Monday, May 30, 2016

Doing a 'full scan' of the Internet right now

So I'm doing a "full" scan of the Internet, all TCP ports 0-65535 on all addresses. This explains the odd stuff you see from 209.126.230.7x.


I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

This scan won't finish at this speed, of course, it won't get even close. Technically, it'd take 50 years to complete at this rate.

The point isn't create a comprehensive scan, but to do sampling scan. I'll let it run a week like this, which will get 0.1% of the Internet, and then stop the scan.

What am I looking for? I don't know. I'm just doing something weird in order to see what happens. With that said, I am testing any port I connect to with Heartbleed. This should give us an estimation of how many Internet-of-Things devices are still vulnerable to that bug. I'm also interested to see how many things allow connections to port 0.

I'm also interested in see those devices/firewalls that respond with a SYN-ACK to any SYN. That's why, in the above picture, the "found" count is so high. I haven't actually found many real things, but it looks like it because these devices send SYN-ACKs without actually establishing TCP connections.

Anyway, send me a tweet @erratarob with information on how you perceive this incoming scan. Is your firewall and IDS handling it well? or do you have messed up configuration/policies where this causes more noise/concern than is warranted?



Update: This is the sort of thing I find doing this random scan, an OpenVPN accelerator that still hasn't been patched for Heartbleed:


Again, the point isn't find these devices specficially, but to estimate how many of this sort of thing is out there.



Update: At this early point, it looks like VNC is found much more often on random ports than it is on the official port of 5900.


6 comments:

Travelling Gwillimbury said...

Could you continue the scan for 25 years, That's how long it will take to reach my IP. I will be patiently waiting and shoot you a email ( If they still call it that ) when it shows up in my logs.

the vampire's dream said...

i'm going to have to wait a bit longer than even scott... :)

on average, i've found that if you put a new server up, it takes approx 10-15 minutes for it to have some worm scan it...

uair01 said...

Do you get angry e-mails?
NB: My provider has anti-botnet filters and if I do naughty things I'm shut off automatically and then have to beg their helpdesk for forgiveness :-)

Travelling Gwillimbury said...

I would be interested in finding out how many of those IP's try to scan you. Also if there is any retaliation or malicious activity related to the scans.

I have bookmarked this page to see if you update it.

If you do update it could you provide a link on this page to any updates.

Unknown said...

Dude don't do a full scan on the internet. It will rattle the FBI.

Travelling Gwillimbury said...

You might want to sanitize you update about VNC