Thursday, May 08, 2014

300k servers vulnerable to Heartbleed one month later

It's been a month since the Heartbleed bug was announced, so I thought I'd rescan the Internet (port 443) to see how many systems remain vulnerable. Whereas my previous scan a month ago found 600,000 vulnerable systems, today's scan found roughly 300,000 thousand systems (318,239 to be precise).

The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed "attacks" and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that).

Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.

Note: This scan was only port 443. I really should scan for other well-known SSL ports, like SMTP ports. If I get around to that, I'll post the results here.

Note: This was a scan of IPv4 addresses. Scans starting from DNS domain-names produce wildly different results. A lot of news stories focus on things like "the top million domain names", the results of which are unrelated to this scan.

Note: The count "22-million" is that of systems responding to the SSL handshake. There are many more systems that respond to the probe, but which do not talk SSL. Most systems that respond with a SYN-ACK make no further communication. Other's respond with things like Banner on port "SSH-2.0-OpenSSH_4.3" or "HTTP/1.0 403 Forbidden" -- which are not SSL.


Michal Špaček said...

Out of that 300k servers roughly 1% (~3400) is in the Czech Republic alone:

Wheaties said...

1% is not surprising at all. Its a fairly useless statistic.

Unknown said...

How about you post some pictures of the files your finding? It's because you know it's not a bug or a virus. It's a 4096 bit DES-3 algorithm with a password on it and also a piece of software named after myself Patrick_J_Steed and was built and released into Apple's server on February 13th, 2014 while I sat in my house here in Mulberry, Florida. It can control any router, server or microchip at the hardware level. Find new jobs! Your IT knowledge, honesty, credibility and integrity are despicable. Practice singing, "would you like some fries with that?"

Patrick J. Steed

Unknown said...