

Tl;dr: Port scanning the entire IPv4 address space daily for months at a time generates a lot of very juicy data - and more than a few administrative complaints. However, the results of such an exercise are well worth the burden … read more to find out …

While port-scanning a few hosts here and there with nmap can be fun and usually quite easy, the same cannot be said when scanning the entire IPv4 address space. Operations of that scale tend to be much more challenging:

- You need to be fast if you want daily results; things like your bandwidth and choice of scanning tools start becoming essential considerations.
- You have to be as stealthy as possible if you want to avoid (too much) administrative burden, such as having to handle abuse letters.

So what do you actually need to port scan IPv4 continuously?

- Port scanners that are able to scan at wire speed, such as zmap, masscan or sinn. Whereas nmap would take you months to run your scan, these tools are built to cover a lot of ground in comparatively little time.
- A good pipe: if you're sending over a million packets a second, a home connection is not going to cut it - and it's more than likely to cause you trouble :-).
- An understanding ISP or, better still, cutting the middle man out altogether. Getting your own AS would allow you to handle abuse letters directly and avoid unscheduled network cuts.
- A nice, big expanse of storage to save all the captured data (with redundancy if possible).
- An indexing solution to easily retrieve interesting results and stats.
- A good scheduler that is able to handle various scanners (such as the ones mentioned above) as well as the synchronization of the entire process, including but not limited to: sending packets, capturing responses, storing pcaps/data, and indexing payloads.
- A good understanding of Internet routing protocols in order to implement simple tricks to avoid clogging up routers on your traffic's path to its destination. This would include, for instance, using multiple source IPs, randomizing target ranges, etc.

In order to get an idea of what a good pipe is, you must consider that there are about 3.5 billion reachable IP addresses on IPv4. Consequently, speed is tightly related to how much bandwidth you are willing to dedicate to your scanning processes, as well as your tools' ability to fill all the bandwidth at your disposal. The time needed to send a single TCP SYN packet to each of these addresses greatly depends on the available bandwidth, for example:

Once again, tools such as zmap, masscan or sinn are designed with these considerations in mind. Once you're set up with the tools and the bandwidth, you can begin gathering data.

We've been performing port scanning and fingerprinting on different protocols and services for a little over 6 months now. If you've been running an IDS, it's more than likely that you have seen our probes go by. You might even have contacted us through our abuse email regarding those probes. So if you are wondering what all that was for, here is some information:

- NTP and its vulnerabilities (CVE-2001-0414, monlist, readvar, …).

Running those scans daily does generate a lot of data - but it also represents a lot of administrative work:

- Over 180 abuse letters, to which we always responded personally. We also provide each complainant with an opt-out in case our probes represent an issue.
- Currently 266 ranges have been added to our opt-out list (~3M IPs).
- Over 60 terabytes of traffic to store (and growing …).

The most interesting statistics are actually the results of our analysis, for instance:

- Almost 4 million unique NTP servers out there responding to our probes.
- Over 500K misconfigured NTP servers that could be abused through the MONLIST command in order to perform massive DDoS attacks.
- More than 500K NTP servers run a vulnerable version of ntpd. This represents 98% of all servers running ntpd on the Internet … Update, anyone?
- Over 70K devices run the SCADA-related BACnet protocol, of which 51% are located in the US and 24% in China.
- Over 400K devices run the SCADA-related Modbus protocol, of which 67% are located in the US.
- 30 million HTTP servers (that is, unique IPs), with more than 100K geo-located in Switzerland. Of these, the ratio of HTTP Server header values returned is: ~51% Apache, ~31% Akamai and ~13% Nginx.

If those numbers don't mean much to you, here's a simple example based on the use of those NTP servers to perform a massive DDoS.
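The bandwidth argument made earlier in the post (3.5 billion reachable addresses, wire-speed tools, "over a million packets a second") worked out in numbers, as an added example that is not from the original post: the 84-byte per-SYN wire cost, the bandwidth figures tried and the function names are my assumptions.

```python
"""Added example (not from the original post): how long one TCP SYN pass
over IPv4 takes at a given bandwidth. Assumptions, not from the post: a SYN
costs 84 bytes on the wire (64-byte minimum Ethernet frame + 20 bytes
preamble/inter-frame gap), the sweep covers the ~3.5 billion reachable
addresses the post cites, and the scanner can fill the whole link."""
from dataclasses import dataclass

REACHABLE_IPV4 = 3_500_000_000   # figure quoted in the post
SYN_WIRE_BYTES = 84              # assumed per-packet cost on Ethernet
SECONDS_PER_DAY = 86_400

@dataclass(frozen=True)
class SweepEstimate:
    bandwidth_mbps: float
    packets_per_second: float
    seconds: float  # wall-clock time for one full pass

    def human(self) -> str:
        """Render the duration in the largest sensible unit."""
        for unit, size in (("d", SECONDS_PER_DAY), ("h", 3600), ("min", 60)):
            if self.seconds >= size:
                return f"{self.seconds / size:.1f} {unit}"
        return f"{self.seconds:.1f} s"

def packets_per_second(bandwidth_mbps: float, wire_bytes: int = SYN_WIRE_BYTES) -> float:
    """Line-rate packet budget: bits per second divided by bits per packet."""
    return bandwidth_mbps * 1_000_000 / (wire_bytes * 8)

def sweep_time(bandwidth_mbps: float, targets: int = REACHABLE_IPV4) -> SweepEstimate:
    """Time to send exactly one SYN to every target at line rate."""
    pps = packets_per_second(bandwidth_mbps)
    return SweepEstimate(bandwidth_mbps, pps, targets / pps)

def passes_per_day(bandwidth_mbps: float, targets: int = REACHABLE_IPV4) -> float:
    """Full-IPv4 passes (e.g. one per port) that fit in a day: the post's 'daily results' test."""
    return SECONDS_PER_DAY / sweep_time(bandwidth_mbps, targets).seconds

def bandwidth_for_rate(pps: float, wire_bytes: int = SYN_WIRE_BYTES) -> float:
    """Mbit/s needed to sustain a packet rate, e.g. the post's 'over a million packets a second'."""
    return pps * wire_bytes * 8 / 1_000_000

if __name__ == "__main__":
    for mbps in (10, 100, 1_000, 10_000):
        est = sweep_time(mbps)
        print(f"{mbps:>6} Mbit/s: {est.packets_per_second:>12,.0f} pps, one pass in {est.human()},"
              f" {passes_per_day(mbps):.1f} passes/day")
    print(f"1 Mpps needs about {bandwidth_for_rate(1_000_000):.0f} Mbit/s")
```

Under these assumptions a single 1 Gbit/s link covers IPv4 once in about 39 minutes, while a 10 Mbit/s home line needs almost three days, which is why the post treats the pipe and the tool's ability to fill it as the deciding factors.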
