This presentation walks through recent research into large-scale internet scanning and some of the highlights to date. The video is also available online at http://www.youtube.com/watch?v=b-uPh99whw4
IAP / BASS: http://www.decuslib.com/decus/vmslt99a/sec/bass.txt • 36.4 million hosts over the course of 20 days • Tested 18 vulnerabilities and confirmed 730 thousand • Over 450,000 hosts found vulnerable
[Port distribution chart (chart residue; values in the order extracted): 2.6 million, TELNET 4 million (?), HTTP 65 million, HTTPS 83 million, SNMP 3.3 million, SIP 3.5 million, UPnP 3.5 million; axis: FTP, SSH, TELNET, HTTP, HTTPS, SNMP, SIP, UPnP] * Shodan has massively expanded coverage since my project was started
• 4GB of RAM can hold 256 states per IPv4 address (one byte for each of the 2^32 addresses) • Only 3.2 billion of the ~4.3 billion addresses are actually used Sending a single packet to everything online • 50,000 pps per cheap server; 24 hours == 4 billion IPs (50,000 × 86,400 ≈ 4.3 billion) • $7 (or less)
• Takes a list of IP addresses from standard input • Takes a packet data file, a port, and a packet rate • Sprays packets into the ether & prints output Happy with limited processing resources • Runs well on 128MB RAM VPS nodes in Russia
…“attackers” list • Over 1,700 abuse complaints to date • Created an opt-out program: http://critical.io/ • 1 of 5 ISPs formally shut me off • Huge thanks to two ISPs – SingleHop.net – Linode.com
“…excessive amount of port snooping coming from your system(s), and I should allow this on your word alone? Since when did you become my big brother? Are you related to Obama? Ironically, since the days you have begun your independent scans we have received a few DDOS attacks using udp_app port 53 traffic..... any correlation?” “Please identify your customer operating from the above address at the time mentioned, and terminate immediately his hacking activities. Please prevent him from continuing his hacking activities in the future as well. Due to the potential severity of this incident, we have reported it to the Computer Emergency Response Team (CERT) in the United States (US) and Denmark.”
• Around 700GB of raw data over four months • Normalized to 330GB of Bzip2 record streams Data is loaded into MongoDB & ElasticSearch • Mongo: state table of the last data seen for every IP:Port • Elastic: every unique record indexed (keyed by the MD5 of the data) • Mongo: every record stored on its own
• Over 550 million unique TCP & UDP service banners • Scanned ALL addresses for UDP services • Random sampling for TCP services Web services are the most commonly found banner • 145 million over ports 80, 8080, and 443
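The storage slide lists three views of the same record stream: a last-state table per IP:Port, an index of unique banners keyed by MD5, and every record kept as its own document. The code below is an added example, not the project's pipeline, that builds all three in memory from a Bzip2-compressed newline-JSON stream; the record fields, the sample records (constructed, not scan data) and the dict layouts are assumptions standing in for the MongoDB and ElasticSearch documents.

```python
"""Three indexes over one banner record stream (added example; field names
and the sample records are assumptions, not data from the scan)."""
import bz2
import hashlib
import json

# Constructed sample records: the same Apache banner on two hosts, one SNMP
# record, and a later rescan of 198.51.100.7:80 that now shows nginx.
SAMPLE_RECORDS = [
    {"ip": "198.51.100.7", "port": 80, "proto": "tcp", "ts": 1340000000,
     "data": "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n"},
    {"ip": "198.51.100.9", "port": 80, "proto": "tcp", "ts": 1340000100,
     "data": "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n"},
    {"ip": "198.51.100.7", "port": 161, "proto": "udp", "ts": 1340000200,
     "data": "sysDescr=Cisco IOS Software, 12.4"},
    {"ip": "198.51.100.7", "port": 80, "proto": "tcp", "ts": 1345000000,
     "data": "HTTP/1.0 200 OK\r\nServer: nginx/1.0.15\r\n"},
]


def write_stream(records):
    """Normalize records to one JSON object per line and Bzip2 the whole stream."""
    text = "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)
    return bz2.compress(text.encode("utf-8"))


def read_stream(blob):
    """Inverse of write_stream; json.dumps escaped any CR/LF inside banners."""
    for line in bz2.decompress(blob).decode("utf-8").splitlines():
        if line.strip():
            yield json.loads(line)


def data_md5(data):
    """Key used to collapse identical banners seen on many hosts."""
    return hashlib.md5(data.encode("utf-8", "surrogateescape")).hexdigest()


def build_indexes(records):
    """Return (state, unique, every):
    state  -- ip:port -> newest record by ts (the Mongo state table)
    unique -- md5(data) -> {md5, data, count, hosts} (the Elastic unique index)
    every  -- every record as its own document, tagged with its md5
    Records may arrive out of order, so the state table compares timestamps
    rather than trusting stream order."""
    state, unique, every = {}, {}, []
    for rec in records:
        key = f"{rec['ip']}:{rec['port']}"
        h = data_md5(rec["data"])
        doc = dict(rec, md5=h)
        every.append(doc)
        if key not in state or rec["ts"] >= state[key]["ts"]:
            state[key] = doc
        u = unique.setdefault(h, {"md5": h, "data": rec["data"], "count": 0, "hosts": set()})
        u["count"] += 1
        u["hosts"].add(key)
    return state, unique, every


if __name__ == "__main__":
    st, un, ev = build_indexes(read_stream(write_stream(SAMPLE_RECORDS)))
    print(len(ev), "records,", len(st), "ip:port states,", len(un), "unique banners")
    for h, u in un.items():
        print(h, u["count"], sorted(u["hosts"]))
```

The unique index is what makes the "550 million unique banners" figure cheap to compute: identical banners cost one document plus a host list, and the per-host detail lives in the state table and the raw record collection instead.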
• Routes, addresses, listening ports • Running processes and services • Installed software and patches • Accounts and group names • DDoS via amplification
SSDP probes • Close to a dozen unique UPnP SDKs represented • Quite a few expose the SOAP service externally • Almost half based on the Intel SDK (1.2)
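The SDK breakdown on the slide comes from the SERVER header of the SSDP replies, and the "SOAP service exposed externally" observation from the LOCATION header, which names where the device description (and thus the control URLs) is served. The code below is an added example, not the scan's own classifier: it builds the M-SEARCH probe, parses a reply, maps the SERVER string to an SDK, and flags a device whose LOCATION advertises the same globally routable address it answered from. The two sample replies are constructed, the SDK patterns cover only a few well-known server strings, and the exposure check is a first-pass heuristic (confirming it means fetching the description and hitting a control URL, which this code does not do).

```python
"""SSDP M-SEARCH probe plus reply parsing and SDK classification.
Added example; sample replies are constructed and the SDK list is partial."""
import ipaddress
import re
from urllib.parse import urlsplit

SSDP_MCAST = ("239.255.255.250", 1900)

# Constructed replies: an Intel SDK 1.2 device advertising its description on
# its public address, and a MiniUPnPd device pointing at a LAN address.
SAMPLE_REPLY_INTEL = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://203.0.113.5:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Intel SDK for UPnP devices /1.2\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-1000-8000-000000000000::upnp:rootdevice\r\n\r\n"
)
SAMPLE_REPLY_MINI = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-1000-8000-000000000001::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: OpenWRT/Attitude_Adjustment UPnP/1.1 MiniUPnPd/1.7\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"
)

SDK_PATTERNS = [
    ("Intel SDK for UPnP devices", re.compile(r"Intel SDK for UPnP devices\s*/\s*([\d.]+)", re.I)),
    ("Portable SDK for UPnP devices", re.compile(r"Portable SDK for UPnP devices\s*/\s*([\d.]+)", re.I)),
    ("MiniUPnPd", re.compile(r"MiniUPnPd/([\d.]+)", re.I)),
    ("Microsoft UPnP Device Host", re.compile(r"UPnP-Device-Host/([\d.]+)", re.I)),
]

# Addresses that cannot be reached from the Internet even if advertised.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def build_msearch(st="ssdp:all", mx=1):
    """The discovery probe; sent to UDP/1900 unicast when scanning hosts directly."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_MCAST[0]}:{SSDP_MCAST[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")


def parse_ssdp_reply(data):
    """Return (status line, {lowercased header: value}); headers are HTTP-style."""
    head = data.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0], headers


def classify_sdk(server):
    """Map a SERVER header to (sdk name, version) or ('unknown', None)."""
    for name, rx in SDK_PATTERNS:
        m = rx.search(server or "")
        if m:
            return name, m.group(1)
    return "unknown", None


def location_is_external(location, responder_ip):
    """Heuristic: the description URL points at the routable address that answered."""
    host = urlsplit(location).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; undecidable from the reply alone
    return host == responder_ip and not any(addr in n for n in _NON_ROUTABLE)


def summarize(reply, responder_ip):
    status, h = parse_ssdp_reply(reply)
    sdk, ver = classify_sdk(h.get("server"))
    return {"ip": responder_ip, "status": status, "server": h.get("server"),
            "sdk": sdk, "sdk_version": ver, "location": h.get("location"),
            "soap_external": location_is_external(h.get("location", ""), responder_ip)}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPLY_INTEL, "203.0.113.5"))
    print(summarize(SAMPLE_REPLY_MINI, "203.0.113.9"))
```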
• Exposes hundreds of different devices • Planes, Mars rovers, VoIP phones • Read, write, execute memory • Over 250,000 found in July of 2010… 200,000 in 2012
• Requires specific versions and architectures • Combined version strings with the OS fingerprint • Around 90,000 servers vulnerable (August 15th 2012) • Instant data loss
identified • Over 50% of these configured with SSH open • Static and exposed SSH private key • Remote root in one SSH attempt • Published June 6th, 2012
…“public” • Over 18,000 of these with “private” • Write access provides full control: – Read and write the running config – Extract passwords – Enable services – Rootkit – Sniff