internet wide scanning and its measurement applications
play

Internet-Wide Scanning and its Measurement Applications Zakir - PowerPoint PPT Presentation

Mar 19, 2023 •622 likes •865 views

Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of Michigan RIPE 68 - Measurement, Analysis and Tools Working Group 15 May 2014 Golden Age of Internet Scanning As of the last year, it is now possible to scan

  1. Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of Michigan RIPE 68 - Measurement, Analysis and Tools Working Group 15 May 2014

  2. Golden Age of Internet Scanning As of the last year, it is now possible to scan the entire IPv4 address space in minutes thanks to ZMap and Masscan Measurement Golden Age: full IPv4 scanning available and IPv6 not widely deployed --- most services still available on IPv4 What can we learn using this global perspective? What can we do to help network operators? ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  3. ZMap: The Internet Scanner an open-source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage $ ¡sudo ¡apt-­‑get ¡install ¡zmap ¡ ¡ $ ¡zmap ¡–p ¡443 ¡–o ¡results.csv ¡ 34,132,693 ¡listening ¡hosts ¡ 97% of gigabit (took ¡44m12s) ¡ Ethernet linespeed ¡ ZMap: Fast Internet-Wide Scanning and its Security Applications (https://zmap.io) Zakir Durumeric, Eric Wustrow, and J. Alex Halderman | 22nd USENIX Security Symposium. ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  4. Ethics of Active Scanning Considerations Impossible to request permission from all owners No IP-level equivalent to robots exclusion standard Administrators may believe that they are under attack Reducing Scan Impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all requests to be excluded from future scans ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  5. Measurement Case Studies What can we learn using Internet-wide Internet scanning? 1. Widespread Weak Cryptographic Keys 2. Analysis of HTTPS Certificate Ecosystem 3. The Matter of Heartbleed ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  6. Mining Your Ps and Qs Detection of Widespread Weak Keys in Network Devices Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman Proceedings of the 21st USENIX Security Symposium, August 2012 RIPE 68 - Measurement, Analysis and Tools Working Group 15 May 2014

