Security carries weight

DDoS shield_server defence pricing_solutions

2022-01-12 07:20 Category: High-defense hosting


Scanning of services and ports on the Internet has been an area of focus of the Applied Research Team at Kudelski Security for the last few years. This article gives a brief introduction to our previous work and an insight into the current state of the Internet by showcasing interesting findings on certain protocols.

Background

There are two types of scanning: port scanning and fingerprinting. Port scanning sends a packet to an IP address with a specific destination port number to determine whether that port is open, closed, or filtered. An open port suggests that an application is listening on it. To learn more, a fingerprinting scan is then run against that specific port. Depending on the application, information such as the software version, the vendor, the commands it accepts, or the security protocols it supports can be gathered. Fingerprinting, however, requires knowledge of the application in order to craft the appropriate packets.
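The three port states above are decided from the reply to a single TCP SYN probe. The following is an added example, not code from the article, from zmap or from scannerl: it parses the fixed TCP header with the standard library and maps the reply to open, closed or filtered. It also applies the check a stateless scanner needs, namely that a SYN/ACK acknowledges the probe's own sequence number, so spoofed or stale replies are not counted as open ports. All packets below are constructed by hand.

```python
"""Classify a port from the reply to one TCP SYN probe (added example, not the article's code)."""
import struct
from typing import Optional

# TCP flag bits in the low nine bits of the offset/flags word (RFC 793, RFC 3168)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HEADER_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options are ignored."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(TCP_HEADER_FMT, data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,   # data offset is counted in 32-bit words
        "flags": off_flags & 0x1FF,
        "window": win,
    }


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal header with no options and a zero checksum, used only to construct sample replies."""
    return struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def classify_port(reply: Optional[bytes], probe_seq: int, icmp_unreachable: bool = False) -> str:
    """Map the outcome of one SYN probe to open / closed / filtered / ignored.

    reply:            raw TCP header of the answer, or None if nothing came back
    probe_seq:        sequence number we sent; a genuine SYN/ACK acknowledges probe_seq + 1
    icmp_unreachable: True if an ICMP destination-unreachable arrived instead of a TCP segment
    """
    if icmp_unreachable or reply is None:
        return "filtered"                      # dropped, or administratively rejected
    hdr = parse_tcp_header(reply)
    flags = hdr["flags"]
    if flags & SYN and flags & ACK:
        if hdr["ack"] != (probe_seq + 1) & 0xFFFFFFFF:
            return "ignored"                   # not an answer to our probe: spoofed or stale
        return "open"                          # something is listening
    if flags & RST:
        return "closed"                        # host reachable, nothing listening on that port
    return "filtered"                          # anything else: treat conservatively


# Constructed replies to a probe sent from port 40000 with seq=7 towards ports 80 and 22
PROBE_SEQ = 7
SYNACK_REPLY = build_tcp_header(80, 40000, SYN | ACK, seq=123456, ack=PROBE_SEQ + 1)
RST_REPLY = build_tcp_header(22, 40000, RST | ACK, ack=PROBE_SEQ + 1)
SPOOFED_REPLY = build_tcp_header(80, 40000, SYN | ACK, seq=1, ack=99)

if __name__ == "__main__":
    for name, pkt in [("port 80", SYNACK_REPLY), ("port 22", RST_REPLY), ("spoofed", SPOOFED_REPLY)]:
        print(name, classify_port(pkt, PROBE_SEQ))
    print("no answer", classify_port(None, PROBE_SEQ))
```

The "ignored" state is the practical difference between a toy scanner and one that runs against the whole Internet: at that scale you will receive SYN/ACKs you never solicited, and counting them as open ports inflates the results.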

As you can imagine, scanning all 2^32 (about 4.3 billion) IPv4 addresses requires adequate software and infrastructure. For this purpose, many tools were developed internally, and open-source components such as Apache Hadoop, HDFS, Hive, and Spark were deployed on a powerful cluster.

Port scanning was performed using one of the most popular scanning tools: zmap. According to its authors and our own internal tests, it can scan the full IPv4 range in under 45 minutes over a gigabit connection.

Fingerprinting, however, involves sending multiple packets whose content depends on the application and on the transport-layer protocol it uses. This increase in complexity led us to develop scannerl, a distributed fingerprinting engine which was open-sourced last year on our GitHub page. An introduction to scannerl can be found in a previous blog post. Scannerl's modularity allows us to quickly develop modules that fingerprint specific protocols. Several articles were written about this; for example, this post gives a walk-through of the implementation of a module that fingerprints MySQL and retrieves its version.
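MySQL is a convenient fingerprinting target because the server speaks first: as soon as the TCP connection is up it sends a HandshakeV10 greeting carrying its version string, capability flags and authentication plugin, before the client sends a byte. The parser below is an added example in Python, not the scannerl MySQL module (which is written in Erlang). It decodes that greeting and also the ERR packet a server sends instead when the scanning host is not permitted to connect, which a scanner must treat as "MySQL is here, version unknown" rather than as a parse failure. The packets are constructed inline; the version, connection id and plugin name are sample values.

```python
"""Fingerprint a MySQL server from its first packet (added example, not scannerl's code)."""
import struct

# Capability flags from the MySQL client/server protocol
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_mysql_greeting(data: bytes) -> dict:
    """Return version and capabilities from a HandshakeV10 greeting, or the ERR the server sent instead."""
    if len(data) < 5:
        raise ValueError("too short for a MySQL packet")
    length = data[0] | (data[1] << 8) | (data[2] << 16)   # 3-byte little-endian payload length
    payload = data[4:4 + length]                           # data[3] is the sequence id
    if len(payload) < length:
        raise ValueError("truncated packet")

    if payload[0] == 0xFF:                                 # ERR packet, e.g. "Host ... is not allowed"
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":                                # '#' + 5-character SQLSTATE (protocol 4.1)
            msg = msg[6:]
        return {"type": "error", "code": code, "message": msg.decode("utf-8", "replace")}

    if payload[0] != 10:
        raise ValueError("unsupported handshake protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")    # NUL-terminated server version
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                       # connection id, auth-data part 1, filler
    caps = struct.unpack_from("<H", payload, pos)[0]       # lower 16 capability bits
    pos += 2
    plugin = None
    if len(payload) >= pos + 16:                           # optional trailer is present
        caps |= struct.unpack_from("<H", payload, pos + 3)[0] << 16   # upper 16 capability bits
        auth_len = payload[pos + 5] if caps & CLIENT_PLUGIN_AUTH else 0
        pos += 16                                          # charset, status, caps hi, auth_len, 10 reserved
        if caps & CLIENT_SECURE_CONNECTION:
            pos += max(13, auth_len - 8)                   # auth-data part 2
        if caps & CLIENT_PLUGIN_AUTH:
            plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {
        "type": "greeting",
        "version": version,
        "connection_id": conn_id,
        "capabilities": caps,
        "tls_offered": bool(caps & CLIENT_SSL),
        "auth_plugin": plugin,
    }


def build_greeting(version: str, conn_id: int, caps: int, plugin: str) -> bytes:
    """Construct a HandshakeV10 packet for the example (sample data, not a capture)."""
    body = bytes([10]) + version.encode() + b"\x00"
    body += struct.pack("<I", conn_id) + b"A" * 8 + b"\x00"
    body += struct.pack("<H", caps & 0xFFFF)
    body += bytes([0x21]) + struct.pack("<H", 0x0002) + struct.pack("<H", caps >> 16)
    body += bytes([21]) + b"\x00" * 10 + b"B" * 12 + b"\x00"
    body += plugin.encode() + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


SAMPLE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
SAMPLE_GREETING = build_greeting("8.0.33", 42, SAMPLE_CAPS, "caching_sha2_password")
_err = b"\xff" + struct.pack("<H", 1130) + b"#HY000" + \
    b"Host '203.0.113.5' is not allowed to connect to this MySQL server"
SAMPLE_ERROR = len(_err).to_bytes(3, "little") + b"\x00" + _err

if __name__ == "__main__":
    print(parse_mysql_greeting(SAMPLE_GREETING))
    print(parse_mysql_greeting(SAMPLE_ERROR))
```

Beyond the version string, the capability flags are worth keeping: whether CLIENT_SSL is offered and which authentication plugin is advertised both change over releases and distinguish distributions that report the same version number.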

A previous article published in October 2017 describes the results of scanning Industrial Control Systems (ICS) protocols such as BACnet, Modbus, or MQTT and can be found here. Those results covered six months, February to August 2017, on five ICS protocols. Since then, scanning has continued and more protocols have been added each month.

Before we start providing results, we want to make a few points.

Scanning at Internet scale is hard:

It requires a lot of bandwidth, processing power, and storage. A scan might contain incomplete results, for example because a scannerl slave crashed due to resource exhaustion. Scanning involves dozens of virtual machines on shared infrastructure which are created and destroyed on the fly. Fingerprinting requires sending multiple packets to millions of hosts, each of which can get lost, time out, and so on.

Results might not be accurate for the following reasons:

Hosts might not answer because they are temporarily down. Network owners might be blocking our scanners. We also honor a blacklist of networks whose owners asked not to be scanned, so those networks are not scanned at all: to be precise, 6'861'752 IP addresses are excluded at their owners' request.

Therefore, other sources such as shodan.io or censys.io might provide different results.

Results

As of the writing of this blog post, we are performing many different scans. Recall that a fingerprinting scan must be preceded by a port scan, so most of these scans hit the same port and transport-layer protocol twice, once per scan type. The exception is the ICMP Ping scan, which operates at the network layer: it simply sends an echo request and expects an echo reply in return.

The first analysis presented here concerns ICMP Ping. This scan has the best chance of receiving an answer from hosts directly connected to the Internet, since ping is a widely available network debugging tool.
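The exchange behind the ping scan, as an added example that is not code from the article or from zmap: an echo request (type 8) with its RFC 1071 checksum, and the echo reply (type 0) a live host sends back. Because a full-Internet scan cannot keep state per target, the 16-bit identifier is derived from a per-scan secret and the target address, so a reply can be checked for belonging to our probe without a lookup table (zmap validates replies in a similar stateless way; the derivation used here is my own). No packets are sent; the reply is simulated, and the target is an RFC 5737 documentation address.

```python
"""Build, validate and match ICMP echo packets offline (added example, not the article's code)."""
import hashlib
import hmac
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
ICMP_HDR = "!BBHHH"   # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def probe_ident(secret: bytes, target_ip: str) -> int:
    """16-bit identifier bound to the target, so unsolicited replies can be rejected statelessly."""
    tag = hmac.new(secret, target_ip.encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big")


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    header = struct.pack(ICMP_HDR, ECHO_REQUEST, 0, 0, ident, seq)   # checksum field zero while summing
    csum = inet_checksum(header + payload)
    return struct.pack(ICMP_HDR, ECHO_REQUEST, 0, csum, ident, seq) + payload


def simulate_echo_reply(request: bytes) -> bytes:
    """What a live host does: type 8 becomes 0, id/seq/payload are echoed, checksum is recomputed."""
    ident, seq = struct.unpack(ICMP_HDR, request[:8])[3:]
    body = struct.pack(ICMP_HDR, ECHO_REPLY, 0, 0, ident, seq) + request[8:]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_echo_reply(packet: bytes, secret: bytes, target_ip: str, seq: int) -> dict:
    """Verify the checksum and decide whether the reply belongs to our probe of target_ip."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    icmp_type, code, _csum, ident, rseq = struct.unpack(ICMP_HDR, packet[:8])
    checksum_ok = inet_checksum(packet) == 0              # summing a correct packet yields zero
    ours = icmp_type == ECHO_REPLY and ident == probe_ident(secret, target_ip) and rseq == seq
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": checksum_ok,
        "matches_probe": checksum_ok and ours,
        "payload": packet[8:],
    }


# Constructed exchange: one probe to a documentation address, answered by the simulated host
SCAN_SECRET = b"per-scan-secret"
TARGET = "198.51.100.7"
REQUEST = build_echo_request(probe_ident(SCAN_SECRET, TARGET), 1, b"kudelski!")   # odd-length payload
REPLY = simulate_echo_reply(REQUEST)

if __name__ == "__main__":
    print(parse_echo_reply(REPLY, SCAN_SECRET, TARGET, 1))
```

Sending this on a real network needs a raw socket (`socket.SOCK_RAW` with `IPPROTO_ICMP`) and root privileges, which is exactly why the article's scans run from dedicated virtual machines rather than from an analyst's laptop.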

We have run this scan monthly since March 2017; the last scan was executed on the 16th of July. On that date we saw over 344 million IP addresses answering our echo requests; on average since we started, 365 million hosts respond to ping. Using MaxMind's GeoIP database, we enrich the IP addresses from our scans with geographical information such as longitude, latitude, country name, city name, or ASN (Autonomous System Number).

Figure 1 shows the five countries with the most responding IP addresses, plus Switzerland, and their evolution over time.

Fig. 1 Evolution of the top 5 countries + CH with the most ICMP Ping scan results

As expected, the country with the most hosts is the USA, with 82.4 million IP addresses on average. Apart from the drop in May and June 2018, the results are quite stable. We investigated the drop: it affects most of the countries and ASNs with the most results, which may indicate a problem on our side during those scans.
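The reasoning used to attribute that drop to the scanner rather than to the Internet can be turned into a routine check on the enriched results. A fall confined to one country or ASN may be real (an operator started blocking the scanner, a regional outage); a simultaneous fall across most of the largest populations points at the scanning infrastructure. The following is an added example, not code or data from the article: it takes per-scan, per-country counts of the kind that grouping GeoIP-enriched results produces, compares each scan with a leave-one-out median baseline so that a couple of bad months do not distort the baseline, and flags scans in which most of the top countries dropped together. The country codes and counts are constructed to resemble the shape of Figure 1; they are not the article's figures.

```python
"""Flag scans whose drop is correlated across the largest populations (added example)."""
from statistics import median
from typing import Dict, List

Counts = Dict[str, Dict[str, int]]   # scan label -> country code -> responding addresses

# Constructed monthly ping populations (not the article's data); May and June fall across the board,
# while July shows a drop confined to a single country.
SCANS: Counts = {
    "2018-03": {"US": 82_500_000, "CN": 40_100_000, "JP": 25_200_000, "DE": 20_000_000, "KR": 15_100_000, "CH": 1_500_000},
    "2018-04": {"US": 82_000_000, "CN": 40_300_000, "JP": 24_900_000, "DE": 20_200_000, "KR": 15_000_000, "CH": 1_500_000},
    "2018-05": {"US": 60_100_000, "CN": 30_000_000, "JP": 18_500_000, "DE": 19_900_000, "KR": 11_000_000, "CH": 1_100_000},
    "2018-06": {"US": 63_000_000, "CN": 31_000_000, "JP": 19_000_000, "DE": 15_000_000, "KR": 11_500_000, "CH": 1_200_000},
    "2018-07": {"US": 82_800_000, "CN": 28_000_000, "JP": 25_100_000, "DE": 20_100_000, "KR": 15_200_000, "CH": 1_500_000},
    "2018-08": {"US": 82_400_000, "CN": 40_000_000, "JP": 25_000_000, "DE": 20_300_000, "KR": 15_100_000, "CH": 1_600_000},
}


def baseline(series: Counts, country: str, exclude: str) -> float:
    """Median of a country's count over all scans except the one under test (leave-one-out)."""
    return median(c[country] for label, c in series.items() if label != exclude and country in c)


def top_countries(series: Counts, top_n: int) -> List[str]:
    """Countries ranked by their overall median count, largest first."""
    codes = {c for counts in series.values() for c in counts}
    return sorted(codes,
                  key=lambda c: median(counts[c] for counts in series.values() if c in counts),
                  reverse=True)[:top_n]


def flag_suspect_scans(series: Counts, top_n: int = 5, drop: float = 0.15, share: float = 0.6) -> Dict[str, List[str]]:
    """Return {scan: [countries more than `drop` below baseline]} for scans where at least
    `share` of the top_n countries fell together, i.e. a likely scanner-side problem."""
    countries = top_countries(series, top_n)
    suspect: Dict[str, List[str]] = {}
    for label, counts in series.items():
        dropped = [c for c in countries
                   if c in counts and counts[c] < (1 - drop) * baseline(series, c, label)]
        if len(dropped) >= share * len(countries):
            suspect[label] = dropped
    return suspect


if __name__ == "__main__":
    for scan, dropped in flag_suspect_scans(SCANS).items():
        print(scan, "suspect: correlated drop in", ", ".join(dropped))
```

The same function applied per ASN instead of per country is the more sensitive version of the check, since a single large network blocking the scanner shows up as one ASN collapsing while the rest stay flat.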