Wednesday, April 09, 2014

600,000 servers vulnerable to heartbleed

Just an update on "HeartBleed". Yesterday I updated my "masscan" program to scan for it, and last night we scanned the Internet. We found 28,581,134 machines (28-million) that responded with a valid SSL connection. Of those, only 615,268 (600-thousand) were vulnerable to the HeartBleed bug. We also found 330,531 (300-thousand) machines that had heartbeats enabled, but which did not respond to the heartbleed attack. Presumably, this means a third of machines had been patched by the time we ran the scan last night.

Update: Some people have described this as "only 2% vulnerable". That's an unfair way of describing it. We scanned IP addresses. There are millions of IP addresses where port 443 traffic is redirected to a single load balancer. This throws off our counts.
Tony Carter said...

The title should be 600k IPs vulnerable, right? As a server can have more than one IP and each IP could also host multiple sites (SNI on apache).

David Humphrey said...

This too assumes that the IP address of the scanning system(s) has not already been blacklisted.

That IP wasn't, now was it? :-)