zmap
play

ZMap and its Security Applications Zakir Durumeric Eric Wustrow - PowerPoint PPT Presentation

Feb 05, 2023 •318 likes •655 views

Fast Internet-Wide Scanning ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan ZMap: Fast Internet-Wide Scanning and its Security Applications Internet-Wide Network Studies Previous

  1. Fast Internet-Wide Scanning ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan ZMap: Fast Internet-Wide Scanning and its Security Applications

  2. Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining Ps and Qs: Widespread weak keys in network devices (2012) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) Census and Survey of the Visible Internet (2008) ZMap: Fast Internet-Wide Scanning and its Security Applications

  3. Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining Ps and Qs: Widespread weak keys in network devices (2012) 25 hours acoss 25 Amazon EC2 Instances (625 CPU-hours) EFF SSL Observatory: A glimpse at the CA ecosystem (2010) 3 months on 3 Linux desktop machines (6500 CPU-hours) Census and Survey of the Visible Internet (2008) 3 months to complete ICMP census (2200 CPU-hours) ZMap: Fast Internet-Wide Scanning and its Security Applications

  4. ZMap: Fast Internet-Wide Scanning and its Security Applications

  5. ZMap: Fast Internet-Wide Scanning and its Security Applications

  6. What if…? What if Internet surveys didn’t require heroic effort? What if we could scan the HTTPS ecosystem every day? What if we wrote a whole-Internet scanner from scratch? ZMap: Fast Internet-Wide Scanning and its Security Applications

  7. Introducing ZMap an open-source tool that can port scan the entire IPv4 address space from just one machine in under 45 minutes with 98% coverage With Zmap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ zmap –p 443 –o results.txt 34,132,693 listening hosts 97% of gigabit (took 44m12s) Ethernet linespeed ZMap: Fast Internet-Wide Scanning and its Security Applications

  8. Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship ZMap: Fast Internet-Wide Scanning and its Security Applications

  9. ZMap Architecture Existing Network Scanners ZMap Reduce state by scanning in batches Eliminate local per-connection state - Time lost due to blocking - Fully asynchronous components - Results lost due to timeouts - No blocking except for network Track individual hosts and retransmit Shotgun Scanning Approach - Most hosts will not respond - Always send n probes per host Avoid flooding through timing Scan widely dispersed targets - Time lost waiting - Send as fast as network allows Utilize existing OS network stack Probe-optimized Network Stack - Not optimized for immense - Bypass inefficiencies by number of connections generating Ethernet frames ZMap: Fast Internet-Wide Scanning and its Security Applications

  10. Addressing Probes How do we randomly scan addresses without excessive state? 1. Scan hosts according to random permutation 2. Iterate over multiplicative group of integers modulo p 5  5 mod 7 = 4 5 4 Negligible State 4  5 mod 7 = 6 1  5 mod 7 = 5 1. Primitive Root 6 1 2. Current Location 3. First Address 3  5 mod 7 = 1 6  5 mod 7 = 2 3 2 2  5 mod 7 = 3 ZMap: Fast Internet-Wide Scanning and its Security Applications

  11. Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver sender Ethernet length data MAC address MAC address sender receiver IP V IHL … data IP address IP address sender receiver sequence ack. TCP … data port port number number ZMap: Fast Internet-Wide Scanning and its Security Applications

  12. Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver sender Ethernet length data MAC address MAC address sender receiver IP V IHL … data IP address IP address sender receiver sequence ack. TCP … data port port number number ZMap: Fast Internet-Wide Scanning and its Security Applications

  13. Validating Responses How do we validate responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses receiver sender Ethernet length data MAC address MAC address sender receiver IP V IHL … data IP address IP address sender receiver sequence ack. TCP … data port port number number ZMap: Fast Internet-Wide Scanning and its Security Applications

  14. Packet Transmission and Receipt How do we make processing probes easy and fast? 1. ZMap framework handles the hard work 2 . Probe modules fill in packet details, interpret responses 3. Output modules allow follow-up or further processing Configuration, Probe Packet Tx Addressing, Generation (raw socket) and Timing Output Response Packet Rx Handler Interpretation (libpcap) ZMap: Fast Internet-Wide Scanning and its Security Applications

  15. Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship ZMap: Fast Internet-Wide Scanning and its Security Applications

  16. Scan Rate How fast is too fast? No correlation between hit-rate and scan-rate. Slower scanning does not reveal additional hosts. ZMap: Fast Internet-Wide Scanning and its Security Applications

  17. Coverage Is one probe packet sufficient? We expect an eventual plateau in responsive hosts, regardless of additional probes. Scan Coverage Estimated 1 Packet: 97.9% Ground Truth 2 Packets: 98.8% 3 Packets: 99.4% ZMap: Fast Internet-Wide Scanning and its Security Applications