  7. Public Keys on the Internet Uncovering weak cryptographic keys and poor entropy collection We considered the cryptographic keys used by HTTPS and SSH HTTPS SSH Live Hosts 12,8 million 10,2 million Distinct RSA Public Keys 5,6 million 3,8 million Distinct DSA Public Keys 6.241 2,8 million There are many legitimate reason that hosts might share keys Hosting providers, large companies (e.g. Google) ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  8. Shared Cryptographic Keys Why are a large number of hosts sharing cryptographic keys? We find that 5.6% of TLS hosts and 9.6% of SSH hosts share keys in a vulnerable manner - Default certificates and keys - Apparent entropy problems What other, more serious, problems could be present if devices aren’t properly collecting entropy? ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  9. Factoring RSA Public Keys What else could go wrong if devices aren’t collecting entropy? RSA Public Key: n = p Ÿ q , p and q are two large random primes Most efficient known method of compromising an RSA key is to factor n back to p and q While n is difficult to factor, for N 1 = p Ÿ q 1 and N 2 = p Ÿ q 2 we can trivially compute p = GCD(N 1 , N 2 ) ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  10. Broken Cryptographic Keys Why are a large number of hosts sharing cryptographic keys? We find 2,134 distinct primes and compute the RSA private keys for 64,081 (0.50%) of TLS hosts Using a similar approach for DSA, we are able to compute the private keys for 105,728 (1.03%) of SSH hosts Compromised keys are generated by headless or embedded network devices Identified devices from > 40 manufacturers ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  11. Linux /dev/urandom ¡ Why are embedded systems generating broken keys? Nearly everything uses /dev/urandom Time of boot Keyboard /Mouse Input Pool Disk Access Timing Only happens if Input Pool contains more than 192 bits … Non-blocking Time of boot /dev/urandom ¡ Pool Problem 1: Embedded devices Problem 2: /dev/urandom can may lack all these sources take a long time to “warm up” ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  12. Typical Ubuntu Server Boot Why are embedded systems generating broken keys? Entropy first mixed into /dev/urandom Boot-Time Entropy Hole OpenSSH seeds /dev/urandom may be predictable from /dev/ for a period after boot. urandom ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  13. Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman Proceedings of the 13th Internet Measurement Conference ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  14. Rampant Certificate Authorities Daily scans found 88 million total certificates, 9.4 million browser trusted certificates over the last two years Identified 1,800 CA certificates 1 belonging to 683 organizations 0.9 0.8 All major roots are selling 0.7 Signed Certificates 0.6 intermediates to organizations 0.5 without any constraints 0.4 0.3 0.2 26% of sites are signed by Certificate Authorities 0.1 Root Certificates a single certificate! Intermediate Certificates 0 0 5 10 15 20 25 30 35 40 45 50 n most popular ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  15. Ignoring Foundational Principles What are authorities doing that puts the ecosystem at risk? We classically teach concepts such as defense in depth and the principle of least privilege We have methods of constraining what CAs can sign for, yet all but 7 of the 1,800 CA certs we found can sign for anything Lack of constraints allowed a rogue CA certificate in 2012, but in another case prevented 1,400 invalid certificates Almost 5% of certificates include local domains, e.g. localhost, mail, exchange ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  16. Cryptographic Reality What are authorities doing that puts the ecosystem at risk? 1 0.9 90% of certificates use a 0.8 2048 or 4096-bit RSA key Certificate Authorities 0.7 0.6 50% of certificates are 0.5 rooted in a 1024-bit key 0.4 More than 70% of these 0.3 roots will expire after 2016 0.2 0.1 NIST recommended end of 1024-bit key usage 0 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 Years until Expiration ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  17. Scans.IO Data Repository How do we share all this scan data? ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  18. The Matter of Heartbleed Zakir Durumeric, James Kasten, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Bernhard Amann, Jethro Beekman, Mathias Payer, Vern Paxson ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  19. Preventing the Spread of Misinformation https://zmap.io/heartbleed ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  20. Patching Observations 11% of servers remained 12 Alexa Top 1 Million Domains vulnerable after 48 hours 10 Public IPv4 Address Space Percentage of HTTPS Hosts 8 Patching plateaued at 4% 6 Only 10% of sites vulnerable 4 in our first scan replaced 2 0 their TLS certificates 0 0 0 0 0 0 0 0 0 0 0 4 4 4 4 4 4 4 4 4 4 4 / / / / / / / / / / / 0 0 1 1 1 1 1 2 2 2 2 7 9 1 3 5 7 9 1 3 5 7 15% of sites that replaced Heartbleed Vulnerable Hosts Date certificates used vulnerable cryptographic keys ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  21. Vulnerability Notifications We notified remaining ��� ��������������������������������� vulnerable organizations ������������������������������ �� �������������������������� after 2 weeks �� Statistically significant �� impact on patching �� �� Out of 59 human ����� ����� ����� ����� ����� ����� ����� ����� ����� ����� ������������� responses: 51 positive, 3 Impact of Notification neutral, 2 negative ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

  22. Conclusion Living in a unique period IPv4 can be quickly, exhaustively scanned IPv6 has not yet been widely deployed ZMap lowers barriers of entry for Internet-wide surveys Now possible to scan the entire IPv4 address space from one host in under 45 minutes with 98% coverage Explored three applications of high-speed scanning Ultimately hope that ZMap enables future research ZMap: Fast Internet-Wide Scanning and its Measurement Applications Zakir Durumeric

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides
ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University

ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University

Fast Internet-Wide Scanning ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan ZMap: Fast Internet-Wide Scanning and its Security Applications Internet-Wide Network Studies Previous

655 views • 32 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson Background IPv4 scanning - Zmap . 2 Background 2 128 addresses => 10 30 years to scan 32 nybbles (hex

518 views • 28 slides
Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University

Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University

Uncovering Cryptographic Failures with Internet-Wide Measurement Zakir Durumeric University of Michigan Who am I? My research focuses on measurement-driven security. Developing tools for researchers to better measure the

632 views • 49 slides
Internet measurement and the impact of big data Kenjiro Cho (IIJ/WIDE) Big Data everywhere

