Become a fan of Slashdot on Facebook


Forgot your password?
The Internet Security

Researchers Release Tool That Can Scan the Entire Internet In Under an Hour 97

dstates writes "A team of researchers at the University of Michigan has released Zmap, a tool that allows an ordinary server to scan every address on the Internet in just 45 minutes. This is a task that used to take months, but now is accessible to anyone with a fast internet connection. In their announcement Friday , at the Usenix security conference in Washington they provide interesting examples tracking HTTPS deployment over time, the effects of Hurricane Sandy on Internet infrastructure, but also rapid identification of vulnerable hosts for security exploits. A Washington Post Blog discussing the work shows examples of the rate with which of computers on the Internet have been patched to fix Universal Plug and Play, 'Debian weak key' and 'factorable RSA keys' vulnerabilities. Unfortunately, in each case it takes years to deploy patches and in the case of UPnP devices, they found 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described."
This discussion has been archived. No new comments can be posted.

Researchers Release Tool That Can Scan the Entire Internet In Under an Hour

Comments Filter:
  • doesn't add up (Score:3, Interesting)

    by Anonymous Coward on Monday August 19, 2013 @09:37AM (#44606709)

    > 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described."

    Something doesn't add up here. Is TFS saying that there are only 15 million devices on the internet? I'm pretty sure the number is bigger than that.

    • I'd assume they meant 16.7% of UPnP devices but even then the number seems low.

    • by Anonymous Coward

      No, it's saying there's 15.7 million devices exposing UPNP, out of which 16.7% are vulnerable.

    • The sentence is a bit ambiguous; but it could be read to mean that there are ~15 million UPnP devices (or even ~15 million UPnP devices that started with the vulnerability for which the patch was available) on the public internet. That would seem slightly more plausible; though the sentence itself isn't very clear.
      • Re:doesn't add up (Score:5, Informative)

        by Anonymous Coward on Monday August 19, 2013 @09:45AM (#44606759)

        TFS should have just quoted the entire sentence then; from TFA: "Out of 15.7 UPnP devices, they found 2.56 million (16.7 percent) had not yet upgraded."

        • by Anonymous Coward
          Exactly... Christ forbid that people actually read the article before they start to pick apart a bad summary.

          But then we are living in a generation that thinks they can really understand complex weather patterns and climatology after watching a two hour (more like 1.4 hours after commercials) TV program that is hosted by someone who doesn't have a hard science degree, Al Gore.

          All hail the new age of enlightenment!
    • by Anonymous Coward on Monday August 19, 2013 @09:46AM (#44606763)

      That's how they're able to scan it all in just 45 minutes, they are using a much smaller internet. Perhaps this tool uses some kind of temporal protocol that allows it to communicate with the internet of 25 years ago.

    • by gl4ss ( 559668 )

      of a particular make/model maybe..

    • by Bogtha ( 906264 )

      I would expect from the context of the rest of the sentence, that it's 15m devices on the Internet with UPnP.

  • by mysticalreaper ( 93971 ) on Monday August 19, 2013 @09:46AM (#44606761)

    Sure, scanning 4 billion addresses in a hour sounds like a lot of data, but conceivable with today's high-speed computers and tech.

    But 3.4 x 10^29 billion addresses, as contained in IPv6? Not the same feasibility at all.

    • by Anonymous Coward

      Actually, no it's not. With 4 billion addresses: (2^32-1)/60/60 = ~1193046.5 addresses per second. Considering there are only 2^16-1 ports on your system. Of which a few 100s or 1000s are taken by internal handles. I don't see how it's possible on any "ordinary server".

      • UDP? A single UDP port on my local box can send UDP packets to any host/port on the internet.

        • by Bacon Bits ( 926911 ) on Monday August 19, 2013 @11:36AM (#44607903)

          I don't think ports are a limitation. As is common with IPv6, I don't think people appreciate the difference in scale.

