ZMap: Fast Internet-wide Scanning and Its Security Applications

Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet. We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high-speed Internet-scale network surveys, both offensive and defensive. We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year.
