Wandering Thoughts archives


If you're on the IPv4 Internet, you really are in public now

Once upon a time it was possible to feel that your machines were somewhat private and obscure even if they had public IP(v4) addresses and were on the Internet. It wasn't quite true but it was mostly true because what scanning there was was haphazard and slow and random. You might get poked sooner or later, especially for common things like SSH, but that was just from background noise and people trying to get lucky.

The first clear and public cracks in this came last year with some anonymous researcher's Internet Census 2012, which used a massive botnet to scan the entire IPv4 address range. That showed that a mass scan was feasible but not that it was practical; even if you have one, a massive botnet is a valuable thing, generally too valuable to burn scanning all of IPv4. But the Internet has a long tradition of scaling things up and making them faster, so along came zmap. Given a decent machine with a good Internet connection, zmap will mass scan IPv4 in a feasible amount of time. That was nice (in a sense) but you could tell yourself that it was basically an academic thing.

We're all wrong. Those days are very much over now:

@PaulM: Apparently many of you missed it. I took a screenshot of all unauthenticated VNC servers on IPv4. It took 16 minutes. results.survey.tx.ai

Let me repeat that: as a casual thing someone can now scan the entire IPv4 Internet and connect to every visible instance of something (with a reasonably complicated protocol). In sixteen minutes (well, allegedly).

There is no hiding on the IPv4 Internet any more. There is no more obscurity. If you have something out there and someone is interested in finding all instances of it, they not merely can do so but they can do so trivially. They don't have to target you specifically; the IPv4 Internet is now a world of large-scale scanning that simply sweeps up absolutely everything.

Implications for the next security hole in something that advertises itself in a banner or even can be detected in a TCP conversation are left as an exercise for the reader.

(These implications have always been there, but there has generally been a theoretical 'worst case' air to them. This is not theoretical any more; this is all too bluntly practical.)

tech/NoMoreIPv4Hiding written at 23:22:38
