(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)
Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.
This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.
Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:
- We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
- We store the result of whether they have responded to ping or not (if they have made pong).
Here are some calculations:
How many IP addresses are there?
256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.
How much bandwidth is consumed by a ping?
- In our case we will consider as 58 bytes per ping.
- Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.
If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.
Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.
Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).
Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.
Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.
Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.
So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.
So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.
In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.
Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?