If you're on the IPv4 Internet, you really are in public now

October 28, 2013

Once upon a time it was possible to feel that your machines were somewhat private and obscure even if they had public IP(v4) addresses and were on the Internet. It wasn't quite true, but it was mostly true, because what scanning there was was haphazard, slow, and random. You might get poked sooner or later, especially for common things like SSH, but that was just background noise from people trying to get lucky.

The first clear and public cracks in this came last year with some anonymous researcher's Internet Census 2012, which used a massive botnet to scan the entire IPv4 address range. That showed that a mass scan was feasible but not that it was practical; even if you have one, a massive botnet is a valuable thing, generally too valuable to burn on scanning all of IPv4. But the Internet has a long tradition of scaling things up and making them faster, so along came zmap. Given a decent machine with a good Internet connection (its authors report sweeping a single port across all of IPv4 in under 45 minutes from one machine on a gigabit link), zmap will mass scan IPv4 in a feasible amount of time. That was nice (in a sense), but you could still tell yourself that it was basically an academic thing.

We're all wrong. Those days are very much over now:

@PaulM: Apparently many of you missed it. I took a screenshot of all unauthenticated VNC servers on IPv4. It took 16 minutes. results.survey.tx.ai

Let me repeat that: as a casual thing someone can now scan the entire IPv4 Internet and connect to every visible instance of something (with a reasonably complicated protocol). In sixteen minutes (well, allegedly).
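What "connect to every visible instance of something" amounts to for VNC, as an added example that is not part of the original post or of the survey it quotes: the code below decodes the RFB handshake just far enough to tell whether a server lists security type 1 (None), which is what "unauthenticated" means at the protocol level. The sample byte strings are constructed for illustration, and `probe()` is a hypothetical live version of the same check; only the parsing is exercised offline.

```python
"""Decode a VNC (RFB) server's opening handshake far enough to say whether it
offers connections with no authentication at all.  Added example written for
this page, not code from the post or from the survey it quotes.  Every byte
string in SAMPLES is constructed here, not captured from any real host."""
import re
import socket
import struct

# Security-type numbers from the RFB protocol specification.
SECURITY_INVALID = 0
SECURITY_NONE = 1
SECURITY_VNC_AUTH = 2

VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

# Constructed handshakes: (server ProtocolVersion, server security message).
SAMPLES = {
    "open-3.8": (b"RFB 003.008\n", b"\x02\x01\x02"),          # offers None and VNC auth
    "locked-3.8": (b"RFB 003.008\n", b"\x01\x02"),            # VNC auth only
    "open-3.3": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),      # single U32 type: None
    "refused-3.8": (b"RFB 003.008\n", b"\x00" + struct.pack(">I", 9) + b"too many "),
    "not-vnc": (b"HTTP/1.1 400 Bad Request\r\n", b""),
}


def parse_server_version(banner):
    """Return (major, minor) from the 12-byte ProtocolVersion message
    'RFB xxx.yyy\\n', or None if the bytes are not an RFB banner."""
    m = VERSION_RE.fullmatch(banner[:12])
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version, data):
    """Decode the security-type message that follows the version exchange.
    RFB 3.3 sends one U32 type (0 = connection failed); 3.7 and later send a
    U8 count followed by that many U8 types (count 0 = failed, then a U32
    length and a reason string).  Returns the offered types; [] means the
    server refused the connection."""
    major, minor = version
    if major == 3 and minor < 7:
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security-type field")
        (sectype,) = struct.unpack(">I", data[:4])
        return [] if sectype == SECURITY_INVALID else [sectype]
    if not data:
        raise ValueError("missing security-type count")
    count = data[0]
    if count == 0:
        return []
    if len(data) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(data[1:1 + count])


def classify(banner, security_msg):
    """Label a server from its two opening messages."""
    version = parse_server_version(banner)
    if version is None:
        return "not-rfb"
    types = parse_security_types(version, security_msg)
    if not types:
        return "refused"
    return "no-auth" if SECURITY_NONE in types else "auth-required"


def run_samples():
    """Classify every constructed sample; returns {name: label}."""
    return {name: classify(banner, msg) for name, (banner, msg) in SAMPLES.items()}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=5900, timeout=3.0):
    """Hypothetical live check: do the version exchange against host:port and
    return classify()'s label.  Nothing beyond the version reply is sent, so
    no session is opened and no framebuffer is requested."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        version = parse_server_version(banner)
        if version is None:
            return "not-rfb"
        major, minor = version
        # Reply with the highest version we decode that the server offers;
        # anything above 3.8 is treated as 3.8, 3.3-3.6 as 3.3.
        reply = 8 if (major > 3 or minor >= 8) else (7 if minor == 7 else 3)
        s.sendall(b"RFB 003.%03d\n" % reply)
        if reply == 3:
            msg = _recv_exact(s, 4)
        else:
            count = _recv_exact(s, 1)
            msg = count + (_recv_exact(s, count[0]) if count and count[0] else b"")
        return classify(banner, msg)


if __name__ == "__main__":
    for name, label in run_samples().items():
        print(f"{name:12s} {label}")
```

The point of structuring it this way is that the decision is made from the first two messages of the protocol: a scanner never has to log in, render a framebuffer, or otherwise do anything VNC-specific beyond answering the version string, which is why "every visible instance" is a cheap thing to enumerate. Pointing `probe()` at addresses you are not responsible for is the scanner's choice, not the example's.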

There is no hiding on the IPv4 Internet any more. There is no more obscurity. If you have something out there and someone is interested in finding all instances of it, they not merely can do so but they can do so trivially. They don't have to target you specifically; the IPv4 Internet is now a world of large-scale scanning that simply sweeps up absolutely everything.

The implications for the next security hole in anything that advertises itself in a banner, or that can merely be fingerprinted from a TCP conversation, are left as an exercise for the reader.

(These implications have always been there, but there has generally been a theoretical 'worst case' air to them. This is not theoretical any more; this is all too bluntly practical.)


Last modified: Mon Oct 28 23:22:38 2013