5 mod 7 = 3 3  5 mod 7 = 1 1  5 mod 7 = 5 5  5 mod 7 = 4 1. Primitive Root 2. Current Location 3. First Address
ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address receiver port sender port sequence number data ack. number … Ethernet IP TCP
ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address receiver port sender port sequence number data ack. number … Ethernet IP TCP
ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address sender port sequence number data… ack. number receiver port Ethernet IP TCP
ZMap: Fast Internet-Wide Scanning and its Security Applications Packet Transmission and Receipt 1. ZMap framework handles the hard work 2. Probe modules fill in packet details, interpret responses 3. Output modules allow follow-up or further processing How do we make processing probes easy and fast? Probe Generation Configuration, Addressing, and Timing Response Interpretation Packet Tx (raw socket) Packet Rx (libpcap) Output Handler
ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
ZMap: Fast Internet-Wide Scanning and its Security Applications How fast is too fast? Scan Rate No correlation between hit-rate and scan-rate. Slower scanning does not reveal additional hosts.
ZMap: Fast Internet-Wide Scanning and its Security Applications Is one probe packet sufficient? Coverage Scan Coverage 1 Packet: 97.9% 2 Packets: 98.8% 3 Packets: 99.4% We expect an eventual plateau in responsive hosts, regardless of additional probes. Estimated Ground Truth
ZMap: Fast Internet-Wide Scanning and its Security Applications Comparison with Nmap ZMap is capable of scanning more than 1300 times faster than the most aggressive Nmap default configuration (“insane”) Surprisingly, ZMap also finds more results than Nmap Normalized Coverage Duration (mm:ss) Est. Internet Wide Scan Nmap (1 probe) 81.4% 24:12 62.5 days Nmap (2 probes) 97.8% 45:03 116.3 days ZMap (1 probe) 98.7% 00:10 1:09:35 ZMap (2 probes) 100.0% 00:11 2:12:35 Averages for scanning 1 million random hosts
ZMap: Fast Internet-Wide Scanning and its Security Applications Why does ZMap find more hosts than Nmap? Probe Response Times Response Times 250 ms: < 85% 500 ms: 98.2% 1.0 s: 99.0% 8.2 s: 99.9% 500 ms timeout 250 ms timeout Statelessness leads to both higher performance and increased coverage.
ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap SYN Scan libevent2 OpenSSL Custom Processing Visibility into Distributed Systems ZMap enables us to scan the public HTTPS Ecosystem every day Gaining near real-time perspective into the CA ecosystem Completed 110 scans of the HTTPS ecosystem in the last year We collected more than 42 million unique certificates of which 6.9 million were browser trusted. Identified 2 sets of misissued CA certificates.
ZMap: Fast Internet-Wide Scanning and its Security Applications Tracking Protocol Adoption Examining the growth in global HTTPS adoption June 2012–May 2013 10%  HTTPS servers. 23%  Use on Alexa Top-1M sites. 11%  Browser-trusted certificates.
ZMap: Fast Internet-Wide Scanning and its Security Applications Enumerating Vulnerable Hosts HD Moore disclosed vulnerabilities in several common UPnP frameworks in January 2013. Under 6 hours to code and run UPnP discovery scan. Custom probe module, 150 SLOC. We found that 3.34 M of 15.7 M devices were vulnerable. Compromise possible with a single UDP packet! Discovering UPnP Vulnerabilities En Masse
ZMap: Fast Internet-Wide Scanning and its Security Applications Enumerating Unadvertised Tor Bridges Uncovering Hidden Services Scanning has potential to uncover unadvertised services We perform a Tor handshake with public IPv4 addresses on port 9001 and 443 We identified 86% of live allocated bridges with a single scan Tor has developed obfsproxy that listens on random ports to count this type of attack
ZMap: Fast Internet-Wide Scanning and its Security Applications Further ZMap Potential Further Potential Applications Detect Service Disruptions Track Adoption of Defenses Study Criminal Behavior Other Security Implications Anonymous Communication Track users between IP leases Snapshot of HTTPS outages caused by Hurricane Sandy
ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
ZMap: Fast Internet-Wide Scanning and its Security Applications Ethics of Active Scanning Considerations Impossible to request permission from all owners No IP-level equivalent to robots exclusion standard Administrators may believe that they are under attack Reducing Scan Impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all requests to be excluded from future scans
ZMap: Fast Internet-Wide Scanning and its Security Applications User Responses Responses from 145 users Blacklisted 91 entities (3.7 M total addresses) 15 hostile responses 2 cases of retaliatory traffic Over 200 Internet-wide scans over the past year (>1 trillion probes) Entity Type Responses Small Business 41 Home User 38 Corporation 17 Academic Institution 22 Government 15 ISP 2 Unknown 10 Total 145
ZMap: Fast Internet-Wide Scanning and its Security Applications Future Work 10gigE Network Surveys TLS Server Name Indication Scanning Exclusion Standards IPv6 Scanning Methdology? Use ZMap to do great research!
ZMap: Fast Internet-Wide Scanning and its Security Applications Public Release Releasing ZMap as a fully documented open source project Downloaded it now from https://zmap.io Scanning the Internet really is as simple as: Be sure you have adequate bandwidth and be a good Internet neighbor! $ zmap –p 443 –o results.txt
ZMap: Fast Internet-Wide Scanning and its Security Applications Conclusion Living in a unique period IPv4 can be quickly, exhaustively scanned IPv6 has not yet been widely deployed ZMap lowers barriers of entry for Internet-wide surveys Now possible to scan the entire IPv4 address space from one host in under 45 minutes with 98% coverage Explored potential applications Ultimately we hope ZMap enables future research
ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Fast Internet-Wide Scanning and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan https://zmap.io