          The header alone for IPv6 is 40 bytes. IPv6 is 2^128 addresses. 40 * 2^128 / 2^80 = 40 * 2^48 = 11,258,999,068,426,240 YiB (Yobibytes). Just for header data. Even if you use some kind of magic multicasting magic to send the packets, you've still got to get that much header data back. At a transfer speed of 1 Yibps (yebibit per second), it would take 2.8 billion years to transfer all those packets. Then you have to store that data. Just storing every possible IPv6 address as a 128 bit number would take at least 4,503,599,627,370,496 YiB.

          Nobody has pipes that fat. Nobody has disks that big.

          Compare that to IPv4:
          The header is 20-24 bytes. IPv4 is 2^32 addresses. 20 * 2^32 / 2^30 = 80 GiB. That's a completely reasonable amount of data to push in 45 minutes or to store on disk.

          • by CODiNE ( 27417 )

            How about if you were scanning for a particular vulnerability and saved only 1 bit per address?

            That would be 2^48 / 8 bytes?
            2 ^ 48 / 2 = 2 ^ 47
            2 ^ 47 / 2 = 2 ^ 46
            2 ^ 46 / 2 = 2 ^ 45 = 35TB?

            (Note I don't know what the / 2 ^ 80 step was all about so this might be waaaaay off)

            • by bbn ( 172659 )

              There are actually 2^128 possible IPv6 addresses. Ok, then you can cut it down by looking at BGP etc as proposed. But consider that the minimum IPv6 network every user gets is a /64 = every user has 2^64 addresses on his home network, just scanning one single user is not feasible. Not to even think of scanning the entire internet.

              You can split an IPv6 address into blocks. The first 32 bits tells you what ISP. This is the part where the BGP trick can help. The next 32 bits is the network number. And the rema

              • Many current home routers assign DHCP as follows:
                Router is
                DHCP devices are .2, .3, etc, assigned sequentially. Some start at 100.

                So you can scan the first few addresses, and if you don't get a hit you move on to the next /64. It's simpler to code your DHCP server to assign addresses sequentially than randomly, so it will get done that way to save money.
      • you aren't thinking fourth dimensionally, Marty.

        Suppose, for example, my server had 128 virtual IP addresses its single interface.....

    • by schneidafunk ( 795759 ) on Monday August 19, 2013 @10:03AM (#44606935)
      "an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage- With Zmap, an Internet- wide TCP SYN s can on port 443 is as easy as: $ zmap – p 443 – o results.txt
      34,132,693 listening hosts (took 44m12s)"
    • Yes, they only are scanning the IPv4 internet, per page 7 of the PDF linked to in the slashdot article:

      Introducing ZMap, an open source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage

  • by Anonymous Coward

    Pretty sure the problem with UPnP in consumer routers is simply that consumers generally just don't know about the issue. Even if they did know most will have no idea where to start looking to upgrade their devices firmware (if an update is even available). Most consumers walked into the store and the sales rep told them they could connect the to the magic box. The same reason (to this day) that users are running with the default device username/password (admin:admin anyone?) and with the shared key that w

    • by Anonymous Coward
      True. I was just looking at the WiFi spectrum at one end of my house yesterday and out of a total of 12 access points (seen at one time; there are more than that with weak enough signals that they appear and disappear from the analyzer), only 4 of them had non-default names. This was the 2.4 Ghz spectrum. Two of the people using non-default were also idiots. One was using channel 3, the other was using channel 7. The rest were correctly using channels 1, 6, and 11. (The three non-overlapping channels availa
  • Oh, do they mean the IPv4 Internet?

    tl;dr If you blindly and extremely unneighbourly fire off several packets at every single public IPv4 address in non-sequential order to saturate a fat network pipe, it doesn't take much time to get a lot of shit back.

    And of course if you have a not completely crap IDS then anything probing your organisation's entire public space within an hour is going to be detected.

    Why are they comparing with nmap? That's not designed for probing the entire Internet.

  • Probably they run a lot deeper, but a world map with all those vulnerable systems everywhere probably is in the hand of NSA, any major government intelligence services, and all major hacking groups already. This kind of tool could work as temperature map for the public to know what kind of things avoid that are vulnerable in big numbers (something like OWASP top ten []), or how vulnerable is a region.

