technology users due to product flaws • Image galleries of open industrial systems • Snapshots of baby monitor cameras • Shaming product vendors • ShellHeartPoodleBleed • Pew Pew Attack Maps
real-world data • Fix endemic security flaws before they get exploited • Prioritize vulnerability research according to impact • Improve open source security tools • Hold vendors accountable • Make the Internet safer • The kids are doing it
scans as attacks • Scanning the internet is resource-intensive • Lots of complaints (legal & physical) • IP addresses constantly shuffle • Processing can be difficult • Skip all of this and use publicly available data!
and public DNS records • 1.0.0.0 to 223.255.255.255 • Exclude reserved & private ranges • Exclude our opt-out list • Scan about 3.7 billion IPv4 addresses • Scans run sequentially, from a single server • Typically span Monday - Friday * Unless you opted out, see https://sonar.labs.rapid7.com/
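The target-space construction on this slide (all of 1.0.0.0 to 223.255.255.255 minus reserved, private and opt-out blocks) is easy to get subtly wrong when the opt-out list grows. The following is an added example, not Sonar's own code: it builds the scan list with the standard library's ipaddress module. The reserved ranges listed are an assumption taken from the IANA special-purpose address registry (the slide does not enumerate which blocks are removed), and the opt-out block in the usage call is hypothetical.

```python
import ipaddress
from typing import Iterable, List

# Base range from the slide: 1.0.0.0 through 223.255.255.255.
BASE_FIRST = ipaddress.IPv4Address("1.0.0.0")
BASE_LAST = ipaddress.IPv4Address("223.255.255.255")

# Reserved and private blocks removed from the target set. Assumed list,
# drawn from the IANA special-purpose registry; the slide does not say
# exactly which blocks Sonar excludes.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",        # RFC 1918 private
    "100.64.0.0/10",     # RFC 6598 carrier-grade NAT
    "127.0.0.0/8",       # loopback
    "169.254.0.0/16",    # link-local
    "172.16.0.0/12",     # RFC 1918 private
    "192.0.0.0/24",      # IETF protocol assignments
    "192.0.2.0/24",      # TEST-NET-1
    "192.168.0.0/16",    # RFC 1918 private
    "198.18.0.0/15",     # benchmarking
    "198.51.100.0/24",   # TEST-NET-2
    "203.0.113.0/24",    # TEST-NET-3
)]


def _exclude(nets: List[ipaddress.IPv4Network],
             ex: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Remove one CIDR block from a list of disjoint CIDR blocks."""
    out = []
    for net in nets:
        if net.subnet_of(ex):        # swallowed entirely by the exclusion
            continue
        if ex.subnet_of(net):        # carve the exclusion out of this block
            out.extend(net.address_exclude(ex))
        else:                        # disjoint: keep as-is
            out.append(net)
    return out


def scan_targets(opt_out: Iterable[str] = ()) -> List[ipaddress.IPv4Network]:
    """CIDR blocks to scan after removing reserved space and opt-out blocks."""
    targets = list(ipaddress.summarize_address_range(BASE_FIRST, BASE_LAST))
    for ex in RESERVED + [ipaddress.ip_network(n) for n in opt_out]:
        targets = _exclude(targets, ex)
    return list(ipaddress.collapse_addresses(targets))


def target_count(targets: Iterable[ipaddress.IPv4Network]) -> int:
    return sum(n.num_addresses for n in targets)


def is_target(targets: Iterable[ipaddress.IPv4Network], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in targets)


if __name__ == "__main__":
    # "5.6.7.0/24" is a hypothetical opt-out block, not a real request.
    nets = scan_targets(opt_out=["5.6.7.0/24"])
    print(len(nets), "blocks,", target_count(nets), "addresses")
    for n in nets:
        print(n)
```

With the assumed exclusion list the result is 3,702,258,688 addresses, which is the "about 3.7 billion" the slide quotes; the printed block list is the form a scanner such as zmap or masscan would consume.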
of IPv4, except for opt-out ranges • UDP scans are throttled to 180,000 pps on average • TCP scans only send the SYN packet • AWS nodes used to grab banners • Data is deduplicated & decoded • Uploaded to https://scans.io/
giant list of hostnames • Pulled from TLD/gTLD zone files • Extracted from SSL certificates (SAN/CN) • Extracted from HTTP scan HTML references • Extracted from PTR records • 1.4 billion records on average
Nobody really knows • Cisco claimed 8.7 billion in 2012, predicted 15 billion in 2015 • Carrier NAT hides millions of connected nodes • Firewalls and traditional NAT hide the rest • Over 7 billion active mobile phones • IPv6 gateways also do IPv4 NAT
1 billion IPv4 systems are directly connected • ~500 million broadband clients and gateways • ~200 million servers (web, email, database, VPN) • ~200 million mobile devices (phones, tablets) • ~100 million devices (routers, printers, cameras)
unicast nodes • 97.6% of top-level domains have an IPv6 DNS record* • 6.7 million domain names with a top-level AAAA record* • RIPE has issued over 8000 network blocks • HE.net TunnelBroker alone serves 562,000 users * 2015-04-19 Hurricane Electric IPv6 Progress Report http://bgp.he.net/ipv6-progress-report.cgi
that have public exploits • We tracked the % of vulnerable services for libupnp & miniupnp • June 2014 to November 2014 is basically flat… [Chart: Devices Vulnerable to Exploitable SSDP Stack Overflows (% of total); weekly samples 2014-06-09 to 2014-11-10; series libupnp/CVE-2012-5959 and MiniUPnP/CVE-2013-0230; y axis 0% to 30%]
these issues spiked dramatically • Likely the result of a new broadband ISP deployment • Vulnerability ratio is higher in 2015 than 2014! [Chart: Devices Vulnerable to Exploitable SSDP Stack Overflows (% of total); series libupnp/CVE-2012-5959 and MiniUPnP/CVE-2013-0230; y axis 0% to 60%]
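The percentage in the two charts comes from fingerprinting the SERVER header of SSDP M-SEARCH responses and comparing the embedded library version against the fixed release. The following is an added example of that classification, not Sonar's own code. The fixed-version thresholds are assumptions taken from the respective advisories (libupnp 1.6.18 for CVE-2012-5959, MiniUPnPd 1.4 for CVE-2013-0230), and the six responses are constructed samples, not scan data.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# (library, SERVER-header pattern, first fixed version, CVE). The fixed
# versions are assumed from the advisories, not stated on the slide.
SIGNATURES = (
    ("libupnp", re.compile(r"Portable SDK for UPnP devices/([0-9.]+)", re.I),
     (1, 6, 18), "CVE-2012-5959"),
    ("miniupnp", re.compile(r"miniupnpd/([0-9.]+)", re.I),
     (1, 4), "CVE-2013-0230"),
)

# Constructed sample responses (not real devices).
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "Server: OS 1.0 UPnP/1.0 Realtek/V1.3\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "SERVER: miniupnpd/1.0 UPnP/1.0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "SERVER: Ubuntu/lucid UPnP/1.0 MiniUPnPd/1.6\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n\r\n",
]


def _vtuple(version: str) -> Tuple[int, ...]:
    """'1.6.18' -> (1, 6, 18); compared as tuples, so 1.6.6 < 1.6.18."""
    return tuple(int(p) for p in version.strip(".").split(".") if p.isdigit())


def server_header(response: str) -> Optional[str]:
    """Return the SERVER header value, matched case-insensitively."""
    for line in response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def fingerprint(response: str) -> Dict[str, Optional[str]]:
    """Identify the UPnP stack and flag versions below the fixed release."""
    hdr = server_header(response)
    result = {"server": hdr, "library": None, "version": None, "vulnerable_to": None}
    if hdr is None:
        return result
    for lib, pattern, fixed, cve in SIGNATURES:
        m = pattern.search(hdr)
        if m:
            result["library"] = lib
            result["version"] = m.group(1)
            if _vtuple(m.group(1)) < fixed:
                result["vulnerable_to"] = cve
            break
    return result


def tally(responses: Iterable[str]) -> Dict[str, int]:
    """Count responses per CVE plus the total, as charted on the slide."""
    counts = {"total": 0}
    for r in responses:
        counts["total"] += 1
        cve = fingerprint(r)["vulnerable_to"]
        if cve:
            counts[cve] = counts.get(cve, 0) + 1
    return counts


def vulnerable_ratio(responses: Iterable[str]) -> float:
    counts = tally(list(responses))
    vuln = sum(v for k, v in counts.items() if k != "total")
    return vuln / counts["total"] if counts["total"] else 0.0


if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(fingerprint(r))
    print(tally(SAMPLE_RESPONSES), "ratio:", vulnerable_ratio(SAMPLE_RESPONSES))
```

Only the SERVER header is trusted here, so a device whose vendor rebuilt the library without bumping the banner is misclassified; the charts count self-reported versions, which is the same limitation.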
be internet-facing in the first place • DrDoS capabilities in addition to exploits • 15+ million SSDP services • Massive amplification • Live stats at Shadowserver: https://ssdpscan.shadowserver.org/
OOB server management (iDRAC, iLO, SMC IPMI) • Almost the equivalent of physical access • Keyboard, video, mouse, ISO boot, I2C bus access • Typically Linux running on ARM or MIPS SoCs • Enabled by default on major server brands • Dan Farmer broke the IPMI protocol • http://fish2.org/ipmi/
2013 • This dropped down to ~250,000 as of June 2014 • Leveled off at ~210,000 in January 2015 [Chart: IPMI Exposure over time; y axis 0 to 300,000]
300k to about 65k since 2010 • Provides remote memory access and OS control • Relatively flat exposure level for the last year [Chart: exposure count over time; y axis 0 to 80,000]
decreasing pattern • Some flaws got worse after the advisory (NAT-PMP) • Most things that Sonar measures are not improving • We need vendors to take more responsibility
“dump” scans • These provide a list of all registered programs • Vendors often create proprietary program IDs • These can be used for precise fingerprints
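The slide title is cut off, so it is an assumption that the "dump" scan here is the SunRPC portmapper DUMP procedure (program 100000, version 2, procedure 4 per RFC 5531), which is what returns the list of registered programs. The following is an added example, not Sonar's code: it builds the call, parses the reply into mappings, classifies program numbers using the RFC 5531 ranges (IANA-assigned, user-defined, transient) so that vendor-specific IDs stand out, and derives a fingerprint key. The reply is constructed offline, and the program number 0x20000001 in it is a hypothetical vendor-defined ID.

```python
import struct
from typing import Iterable, List, NamedTuple, Tuple

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Small assumed subset of the IANA rpc program registry; anything else is
# classified by number range below.
KNOWN_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                  100021: "nlockmgr", 100024: "status"}


class Mapping(NamedTuple):
    prog: int
    vers: int
    prot: int   # IPPROTO_TCP or IPPROTO_UDP
    port: int


def build_dump_call(xid: int) -> bytes:
    """RPC CALL for PMAPPROC_DUMP as sent over UDP/111 (no record marker).

    Fields: xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc,
    credentials AUTH_NONE (flavor 0, length 0), verifier AUTH_NONE.
    """
    return struct.pack("!10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       0, 0, 0, 0)


def parse_dump_reply(data: bytes, xid: int) -> List[Mapping]:
    """Parse an accepted DUMP reply into its pmaplist entries."""
    if len(data) < 24:
        raise ValueError("short reply")
    rxid, msg_type, reply_stat, _verf_flavor, verf_len, accept_stat = \
        struct.unpack_from("!6I", data, 0)
    if rxid != xid or msg_type != 1:
        raise ValueError("not a reply to our call")
    if reply_stat != 0 or accept_stat != 0:
        raise ValueError("RPC call rejected or failed")
    off = 24 + ((verf_len + 3) & ~3)   # skip opaque verifier body, XDR padded
    mappings = []
    while True:
        (follows,) = struct.unpack_from("!I", data, off)
        off += 4
        if follows == 0:               # end of the linked list
            break
        prog, vers, prot, port = struct.unpack_from("!4I", data, off)
        off += 16
        mappings.append(Mapping(prog, vers, prot, port))
    return mappings


def program_class(prog: int) -> str:
    """Name a known program, else classify by the RFC 5531 number ranges."""
    if prog in KNOWN_PROGRAMS:
        return KNOWN_PROGRAMS[prog]
    if prog < 0x20000000:
        return "assigned-unknown"       # IANA range, not in our table
    if prog < 0x40000000:
        return "vendor-defined"         # where proprietary IDs live
    if prog < 0x60000000:
        return "transient"
    return "reserved"


def fingerprint(mappings: Iterable[Mapping]) -> Tuple[Tuple[int, int, int], ...]:
    """Sorted, deduplicated (prog, vers, prot) set: a stable key per device type."""
    return tuple(sorted({(m.prog, m.vers, m.prot) for m in mappings}))


def build_dump_reply(xid: int, mappings: Iterable[Mapping]) -> bytes:
    """Encode a reply; used here only to construct the offline sample."""
    body = struct.pack("!6I", xid, 1, 0, 0, 0, 0)   # REPLY, accepted, AUTH_NONE verf, SUCCESS
    for m in mappings:
        body += struct.pack("!5I", 1, m.prog, m.vers, m.prot, m.port)
    return body + struct.pack("!I", 0)


# Constructed sample: 0x20000001 is a hypothetical vendor-defined program.
SAMPLE_MAPPINGS = [
    Mapping(100000, 2, IPPROTO_TCP, 111),
    Mapping(100000, 2, IPPROTO_UDP, 111),
    Mapping(100003, 3, IPPROTO_TCP, 2049),
    Mapping(0x20000001, 1, IPPROTO_TCP, 32768),
]
SAMPLE_REPLY = build_dump_reply(0x1234, SAMPLE_MAPPINGS)

if __name__ == "__main__":
    print(build_dump_call(0x1234).hex())
    for m in parse_dump_reply(SAMPLE_REPLY, 0x1234):
        print(m, program_class(m.prog))
    print(fingerprint(SAMPLE_MAPPINGS))
```

Over the network the 40-byte call goes to UDP port 111 and the reply is parsed the same way; the xid check matters there because stray or spoofed datagrams arrive on a scanning socket, and a mismatched xid is rejected rather than parsed.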
million exposed SIP endpoints • 44% of these are in Germany • 24% of these are in Japan • Digging deeper… [Pie chart by country: Germany 44%, Japan 24%, Spain 6%, USA 4%, Other 22%]
primary ISPs • All based on the FRITZ!BOX sold by AVM.de • All running variants of the same firmware • Not the best security record • At the least, DDoS potential • At the worst, shells! • 2014 RCE flaw abused for fraud • Likely more bugs...