Empfohlen

NMAP
NMAPNMAP
NMAPPrateekAryan1
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
Cyber crime
Cyber crimeCyber crime
Cyber crimeDeepak Bhojwani
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)shwetha mk
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
N map presentation
N map presentationN map presentation
N map presentationulirraptor
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 

Empfohlen

NMAP
NMAPNMAP
NMAPPrateekAryan1
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Network Mapper (NMAP)
Network Mapper (NMAP)Network Mapper (NMAP)
Network Mapper (NMAP)KHNOG
 
Cyber crime
Cyber crimeCyber crime
Cyber crimeDeepak Bhojwani
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)shwetha mk
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
N map presentation
N map presentationN map presentation
N map presentationulirraptor
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...Jamesadhikaram land matter consultancy 9447464502
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
NMap
NMapNMap
NMapPritesh Raka
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorialVarun Kakumani
 
Nmap commands
Nmap commandsNmap commands
Nmap commandsKailash Kumar
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
 
"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo LogicSumo Logic
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
Packet Sniffing
Packet SniffingPacket Sniffing
Packet Sniffingguestfa1226
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffersKunal Thakur
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basicsamiable_indian
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Anpumathews
 
Zen map
Zen mapZen map
Zen mapharisnaved
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Malware
MalwareMalware
MalwarePiergiorgio Borgogno
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber securityKeshab Nath
 
Zmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationsZmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationslosalamos
 
Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far AlleneMcclendon878
 

Weitere ähnliche Inhalte

Was ist angesagt?

Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...Jamesadhikaram land matter consultancy 9447464502
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo LogicSumo Logic
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Anpumathews
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber securityKeshab Nath
 

Was ist angesagt? (20)

Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
Land Re linquishment (ഭൂമി വിട്ടൊഴിയൽ) പഞ്ചായത്തിന് അധികാരം നൽകിക്കൊണ്ടുള്ള 2...
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
NMap
NMapNMap
NMap
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
 
Packet Sniffing
Packet SniffingPacket Sniffing
Packet Sniffing
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
Nmap Basics
Nmap BasicsNmap Basics
Nmap Basics
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1Introduction to Cyber Forensics Module 1
Introduction to Cyber Forensics Module 1
 
Zen map
Zen mapZen map
Zen map
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Malware
MalwareMalware
Malware
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
 

Ähnlich wie Fast Internet-Wide Scanning with ZMap in Under 45 Minutes

Zmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationsZmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationslosalamos
 
Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far AlleneMcclendon878
 
Internets Manage Communication Procedure and Protection that Crash on Servers
Internets Manage Communication Procedure and Protection that Crash on ServersInternets Manage Communication Procedure and Protection that Crash on Servers
Internets Manage Communication Procedure and Protection that Crash on ServersIRJET Journal
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBLFei Ji Siao
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESIRJET Journal
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
Nmap & Network sniffing
Nmap & Network sniffingNmap & Network sniffing
Nmap & Network sniffingMukul Sahu
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )Kashyap Mandaliya
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
SonicWALL Advanced Features
SonicWALL Advanced FeaturesSonicWALL Advanced Features
SonicWALL Advanced FeaturesDavid Perkins
 
Application-engaged Dynamic Orchestration of Optical Network Resources
Application-engaged Dynamic Orchestration of Optical Network ResourcesApplication-engaged Dynamic Orchestration of Optical Network Resources
Application-engaged Dynamic Orchestration of Optical Network ResourcesTal Lavian Ph.D.
 

Ähnlich wie Fast Internet-Wide Scanning with ZMap in Under 45 Minutes (20)

Zmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applicationsZmap fast internet wide scanning and its security applications
Zmap fast internet wide scanning and its security applications
 
Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far Virtual Labs SniffingConsider what you have learned so far
Virtual Labs SniffingConsider what you have learned so far
 
Contents namp
Contents nampContents namp
Contents namp
 
Contents namp
Contents nampContents namp
Contents namp
 
Internets Manage Communication Procedure and Protection that Crash on Servers
Internets Manage Communication Procedure and Protection that Crash on ServersInternets Manage Communication Procedure and Protection that Crash on Servers
Internets Manage Communication Procedure and Protection that Crash on Servers
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Introduction to NBL
Introduction to NBLIntroduction to NBL
Introduction to NBL
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
A REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURESA REVIEW ON NMAP AND ITS FEATURES
A REVIEW ON NMAP AND ITS FEATURES
 
Pro Viva Emmanuel
Pro Viva EmmanuelPro Viva Emmanuel
Pro Viva Emmanuel
 
Day4
Day4Day4
Day4
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
Nmap & Network sniffing
Nmap & Network sniffingNmap & Network sniffing
Nmap & Network sniffing
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
SonicWALL Advanced Features
SonicWALL Advanced FeaturesSonicWALL Advanced Features
SonicWALL Advanced Features
 
Application-engaged Dynamic Orchestration of Optical Network Resources
Application-engaged Dynamic Orchestration of Optical Network ResourcesApplication-engaged Dynamic Orchestration of Optical Network Resources
Application-engaged Dynamic Orchestration of Optical Network Resources
 

Mehr von Sergi Duró

Asterisk admin-guide
Asterisk admin-guideAsterisk admin-guide
Asterisk admin-guideSergi Duró
 
Asterisk 13-reference
Asterisk 13-referenceAsterisk 13-reference
Asterisk 13-referenceSergi Duró
 
Serverguide 14.04
Serverguide 14.04Serverguide 14.04
Serverguide 14.04Sergi Duró
 
Guía para principiantes sobre optimización para motores de búsqueda
Guía para principiantes sobre optimización para motores de búsquedaGuía para principiantes sobre optimización para motores de búsqueda
Guía para principiantes sobre optimización para motores de búsquedaSergi Duró
 
Flexibilidad con scrum
Flexibilidad con scrumFlexibilidad con scrum
Flexibilidad con scrumSergi Duró
 
