Scanning the Web in 45 minutes

Researchers develop a tool that can scan the entire IPv4 space in less than an hour.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 21 Aug 2013
High-speed scanning could also be used for malicious purposes.

A team from the University of Michigan has developed a tool that is capable of scanning the entire in under an hour, without the use of special hardware.

Although scans of the entire IPv4 space have been done before, this is the first scan that was motivated by .

In their paper, the researchers say Internet-wide scanning has many security applications, such as "exposing new vulnerabilities and tracking the adoption of defensive mechanisms", but added that scanning the entire public address space with current tools is both onerous and slow.

The tool is dubbed ZMap, and researchers describe it as "a modular, open source network scanner, specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet".

According to Threatpost, the team, consisting of assistant professor Alex Halderman, and doctoral candidates Eric Wustrow and Zakir Durumeric, demonstrated ZMap at the USENIX Security conference last week.

The team ran a scan of the Internet, and got results from over 34 million hosts, which they say equates to approximately 98% of the machines on the Web.

They said the tool is specifically designed to bypass the speed obstacles that slowed down some of the Internet-wide scans done before, and the design allows the tool to get both faster response times and better coverage of the target address space.

Putting it to work

The researchers say they have already found a few practical applications for the tool. In 2012, they ran 110 individual scans of the Internet, and found a total of 42 million certificates. Of those certificates, only 6.9 million were trusted by browsers.

According to them, the ability to scan the Internet in under an hour presents a host of new research possibilities, one of which would be the ability to gain visibility into "previously opaque distributed systems, understand protocol adoption at a new resolution, as well as uncover security phenomenon that would only be accessible with a global perspective".

On the negative side, they said high-speed scanning could also be used maliciously, to find and attack vulnerable hosts en masse. As an example of this, the researchers wrote a custom probe to look for the Universal Plug and Play (UPnP) vulnerability uncovered by HD Moore of Rapid7 in January. After scanning 15.7 million devices, they found that 3.4 million were still vulnerable.

UPnP is a set of networking protocols intended to allow network devices to automatically find one another and then communicate and share data. "Given that these vulnerable devices can be infected with a single UDP packet, we note that these 3.4 million devices could have been infected in approximately the same length of time," said the researchers.

They added that the time is far faster than network operators could reasonably respond to or patch. With ZMap, it would only have taken a matter of hours from the time of disclosure to infect every publicly available vulnerable host.

"We hope ZMap will elevate Internet-wide scanning from an expensive and time-consuming endeavour to a routine methodology for future security research," the team concluded. "As Internet-wide scanning is conducted more routinely, practitioners must ensure they act as good Internet citizens by minimising risks to networks and hosts, and being responsive to inquiries from traffic recipients."