  18. Comparison with Nmap Averages for scanning 1 million random hosts Normalized Duration Est. Internet Coverage (mm:ss) Wide Scan Nmap (1 probe) 81.4% 24:12 62.5 days Nmap (2 probes) 97.8% 45:03 116.3 days ZMap (1 probe) 98.7% 00:10 1:09:35 ZMap (2 probes) 100.0% 00:11 2:12:35 ZMap is capable of scanning more than 1300 times faster than the most aggressive Nmap default configuration (“insane”) Surprisingly, ZMap also finds more results than Nmap ZMap: Fast Internet-Wide Scanning and its Security Applications

  19. Probe Response Times Why does ZMap find more hosts than Nmap? Response Times 500 ms 250 ms: < 85% timeout 500 ms: 98.2% 250 ms timeout 1.0 s: 99.0% 8.2 s: 99.9% Statelessness leads to both higher performance and increased coverage. ZMap: Fast Internet-Wide Scanning and its Security Applications

  20. Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship ZMap: Fast Internet-Wide Scanning and its Security Applications

  21. Visibility into Distributed Systems Gaining near real-time perspective into the CA ecosystem ZMap enables us to scan the public HTTPS Ecosystem every day libevent2 ZMap Custom SYN Scan Processing OpenSSL Completed 110 scans of the HTTPS ecosystem in the last year We collected more than 42 million unique certificates of which 6.9 million were browser trusted . Identified 2 sets of misissued CA certificates. ZMap: Fast Internet-Wide Scanning and its Security Applications

  22. Tracking Protocol Adoption Examining the growth in global HTTPS adoption June 2012–May 2013 10%  HTTPS servers. 23%  Use on Alexa Top-1M sites. 11%  Browser-trusted certificates. ZMap: Fast Internet-Wide Scanning and its Security Applications

  23. Enumerating Vulnerable Hosts Discovering UPnP Vulnerabilities En Masse HD Moore disclosed vulnerabilities in several common UPnP frameworks in January 2013. Under 6 hours to code and run UPnP discovery scan. Custom probe module, 150 SLOC. We found that 3.34 M of 15.7 M devices were vulnerable. Compromise possible with a single UDP packet! ZMap: Fast Internet-Wide Scanning and its Security Applications

  24. Uncovering Hidden Services Enumerating Unadvertised Tor Bridges Scanning has potential to uncover unadvertised services We perform a Tor handshake with public IPv4 addresses on port 9001 and 443 We identified 86% of live allocated bridges with a single scan Tor has developed obfsproxy that listens on random ports to count this type of attack ZMap: Fast Internet-Wide Scanning and its Security Applications

  25. Further ZMap Potential Further Potential Applications Detect Service Disruptions Track Adoption of Defenses Study Criminal Behavior Other Security Implications Anonymous Communication Track users between IP leases Snapshot of HTTPS outages caused by Hurricane Sandy ZMap: Fast Internet-Wide Scanning and its Security Applications

  26. Talk Roadmap 1. Philosophy and Architecture of ZMap 2. Characterizing ZMap's Performance 3. Applications of High Speed Scanning 4. Scanning and Good Internet Citizenship ZMap: Fast Internet-Wide Scanning and its Security Applications

  27. Ethics of Active Scanning Considerations Impossible to request permission from all owners No IP-level equivalent to robots exclusion standard Administrators may believe that they are under attack Reducing Scan Impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all requests to be excluded from future scans ZMap: Fast Internet-Wide Scanning and its Security Applications

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release

Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release

Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release We release ZMap, an open source network scanner capable of scanning IPv4 on one port in 45 minutes. Internet-Wide Scan Data Repository 2014 We

409 views • 10 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware Domains at the Upper DNS Hierarchy -M.Antonakakis et. al 2. ZMap: Fast Internet-wide Scanning and Its Security Applications -Z. Durumeric et. al 2

1.17k views • 89 slides
Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson Background IPv4 scanning - Zmap . 2 Background 2 128 addresses =&gt; 10 30 years to scan 32 nybbles (hex

518 views • 28 slides
Scanning 35mm Slides Saving the images before they fade away forever! What are 35mm Slides?

Scanning 35mm Slides Saving the images before they fade away forever! What are 35mm Slides?

Scanning 35mm Slides Saving the images before they fade away forever! What are 35mm Slides? Small pieces of 1.375 x .875 inches of film Not negative but positive Encased in a 2 inch piece of plastic or cardboard Used

624 views • 26 slides
Scanning for patterns (aka convolutional networks) Bhiksha Raj 1 Story so far MLPs are

Scanning for patterns (aka convolutional networks) Bhiksha Raj 1 Story so far MLPs are

Deep Neural Networks Scanning for patterns (aka convolutional networks) Bhiksha Raj 1 Story so far MLPs are universal function approximators Boolean functions, classifiers, and regressions MLPs can be trained through variations of

2.04k views • 181 slides
Theron Ji Eric Kim Raji Srikantan Alan Tsai Arel Cordero David Wagner UC Berkeley

Theron Ji Eric Kim Raji Srikantan Alan Tsai Arel Cordero David Wagner UC Berkeley