Varianza y desviación estándar
Varianza y desviación estándarVarianza y desviación estándar
Varianza y desviación estándarSergi Duró
 
Enrutamiento avanzado y control de tráfico en Linux
Enrutamiento avanzado y control de tráfico en LinuxEnrutamiento avanzado y control de tráfico en Linux
Enrutamiento avanzado y control de tráfico en LinuxSergi Duró
 
Serverguide ubuntu11.10
Serverguide ubuntu11.10Serverguide ubuntu11.10
Serverguide ubuntu11.10Sergi Duró
 
Terminal Services in Windows Server® 2008
Terminal Services in Windows Server® 2008Terminal Services in Windows Server® 2008
Terminal Services in Windows Server® 2008Sergi Duró
 
Infrastructure Planning and Design
Infrastructure Planning and DesignInfrastructure Planning and Design
Infrastructure Planning and DesignSergi Duró
 
Energias renovables 2011 2012
Energias renovables 2011 2012Energias renovables 2011 2012
Energias renovables 2011 2012Sergi Duró
 

Mehr von Sergi Duró (14)

Webapp2 2.2
Webapp2 2.2Webapp2 2.2
Webapp2 2.2
 
Asterisk admin-guide
Asterisk admin-guideAsterisk admin-guide
Asterisk admin-guide
 
Asterisk 13-reference
Asterisk 13-referenceAsterisk 13-reference
Asterisk 13-reference
 
Svn book
Svn bookSvn book
Svn book
 
Serverguide 14.04
Serverguide 14.04Serverguide 14.04
Serverguide 14.04
 
Guía para principiantes sobre optimización para motores de búsqueda
Guía para principiantes sobre optimización para motores de búsquedaGuía para principiantes sobre optimización para motores de búsqueda
Guía para principiantes sobre optimización para motores de búsqueda
 
Flexibilidad con scrum
Flexibilidad con scrumFlexibilidad con scrum
Flexibilidad con scrum
 
Varianza y desviación estándar
Varianza y desviación estándarVarianza y desviación estándar
Varianza y desviación estándar
 
Enrutamiento avanzado y control de tráfico en Linux
Enrutamiento avanzado y control de tráfico en LinuxEnrutamiento avanzado y control de tráfico en Linux
Enrutamiento avanzado y control de tráfico en Linux
 
Serverguide ubuntu11.10
Serverguide ubuntu11.10Serverguide ubuntu11.10
Serverguide ubuntu11.10
 
Terminal Services in Windows Server® 2008
Terminal Services in Windows Server® 2008Terminal Services in Windows Server® 2008
Terminal Services in Windows Server® 2008
 
Infrastructure Planning and Design
Infrastructure Planning and DesignInfrastructure Planning and Design
Infrastructure Planning and Design
 
Howto curses
Howto cursesHowto curses
Howto curses
 
Energias renovables 2011 2012
Energias renovables 2011 2012Energias renovables 2011 2012
Energias renovables 2011 2012
 

Kürzlich hochgeladen

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Kürzlich hochgeladen (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Fast Internet-Wide Scanning with ZMap in Under 45 Minutes

