Dark Reading is part of the Informa Tech Division of Informa PLC



9/17/2013
09:42 AM

Fast Scanning To Fuel 'Golden Age' Of Global Flaw Finding

A network scanner that can survey the Internet in less than an hour will make it easier for research groups to expose vulnerabilities on the Internet

A network scanner designed from scratch by three University of Michigan researchers can scan the entire IPv4 Internet in about 45 minutes, drastically reducing the time such scans take.

Announced at last month's USENIX Security conference, the scanner, dubbed ZMap, combines a modular design that speeds up scanning, pseudo-random selection of IP addresses to avoid overwhelming small networks, and validation of responses by a separate system to verify the results. The researchers -- Zakir Durumeric, Eric Wustrow, and J. Alex Halderman -- used the scanner to track protocol use on the Internet, find systems vulnerable to an HTTPS weak-key flaw, and discover unadvertised services. Without fast scans of the Internet, many types of research would not be feasible, says Durumeric, a Ph.D. candidate in computer science at the University of Michigan.

"You can imagine that if you did your scans over three months and then did all the follow-up processing, the Internet could have grown, in terms of the use of certain protocols, by 10 percent," Durumeric says. "So you have a whole new degree of specificity."

The techniques combined to create ZMap are not all new, but they had not previously been brought together in a single program. In the same way that the Shodan service made the results of Internet scans more accessible, the ability to quickly perform customized scans of the Internet will likely result in a "golden age" of vulnerability scanning, says HD Moore, chief research officer for Rapid7, a vulnerability management firm. Rather than waiting days or weeks for scans to complete, researchers can do a lot more with fewer resources.

"It really shrinks the size of the Internet in a way that we couldn't do before," Moore says. "It's not big data anymore."

Network scanners were originally designed to scan small networks, keeping track of the current state of the scan as it progressed. However, when scanning a network the size of the Internet, the state data can grow too large for most systems, Durumeric says. To solve that problem, some scanning projects have broken their scans into batches, scanning a complete subnetwork before moving on to the next subnet. Yet, if the scan is done quickly, it can overwhelm the provider with requests.

[Researchers and attackers catalog vulnerable systems connected to the Internet, from videoconferencing systems set to auto-answer, to open point-of-sale servers, to poorly configured database systems. See Global Scans Reveal Internet's Insecurities In 2012.]

ZMap solves both problems by generating pseudo-random IP addresses with a method based on a multiplicative group of integers, so that each address appears only once. The work is split between a fast engine that generates and sends the packets and an asynchronous collector that receives the responses and logs the data. The state of each connection is not kept, Durumeric says. Instead, packets are matched by putting identifying data in the unused fields of the network packet.

"Really, each of these packets is the same except for where it goes, so we don't need to go through all these same validation steps," he says. "We just need to update a small amount of information and send it onto the next host."
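The two ideas described above, sketched as an added example that is not ZMap's own code and sends no traffic: stepping through a multiplicative group modulo a prime visits every address offset exactly once in scattered order with a single integer of state, and a keyed tag recomputed from a reply's source address replaces a per-host table. The function names, the smallest-prime choice and the HMAC-based tag are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def prime_factors(n):
    """Distinct prime factors by trial division (fine for demo sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def group_params(n):
    """Smallest prime p > n and a generator g of the group 1..p-1 mod p."""
    p = n + 1
    while prime_factors(p) != {p}:
        p += 1
    qs = prime_factors(p - 1)
    # g is a generator iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1
    g = next(g for g in range(1, p) if all(pow(g, (p - 1) // q, p) != 1 for q in qs))
    return p, g


def permuted_offsets(n, start=None):
    """Yield every offset 0..n-1 exactly once; the only state is one integer."""
    p, g = group_params(n)
    first = x = start or secrets.randbelow(p - 1) + 1
    while True:
        if x <= n:              # elements above n map to no address: skip
            yield x - 1
        x = x * g % p
        if x == first:
            return


def probe_tag(key, ip):
    """Value the sender embeds in a probe field for this destination (assumed HMAC)."""
    return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).digest()[:4]


def is_our_response(key, src_ip, echoed):
    """Collector: recompute the tag from the reply's source; no per-host table."""
    return hmac.compare_digest(probe_tag(key, src_ip), echoed)
```

For a 256-address range the group is the integers 1..256 modulo 257 with generator 3, so a walk starting at 1 begins at offsets 0, 2, 8, 26 rather than sweeping the range in order.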

While the three researchers from the University of Michigan have shortened the time it takes to do a scan, the bandwidth required to scan the entire Internet quickly will likely limit such projects to academic research groups and large corporations.

"When we say we are scanning at a gigabit speed, we are using an entire gigabit connection," he says. "Most home users have 1- or 2 megabytes."

Rapid7's HD Moore had already begun working with the University of Michigan on a large-scale study using scans to find websites, Internet-connected servers, and cloud services that link back to a business' domain to help companies find unknown or rogue assets. Certificates used with secure services, for example, include the domain of the certificate holder, providing a link that the researchers can connect back to the firm.

"They all point to identifying assets out there that you may not know belongs to your company," Moore says.

Looking for vulnerabilities is another fertile field. There is no shortage of vulnerable systems out there, Moore says. By using fast scanning to highlight the weaknesses before they can be exploited by attackers, the Internet benefits as a whole, he says. Many ISPs distribute poorly configured routers, and Rapid7 and Moore have already highlighted problems in universal plug-and-play devices, such as routers, as well as insecure video conferencing systems.

The net benefit of fast scanning should be that more vulnerabilities will be detected and eliminated because attackers have already been using botnets and other techniques to scan for vulnerable services in networks. The Carna botnet and the report on its scanning results showed the possibilities of illegal scanning projects. Attackers could adopt ZMap's techniques for scanning, but will not benefit from the technology as much as defenders, says Moore.

However, eventually the golden age of fast scanning will end. As IPv6 becomes increasingly deployed, scanning the entire network will become impossible. Even limiting scans to known assigned IPv6 addresses and using other information to attempt to identify hosts will not narrow the field much for researchers.

"With IPv6, if it's not a published entry somewhere, you are not going to find it," Moore says. "You have to send almost as much traffic to identify a single subnet as the entire IPv4 Internet. So the numbers are not going to work out."