    And between the things people must worry about are cameras [], that are accessible from internet, with present or

  • by Bucc5062 ( 856482 ) <bucc5062 AT gmail DOT com> on Monday August 19, 2013 @10:02AM (#44606925)

    I can see it now, a multitude of /.ers downloading, installing then running the program, playing with probe settings to the point where the whole Internet (yes, more then just Web) is brought down by the /. effect

    • Still better than how I first read the headline: "Researchers Release Tool That Can Sue the Entire Internet In Under an Hour"
    • It'd be funnier if everyone just scanned slashdot, and slashdotted slashdot.

    • Maybe it will, especially if people have high bandwidth connections. But I suspect most people will be on ADSL or cable.

      Now the default zmap syn scan uploads 432 bits (54 bytes) per packet, that's 14 bytes Ethernet frame, 20 bytes IP and 20 bytes TCP. Which means the full 2^32 IPv4 address range needs 1.855 Terabits upload. That's 0.51 hours at 1 Gbit/sec, or 5.15 hours at 100 Mbit/sec, or 51.5 hours at 10 Mbit/sec, or 515 hours (21.5 days) at a more common ADSL uplink of 1 Mbit/sec. Remember the A in ADSL

  • You have reached the end of the Internet... But in all honestly, I wonder how long it will take for an iptable rule to come out and auto drop packets seen from the scanner? Since there is some TCP manipulation involved, I sense that it won't be to hard.
    • I was interested to see what TCP manipulation you were referring to, so I read into the abstract a little. I've never fully dug into the details of how nmap works, but it seems nmap and zmap use nearly identical techniques: sending out packets using a raw socket which bypasses the kernel, then libpcap to capture results. The novelty here is that zmap is written specifically to "scan the internet" while nmap is more of a multi-purpose utility and just isn't as efficient at this particular function. Additiona
      • That's not exactly true. You might get a single scan or two, but large services who have farms can easily have a firewall that interconnects an array of different IP's. When a syn is left hanging an IPS can easily craft a rule to block further connections from that address. So you'll get a few replies, but you'll miss the rest. Likewise, there are services out there (ISC?) that track such activities and site block abusive IP's based on netflows. If someone employed this scanner, they'll likely hit the radar
  • by Anonymous Coward on Monday August 19, 2013 @10:51AM (#44607447)

    Please look into "scanrand" software. I used it with nmap combination to scan entire Internet range for under few hours, about 7 YEARS ago.

      The Paketto Keiretsu is a collection of tools that use new and unusual
        strategies for manipulating TCP/IP networks. scanrand is said to be
        faster than nmap and more useful in some scenarios.
        This package includes:
            * scanrand, a very fast port, host, and network trace scanner
            * minewt, a user space NAT/MAT (MAC Address Translation) gateway
            * linkcat(lc), that provides direct access to the network (Level 2)
            * paratrace, a "traceroute"-like tool using existing TCP connections
            * phentropy, that plots a large data source onto a 3D matrix

  • by sl4shd0rk ( 755837 ) on Monday August 19, 2013 @11:56AM (#44608063)

    A little overly sensational. PC hardware is no way going to push 1.4M PPS*. I don't know the exact figures but asking a cable/DSL modem to push that many packets seems ludicrous. Good luck "scanning the entire" internet from your PC.

    [*] - []

  • Cause I can't find my Geocities page. It seems to have disappeared and I can't find it anywhere...
  • by Anonymous Coward

    Perhaps they can scan the entire IPv4 address space, but certainly not IPv6. IPv6 has more than 7.9×10^28 TIMES as many IP addresses as IPv4.

  • I presume this doesn't work with NAT, so the "scan the entire Internet" is a bit misleading. That said, nice job. What would happen of you ran the scanner on a million systems all at once?

  • a) ... it can do a port-scan, not a content-scan
    b) ... in IPv4 space
    c) ... when supplied with unspecified bandwidth

  • ... who are behind the machines hosted at which have been attacking port 443 on my router with bogus requests and clogging my log files with messages like "peer did not return a certificate".

    Go away. Just go away.

Thufir's a Harkonnen now.