Sunday, May 29, 2016

Feedly:Errata Security. Doing a 'full scan' of the Internet right now



from Errata Security

So I'm doing a "full" scan of the Internet, all TCP ports 0-65535 on all addresses. This explains the odd stuff you see from 209.126.230.7x.


I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.
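The per-address threshold point above, as an added example that is not part of the original post: a small detector over constructed firewall log lines (the line format, the /24 aggregation and the threshold values are assumptions) shows how counting probes per source address misses a scan spread over four addresses, while counting per source prefix catches it.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample lines in an assumed format (not a real IDS log): one SYN per line,
# 40 probes spread over four addresses in one /24, plus one unrelated SYN.
SAMPLE_LOG = [
    f"2016-05-29T12:00:00 SYN src=209.126.230.7{i % 4} dst=198.51.100.{i % 5} dport={i * 997 % 65536}"
    for i in range(40)
] + ["2016-05-29T12:00:00 SYN src=203.0.113.9 dst=198.51.100.1 dport=443"]

LINE_RE = re.compile(r"SYN src=(\S+) dst=(\S+) dport=(\d+)")


def parse_probes(lines):
    """Return (src, dst, dport) tuples for SYN lines; lines that do not match are ignored."""
    probes = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            probes.append((m.group(1), m.group(2), int(m.group(3))))
    return probes


def scan_alerts(probes, per_source_threshold=15, per_prefix_threshold=30, prefix_len=24):
    """Count distinct (dst, dport) targets per source address and per source prefix.

    Returns two dicts of offenders: {src: target_count} and {prefix: target_count}.
    The thresholds are illustrative assumptions, not values from the post.
    """
    by_src = defaultdict(set)
    by_prefix = defaultdict(set)
    for src, dst, dport in probes:
        by_src[src].add((dst, dport))
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[str(net)].add((dst, dport))
    src_alerts = {s: len(t) for s, t in by_src.items() if len(t) >= per_source_threshold}
    prefix_alerts = {p: len(t) for p, t in by_prefix.items() if len(t) >= per_prefix_threshold}
    return src_alerts, prefix_alerts


if __name__ == "__main__":
    src_alerts, prefix_alerts = scan_alerts(parse_probes(SAMPLE_LOG))
    print("per-source alerts:", src_alerts)      # {} : each address stays under threshold
    print("per-prefix alerts:", prefix_alerts)   # {'209.126.230.0/24': 40}
```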

This scan won't finish at this speed, of course; it won't even get close. Technically, it'd take 50 years to complete at this rate.

The point isn't to create a comprehensive scan, but to do a sampling scan. I'll let it run a week like this, which will get 0.1% of the Internet, and then stop the scan.

What am I looking for? I don't know. I'm just doing something weird in order to see what happens. With that said, I am testing any port I connect to with Heartbleed. This should give us an estimate of how many Internet-of-Things devices are still vulnerable to that bug. I'm also interested to see how many things allow connections to port 0.

I'm also interested in seeing those devices/firewalls that respond with a SYN-ACK to any SYN. That's why, in the above picture, the "found" count is so high. I haven't actually found many real things, but it looks like it because these devices send SYN-ACKs without actually establishing TCP connections.

Anyway, send me a tweet @erratarob with information on how you perceive this incoming scan. Are your firewall and IDS handling it well, or do you have messed-up configurations/policies where this causes more noise/concern than is warranted?