  • 1. ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Fast Internet-Wide Scanning and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan
  • 2. ZMap: Fast Internet-Wide Scanning and its Security Applications Previous research has shown promise of Internet-wide surveys Internet-Wide Network Studies Mining Ps and Qs: Widespread weak keys in network devices (2012) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) Census and Survey of the Visible Internet (2008)
  • 3. ZMap: Fast Internet-Wide Scanning and its Security Applications Previous research has shown promise of Internet-wide surveys Internet-Wide Network Studies Mining Ps and Qs: Widespread weak keys in network devices (2012) 25 hours acoss 25 Amazon EC2 Instances (625 CPU-hours) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) 3 months on 3 Linux desktop machines (6500 CPU-hours) Census and Survey of the Visible Internet (2008) 3 months to complete ICMP census (2200 CPU-hours)
  • 4. ZMap: Fast Internet-Wide Scanning and its Security Applications
  • 5. ZMap: Fast Internet-Wide Scanning and its Security Applications
  • 6. ZMap: Fast Internet-Wide Scanning and its Security Applications What if…? What if Internet surveys didn’t require heroic effort? What if we could scan the HTTPS ecosystem every day? What if we wrote a whole-Internet scanner from scratch?
  • 7. ZMap: Fast Internet-Wide Scanning and its Security Applications Introducing ZMap an open-source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage With Zmap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ zmap –p 443 –o results.txt 34,132,693 listening hosts (took 44m12s) 97% of gigabit Ethernet linespeed
  • 8. ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
  • 9. ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Architecture Existing Network Scanners Reduce state by scanning in batches - Time lost due to blocking - Results lost due to timeouts Track individual hosts and retransmit - Most hosts will not respond Avoid flooding through timing - Time lost waiting Utilize existing OS network stack - Not optimized for immense number of connections ZMap Eliminate local per-connection state - Fully asynchronous components - No blocking except for network Shotgun Scanning Approach - Always send n probes per host Scan widely dispersed targets - Send as fast as network allows Probe-optimized Network Stack - Bypass inefficiencies by generating Ethernet frames
  • 10. ZMap: Fast Internet-Wide Scanning and its Security Applications Addressing Probes 1. Scan hosts according to random permutation 2. Iterate over multiplicative group of integers modulo p How do we randomly scan addresses without excessive state? Negligible State4 6 23 1 5 4  5 mod 7 = 6 6  5 mod 7 = 2 2  5 mod 7 = 3 3  5 mod 7 = 1 1  5 mod 7 = 5 5  5 mod 7 = 4 1. Primitive Root 2. Current Location 3. First Address
  • 11. ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address receiver port sender port sequence number data ack. number … Ethernet IP TCP
  • 12. ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address receiver port sender port sequence number data ack. number … Ethernet IP TCP
  • 13. ZMap: Fast Internet-Wide Scanning and its Security Applications Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver MAC address sender MAC address length data V sender IP address data…IHL receiver IP address sender port sequence number data… ack. number receiver port Ethernet IP TCP
  • 14. ZMap: Fast Internet-Wide Scanning and its Security Applications Packet Transmission and Receipt 1. ZMap framework handles the hard work 2. Probe modules fill in packet details, interpret responses 3. Output modules allow follow-up or further processing How do we make processing probes easy and fast? Probe Generation Configuration, Addressing, and Timing Response Interpretation Packet Tx (raw socket) Packet Rx (libpcap) Output Handler
  • 15. ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
  • 16. ZMap: Fast Internet-Wide Scanning and its Security Applications How fast is too fast? Scan Rate No correlation between hit-rate and scan-rate. Slower scanning does not reveal additional hosts.
  • 17. ZMap: Fast Internet-Wide Scanning and its Security Applications Is one probe packet sufficient? Coverage Scan Coverage 1 Packet: 97.9% 2 Packets: 98.8% 3 Packets: 99.4% We expect an eventual plateau in responsive hosts, regardless of additional probes. Estimated Ground Truth