Internet measurement and the impact of big data Kenjiro Cho (IIJ/WIDE) Big Data everywhere

Internet measurement and the impact of big data Kenjiro Cho (IIJ/WIDE) Big Data everywhere Google's Chief Economist Hal Varian on Statistics The McKinsey Quarterly, January 2009 I keep saying the sexy job in the next ten years will be

260 views • 7 slides
Measurement Research to the Web Calamity's Rescue Gregory BLANC Internet Engineering Laboratory

Measurement Research to the Web Calamity's Rescue Gregory BLANC Internet Engineering Laboratory

Measurement Research to the Web Calamity's Rescue Gregory BLANC Internet Engineering Laboratory Nara Institute of Science Technology WIDE member 3rd CAIDA-WIDE-CASFI Measurement Workshop April 24-25, 2010, Osaka Sunday, April 25, 2010 What

417 views • 25 slides
Scanning (and some other no-tech hacking) Todays Class Scanning the Internet for research

Scanning (and some other no-tech hacking) Todays Class Scanning the Internet for research

Scanning (and some other no-tech hacking) Todays Class Scanning the Internet for research Scanning the Internet for research Other no-tech hacking Definitions: domain name: google.com unm.edu a registrable

542 views • 19 slides
solid inventory measurement Industrialised 3D surface scanning ALLISON Eng inventory measurement

solid inventory measurement Industrialised 3D surface scanning ALLISON Eng inventory measurement

ALLISON Eng inventory measurement Advances in bulk solid inventory measurement Industrialised 3D surface scanning ALLISON Eng inventory measurement 1. Allison Background 2. The Market 3. The Problem 4. Current Measurement Methods 5. New

527 views • 29 slides
An Internet measurement platform for the e-learning community Olivier.Fourmaux@upmc.fr

An Internet measurement platform for the e-learning community Olivier.Fourmaux@upmc.fr

An Internet measurement platform for the e-learning community Olivier.Fourmaux@upmc.fr Timur.Friedman@upmc.fr European research initiative Promotion of wide-scale federations testbed and experimentation facilities for Internet and network-

245 views • 22 slides
Measurement Activities at WIDE Kenjiro Cho IIJ/WIDE Project November 23 2009 WIDE Project

Measurement Activities at WIDE Kenjiro Cho IIJ/WIDE Project November 23 2009 WIDE Project

Measurement Activities at WIDE Kenjiro Cho IIJ/WIDE Project November 23 2009 WIDE Project WIDE: Widely Integrated Distributed Environment a research consortium in Japan since 1988 about 100 sponsor companies 40 universities 200

664 views • 28 slides
Wide-Area Internet Measurement at MIT: Data Collection and Analysis Nick Feamster, Dave Andersen,

Wide-Area Internet Measurement at MIT: Data Collection and Analysis Nick Feamster, Dave Andersen,

Wide-Area Internet Measurement at MIT: Data Collection and Analysis Nick Feamster, Dave Andersen, Hari Balakrishnan M.I.T. Laboratory for Computer Science {feamster,dga,hari}@lcs.mit.edu Collection: Infrastructure and Data Topology: 31 widely

284 views • 15 slides
Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic

Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic

Traffic Measurement Activities of the WIDE project Kenjiro Cho IIJ Research Lab traffic measurement and analysis in WIDE measurement activities across research groups broad perspectives - tracking long-term trends - analysis (with wide

415 views • 12 slides
Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement

Internet Atlas: A Geographical Database of the Physical Internet Active Internet Measurement Systems Workshop (AIMS) February 6-8, 2013 Ram Durairajan Computer Sciences University of Wisconsin Motivation rkrish@cs.wisc.edu 2

505 views • 33 slides
4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and

4. The Internet and the World Wide Web 4.1 History of the Internet 4.2 The World Wide Web and the Browser 4.3 What Browsers Can Do for Us 4.4 What is a Website? 4.5 Website Design 4.6 Other Creatures on the Web 4.7 Key Web Software