Theron Ji Eric Kim Raji Srikantan Alan Tsai Arel Cordero David Wagner UC Berkeley Widely used in todays elections Voters indicate choices by marking voting targets Scanner tabulates votes by detecting marks

442 views • 32 slides
Scanning 35mm Slides This workstation includes a large-format scanner; it can be used to scan

Scanning 35mm Slides This workstation includes a large-format scanner; it can be used to scan

Scanning 35mm Slides https://courses.ucsf.edu/pluginfile.php/135941/mod_resource/co... Scanning 35mm Slides This workstation includes a large-format scanner; it can be used to scan reflective documents (e.g. photographs, large printed works) as

239 views • 5 slides
Parallel Scanning Marc Moreno Maza University of Western Ontario, London, Ontario (Canada)

Parallel Scanning Marc Moreno Maza University of Western Ontario, London, Ontario (Canada)

Parallel Scanning Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS2101 Plan 1 Problem Statement and Applications 2 Algorithms 3 Applications 4 Implementation in Julia Problem Statement and Applications Plan 1 Problem

489 views • 32 slides
Self-Driving Database Management System In-Memory Autonomous Open-Source Rewrote storage +

Self-Driving Database Management System In-Memory Autonomous Open-Source Rewrote storage +

Self-Driving Database Management System In-Memory Autonomous Open-Source Rewrote storage + query execution. 2015 Kept Postgres frontend. Replaced Postgres frontend. 2016 Cobbled together replacements. Rewriting Postgres replacements.

121 views • 11 slides
Lotus Domino: Penetra0on Through the Controller Alexey Sintsov

Lotus Domino: Penetra0on Through the Controller Alexey Sintsov

Invest in security to secure investments Lotus Domino: Penetra0on Through the Controller Alexey Sintsov #whoami Pen-tester at ERPscan Company Job

691 views • 44 slides
4.1 3D Scanning Hao Li http://cs599.hao-li.com 1 Administrative Exercise 2: this

4.1 3D Scanning Hao Li http://cs599.hao-li.com 1 Administrative Exercise 2: this

Spring 2014 CSCI 599: Digital Geometry Processing 4.1 3D Scanning Hao Li http://cs599.hao-li.com 1 Administrative Exercise 2: this thursday after surface registration My first office hours later from 2pm to 4pm 2 2D Imaging

857 views • 72 slides
AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research Institute) Joint with Aziz Mohaisen (VeriSign Labs) Overview Introduction to problem Evaluation metrics Dataset gathering and use

651 views • 22 slides
PARALLEL PATTERNS REDUCE &amp; SCAN 2 6/16/2010 Parallel

PARALLEL PATTERNS REDUCE &amp; SCAN 2 6/16/2010 Parallel

1 6/16/2010 Parallel Pa7erns - Reduce &amp; Scan PARALLEL PATTERNS REDUCE &amp; SCAN 2 6/16/2010 Parallel Pa7erns - Reduce &amp; Scan

665 views • 34 slides
File class in Java Programmers refer to input/output as &quot;I/O&quot;. Input is received

File class in Java Programmers refer to input/output as &quot;I/O&quot;. Input is received

File class in Java Programmers refer to input/output as &quot;I/O&quot;. Input is received from the keyboard, mouse, files. output is sent to the console, monitor, files, File Input and Output The File class represents files as

204 views • 8 slides
Objectives Fault modeling and simulation Test generation

Objectives Fault modeling and simulation Test generation

Objectives Fault modeling and simulation Test generation Automatic-test-pattern-generation Built-in-self-test BIST architecture Scan and boundary scan Scan chains Digital scan standard Digital system

617 views • 37 slides
Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey , Matthew Bernhard , Elie Bursztein Jaime Cochran , Zakir Durumeric , J. Alex Halderman , Luca Invernizzi Michalis Kallitsis ,

709 views • 35 slides
Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Bruce Merry Definition and Applications Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms Bruce Merry Kogge-Stone Brent-Kung GPU Strategies Department of Computer Science,

1.13k views • 88 slides
Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System

Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System

SRI System Design Laboratory Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System Design Laboratory SRI International e-mail: bruno@sdl.sri.com 1 SRI System Design Laboratory Scan Scheduling Scan

267 views • 11 slides
BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University

BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University

BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University of Wisconsin-Madison Motivation - Example TPC-H Query 6 SELECT SUM(l_extendedprice * l_discount) FROM lineitem WHERE l_shipdate BETWEEN Date

861 views • 82 slides
District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan

District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan

District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan Minnesota Department of Education 5/17/2019 MDE introduction and context Agenda 1. Welcome and introductions 2. Overview of REL Midwest 3.

1.03k views • 68 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by

Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by

NCH NCHRP 2 P 20-68A 68A US Do Domes estic S Scan P Program Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by Surface Transportation Agencies Findings, Conclusions and Recommendations

315 views • 17 slides
Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R.

Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R.

Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R. Ajvazyan, H. Elbakyan, L. Gevorgian, V. Kakoyan Yerevan Physics Institute, Armenia J. Annand Department of Physics and Astronomy, University of

475 views • 21 slides

More recommend