  • 18. ZMap: Fast Internet-Wide Scanning and its Security Applications Comparison with Nmap ZMap is capable of scanning more than 1300 times faster than the most aggressive Nmap default configuration (“insane”) Surprisingly, ZMap also finds more results than Nmap Normalized Coverage Duration (mm:ss) Est. Internet Wide Scan Nmap (1 probe) 81.4% 24:12 62.5 days Nmap (2 probes) 97.8% 45:03 116.3 days ZMap (1 probe) 98.7% 00:10 1:09:35 ZMap (2 probes) 100.0% 00:11 2:12:35 Averages for scanning 1 million random hosts
  • 19. ZMap: Fast Internet-Wide Scanning and its Security Applications Why does ZMap find more hosts than Nmap? Probe Response Times Response Times 250 ms: < 85% 500 ms: 98.2% 1.0 s: 99.0% 8.2 s: 99.9% 500 ms timeout 250 ms timeout Statelessness leads to both higher performance and increased coverage.
  • 20. ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
  • 21. ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap SYN Scan libevent2 OpenSSL Custom Processing Visibility into Distributed Systems ZMap enables us to scan the public HTTPS Ecosystem every day Gaining near real-time perspective into the CA ecosystem Completed 110 scans of the HTTPS ecosystem in the last year We collected more than 42 million unique certificates of which 6.9 million were browser trusted. Identified 2 sets of misissued CA certificates.
  • 22. ZMap: Fast Internet-Wide Scanning and its Security Applications Tracking Protocol Adoption Examining the growth in global HTTPS adoption June 2012–May 2013 10%  HTTPS servers. 23%  Use on Alexa Top-1M sites. 11%  Browser-trusted certificates.
  • 23. ZMap: Fast Internet-Wide Scanning and its Security Applications Enumerating Vulnerable Hosts HD Moore disclosed vulnerabilities in several common UPnP frameworks in January 2013. Under 6 hours to code and run UPnP discovery scan. Custom probe module, 150 SLOC. We found that 3.34 M of 15.7 M devices were vulnerable. Compromise possible with a single UDP packet! Discovering UPnP Vulnerabilities En Masse
  • 24. ZMap: Fast Internet-Wide Scanning and its Security Applications Enumerating Unadvertised Tor Bridges Uncovering Hidden Services Scanning has potential to uncover unadvertised services We perform a Tor handshake with public IPv4 addresses on port 9001 and 443 We identified 86% of live allocated bridges with a single scan Tor has developed obfsproxy that listens on random ports to count this type of attack
  • 25. ZMap: Fast Internet-Wide Scanning and its Security Applications Further ZMap Potential Further Potential Applications Detect Service Disruptions Track Adoption of Defenses Study Criminal Behavior Other Security Implications Anonymous Communication Track users between IP leases Snapshot of HTTPS outages caused by Hurricane Sandy
  • 26. ZMap: Fast Internet-Wide Scanning and its Security Applications Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship
  • 27. ZMap: Fast Internet-Wide Scanning and its Security Applications Ethics of Active Scanning Considerations Impossible to request permission from all owners No IP-level equivalent to robots exclusion standard Administrators may believe that they are under attack Reducing Scan Impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all requests to be excluded from future scans
  • 28. ZMap: Fast Internet-Wide Scanning and its Security Applications User Responses Responses from 145 users Blacklisted 91 entities (3.7 M total addresses) 15 hostile responses 2 cases of retaliatory traffic Over 200 Internet-wide scans over the past year (>1 trillion probes) Entity Type Responses Small Business 41 Home User 38 Corporation 17 Academic Institution 22 Government 15 ISP 2 Unknown 10 Total 145
  • 29. ZMap: Fast Internet-Wide Scanning and its Security Applications Future Work 10gigE Network Surveys TLS Server Name Indication Scanning Exclusion Standards IPv6 Scanning Methdology? Use ZMap to do great research!
  • 30. ZMap: Fast Internet-Wide Scanning and its Security Applications Public Release Releasing ZMap as a fully documented open source project Downloaded it now from https://zmap.io Scanning the Internet really is as simple as: Be sure you have adequate bandwidth and be a good Internet neighbor! $ zmap –p 443 –o results.txt
  • 31. ZMap: Fast Internet-Wide Scanning and its Security Applications Conclusion Living in a unique period IPv4 can be quickly, exhaustively scanned IPv6 has not yet been widely deployed ZMap lowers barriers of entry for Internet-wide surveys Now possible to scan the entire IPv4 address space from one host in under 45 minutes with 98% coverage Explored potential applications Ultimately we hope ZMap enables future research
  • 32. ZMap: Fast Internet-Wide Scanning and its Security Applications ZMap Fast Internet-Wide Scanning and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan https://zmap.io