How quickly can we scan the entire Internet

A random host on the Internet receives a large number of unsollicited packets. Some of these packets are caused by transmission errors that modify the destination address of the packets or bugs/implementation errors. Still, most of the background Internet noise observed by network telescopes comes from worms that try to propagate or researchers, security experts or attackers trying to find characteristics of remote hosts.

When researchers try to map the Internet, they usually operate slowly. For example, CAIDA takes a few days to send traceroute probes towards all reachable class C networks. The 2012 anonymous Internet Census that exploited a large number of vulnerable routers to serve as probes took months. nmap, the default tool to probe open services on a remote host or network also uses a slow mode of operation. These slow modes of operations are mainly chosen to avoid triggering alarms on the remote sites. A few packets can be easily unnoticed on an entreprise networks, not millions of them.

A recent paper presented at the USENIX 2013 Security symposium takes a completely different approach.

Instead of slowly probing the Internet from one or several hosts, Zakir Durumeric and his colleagues tried to generate probes as quickly as possible. Many university networks contain hosts with 1 Gbps or even 10 Gbps interfaces and high-speed networks in the campus. On such a host, nmap needs more than 100 days to probe the entire IPv4 Internet by sending two probes per destination. zmap is able to perform the same scanning in less than two hours. This is simply the time required to send 2 TCP segments towards each reachable Internet host. With an optimized implementation, it is possible to achieve such high performance provided that no state is maintained on the probing host. Their trick is to encode the state in IP and TCP fields of the segments sent and recover the required state from the received answer. This is similar to the SYN cookies principle in TCP, but used on the client side instead of the server side.

In the paper, they used zmap to probe the Internet to find vulnerable hosts. Unsurprisingly, they were able to found a large number of devices that are vulnerable to know attacks. For example, they probed for an UPnP vulnerability that was reported in early 2013. This vulnerability affected librairies used by 1,500 vendors and 6,900 products and could be exploited by a single UDP packet. In less than two hours, they could find 2.56 million vulnerable devices. This is frightening since attackers could easily reuse similar tools to massively exploit a large number of devices in the future. Given the speed of the available network links and the number of addresses on the IPv4 Internet, this looks like an additional reason to move quickly to IPv6 where brute-force scanning is much more difficult…