
Here’s what you find when you scan the entire Internet in an hour - anxiouser
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/18/heres-what-you-find-when-you-scan-the-entire-internet-in-an-hour/
======
dmckeon
People willing to exploit insecure sites may be able to scan faster - legality
is a different issue.

[http://census2012.sourceforge.net/paper.html](http://census2012.sourceforge.net/paper.html)

_Starting with one device and assuming a scan speed of ten IP addresses per
second, it [the scanner] should find the next open device within one hour. The
scan rate would be doubled if we deployed a scanner to the newly found device.
... We did this in the least invasive way possible ...._

I wonder if/when attaching a widely accessible and easily exploitable device
will be considered illegal (attractive nuisance, negligence, public nuisance,
contribution to a crime)?

To leap to a car analogy, if a driver leaves the keys in a vehicle ignition,
and the vehicle is stolen and used to commit some other crime, does the driver
face criminal penalties or civil liability?

Should a computer vendor or user who neglects to secure their systems or
network face penalties or liability? Should external entities do wide scans to
encourage better security? I think that a "name and shame" approach aimed at
vendors who ship or install insecure-by-default systems could be effective.

~~~
guard-of-terra
You should not be criminally liable for something that was merely caused by
your actions.

[http://en.wikipedia.org/wiki/Strict_liability_%28criminal%29](http://en.wikipedia.org/wiki/Strict_liability_%28criminal%29)

------
andrewljohnson
Thread from yesterday linking to the actual lib:
[https://news.ycombinator.com/item?id=6226105](https://news.ycombinator.com/item?id=6226105)

------
w_larsen
reading the article, it might seem that it's some sort of futuristic
technology, but it's been used since 2002 (scanrand)

the downside of stateless portscanning is that you are trading speed for false
negatives.

~~~
gruseom
_the downside of stateless portscanning is that you are trading speed for
false negatives_

That's interesting. Could you explain this in a bit more detail? Unless I
missed it, the thread from yesterday didn't discuss this.

~~~
groby_b
Since it's stateless, all info is encoded in the outgoing packet. If the
outgoing packet (or the reply to it) is lost, it will look exactly the same as
if the server didn't respond - after all, the scanning tool has no local
state, and thus can't track if an address has been pinged/re-ping it. The port
map is entirely drawn based on incoming packets.

~~~
perbu
I don't know how they progress through the IP space, but couldn't they simply
solve this by doing it in a deterministic manner? At progress N they should
easily be able to tell that A has been scanned. Iterating three times through
the IP space all IPs that haven't answered should have gotten the connection
attempts.

~~~
hmsimha
That might introduce the same overhead that maintaining state does in the
first place. It sounds like they're sending out at least a million requests
per second.

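The loss-equals-silence effect described above, and the question of what a second deterministic pass buys, can be made concrete with a small offline simulation. This is an added example, not ZMap's code and not from the thread: it models a stateless scanner that derives a validation token from the destination alone (the HMAC construction, the per-scan secret, the address space and the loss rate are all constructed assumptions), drops a fraction of probes or replies, and counts how many listening hosts are wrongly reported as silent. Repeating the full sweep is the only recovery available without keeping per-target state, and it multiplies the traffic accordingly.

```python
"""Simulation of stateless scanning: lost packets become false negatives,
and repeated full passes shrink (but never eliminate) them.
Constructed example; not ZMap's implementation."""
import hashlib
import hmac
import random

# Constructed per-scan secret (assumption): a real stateless scanner derives
# a fresh one per run so replies to an old scan cannot be mistaken for new ones.
SECRET = b"constructed-scan-secret"


def probe_token(dst_ip: str, dst_port: int) -> int:
    """Token carried in the outgoing probe (e.g. in a sequence-number field).
    It depends only on the destination, so the scanner keeps no table of what
    it sent: a reply is matched by recomputing the token from the replier."""
    msg = f"{dst_ip}:{dst_port}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def reply_is_valid(src_ip: str, src_port: int, echoed_token: int) -> bool:
    """Accept a reply only if the echoed token matches the recomputed one;
    stray or spoofed traffic is discarded without any lookup."""
    return echoed_token == probe_token(src_ip, src_port)


def scan_pass(targets, open_hosts, port, loss_rate, rng):
    """One stateless pass: one probe per target, returning the addresses whose
    valid reply arrived. A probe or reply dropped with probability `loss_rate`
    looks exactly like a closed or filtered host: the scanner cannot tell."""
    seen = set()
    for ip in targets:
        if ip not in open_hosts:
            continue                    # closed/filtered: no reply at all
        if rng.random() < loss_rate:
            continue                    # probe or reply lost in transit
        echoed = probe_token(ip, port)  # an open host echoes the token back
        if reply_is_valid(ip, port, echoed):
            seen.add(ip)
    return seen


def stateless_scan(targets, open_hosts, port, loss_rate, passes, seed=1):
    """Union of `passes` independent full sweeps. Re-walking the whole space
    deterministically needs no extra state, but costs `passes` times the
    traffic; with independent loss the miss rate falls to about loss_rate**passes.
    Returns (hosts found, open hosts that were missed)."""
    rng = random.Random(seed)
    found = set()
    for _ in range(passes):
        found |= scan_pass(targets, open_hosts, port, loss_rate, rng)
    return found, open_hosts - found


def build_space(n_hosts, open_fraction, seed=7):
    """Constructed address space (10.0.0.0/16 style) with a random subset listening."""
    rng = random.Random(seed)
    targets = [f"10.0.{i >> 8}.{i & 255}" for i in range(n_hosts)]
    open_hosts = {ip for ip in targets if rng.random() < open_fraction}
    return targets, open_hosts


if __name__ == "__main__":
    targets, open_hosts = build_space(20000, 0.05)
    for passes in (1, 2, 3):
        _, missed = stateless_scan(targets, open_hosts, 80, 0.02, passes)
        print(f"passes={passes}: open={len(open_hosts)} missed={len(missed)} "
              f"({100 * len(missed) / len(open_hosts):.2f}%)")
```

The point for anyone reading scan results, whether a published census or their own exposure check, is that a single stateless pass under-reports listening hosts by roughly the path loss rate, and a host absent from one sweep is not evidence that it is closed.
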
------
UVB-76
I'd be interested to see how these, apparently rather frequent, port scanning
exercises are being factored into 'attempted cyberattack' statistics.

~~~
dsuth
New scanning technique shows sharp increase in internet scans!

------
pbrumm
This looks like the code for the project

[https://github.com/zmap/zmap](https://github.com/zmap/zmap)

------
jnazario
reminds me of dscan, originally from about 2003 or so, which itself was built
around the time of scanrand.

[https://github.com/dugsong/dscan](https://github.com/dugsong/dscan)

------
DanBC
> ZMap is capable of performing a complete scan of the IPv4 address space in
> under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

Are they scanning all ports, or a subset, or just one?

~~~
jnbiche
Just one in the 45 minutes quoted. It's still impressive.

------
sirsar
There's no timezone on the Time of Day chart. Any good guesses?

~~~
goodcanadian
Eastern time. From the article:

_In any event, the best time to scan the Internet, at least from Michigan,
seems to be early in the morning._

------
fla
internet != the web

~~~
trstowell
What's the distinction in this context?

~~~
fla
The article's title is misleading. It speaks about the web mostly, not the
internet (which you can't scan in an hour btw).

~~~
guard-of-terra
You can. You can send an IP packet to every host in the internet and hopefully
receive a reply. That is internet scanning.

~~~
gargoiler00
I think he meant scanning all ports, UDP+TCP+ICMP etc etc

~~~
guard-of-terra
That's meaningless. That's like claiming you didn't really visit a country
until you looked under every trash can.

~~~
D9u
There's more to the internet than just port 80, so to declare that a scan
encompassing only a single port on each host is a scan of "the entire
internet" is somewhat mistaken.

The more correct title would be, "a scan of the entire World Wide Web."

~~~
gargoiler00
Even that's not correct though. Port 80 is just the _default_ port. Not to
mention the number of web servers only doing HTTPS on port 443 and not 80.

More correct would be "A scan of world wide web servers running on the default
port 80"

~~~
D9u
[https://zmap.io/paper.pdf](https://zmap.io/paper.pdf) From page 14, Section
8, titled, "Conclusion"

_"We experimentally showed that ZMap is capable of scanning the public IPv4
address space on a single port in under 45 minutes, at 97% of the theoretical
maximum speed for gigabit Ethernet and with an estimated 98% coverage of
publicly available hosts."_