1.02k views • 97 slides
Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh |

Applications for Measurement: Improving Anonymity Online Rishab Nithyanand | Rachee Singh | Shinyoung Cho | Phillipa Gill Stony Brook University 1 Anonymity on the Internet Tor Network 2 Anonymity on the Internet Does not know the source

261 views • 15 slides
4. Searching the Web. Pagerank October 17, 2019 Slides by Marta Arias, Jos Luis Balczar,

4. Searching the Web. Pagerank October 17, 2019 Slides by Marta Arias, Jos Luis Balczar,

CAI: Cerca i Anlisi dInformaci Grau en Cincia i Enginyeria de Dades, UPC 4. Searching the Web. Pagerank October 17, 2019 Slides by Marta Arias, Jos Luis Balczar, Ramon Ferrer-i-Cancho, Ricard Gavald, Department of Computer

687 views • 43 slides
Content from the Web Other Cool Stuff Query processing Servers + Crawlers Content Analysis

Content from the Web Other Cool Stuff Query processing Servers + Crawlers Content Analysis

Class Overview Content from the Web Other Cool Stuff Query processing Servers + Crawlers Content Analysis Indexing Crawling Document Layer Network Layer A Closeup View Today 10/13 - Crawlers Search Engine Overview 10/15 DL

361 views • 11 slides
My Research CMSC 691 Spring 2016 2 Artificia Ar ificial l in intellig elligen ence ce

My Research CMSC 691 Spring 2016 2 Artificia Ar ificial l in intellig elligen ence ce

2/1/16 My Research CMSC 691 Spring 2016 2 Artificia Ar ificial l in intellig elligen ence ce How w to o get et comp computer ers s to o beh ehave e in intellig elligen ently? y? Rob obot otics ics Na

516 views • 5 slides
COMP 150: Probabilistic Robotics for Human-Robot Interaction Instructor: Jivko Sinapov

COMP 150: Probabilistic Robotics for Human-Robot Interaction Instructor: Jivko Sinapov

COMP 150: Probabilistic Robotics for Human-Robot Interaction Instructor: Jivko Sinapov www.cs.tufts.edu/~jsinapov Language Acquisition How would you describe this object? It is a small orange spray can My model of the word orange

897 views • 85 slides
FRI I C++ Primer Instructor: Justin Hart http://justinhart.net/teaching/2020_spring_cs309/

FRI I C++ Primer Instructor: Justin Hart http://justinhart.net/teaching/2020_spring_cs309/

CS 309: Autonomous Robots FRI I C++ Primer Instructor: Justin Hart http://justinhart.net/teaching/2020_spring_cs309/ Hello World! Exercises ex01 ex02 Code Objectives #include main() printf std::cout Compiling g++ make Hello World!

744 views • 37 slides
Marktoberdorf NATO Summer School 2016, Lecture 5 Assurance in the Internet of Things And for

Marktoberdorf NATO Summer School 2016, Lecture 5 Assurance in the Internet of Things And for

Marktoberdorf NATO Summer School 2016, Lecture 5 Assurance in the Internet of Things And for Automated Driving John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA Marktoberdorf 2016, Lecture 5 John Rushby,

511 views • 34 slides
Internet Engineering: Search Ali Kamandi Sharif University of Technology kamandi@ce.sharif.edu

Internet Engineering: Search Ali Kamandi Sharif University of Technology kamandi@ce.sharif.edu

Internet Engineering: Search Ali Kamandi Sharif University of Technology kamandi@ce.sharif.edu Spring 2007 Statistics In 1994, one of the first web search engines, the World Wide Web Worm (WWWW), had an index of 110,000 web pages and web

541 views • 40 slides
Machine Learning 2007: Slides 1 Instructor: Tim van Erven (Tim.van.Erven@cwi.nl) Website:

Machine Learning 2007: Slides 1 Instructor: Tim van Erven (Tim.van.Erven@cwi.nl) Website:

Machine Learning 2007: Slides 1 Instructor: Tim van Erven (Tim.van.Erven@cwi.nl) Website: www.cwi.nl/erven/teaching/0708/ml/ September 6, 2007 1 / 43 Overview Course Organisation Course Organisation Tentative Course Tentative Course

1.13k views • 64 slides

More recommend