In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

Grafically:

We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Grafically:

We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Grafically:

Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

• We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
• We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

• In our case we will consider as 58 bytes per ping.
• Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?