How to scan the entire Internet in less than one hour with ZMap


A couple of days ago, I had the chance to attend an amazing presentation at EURECOM, in Sophia Antipolis. The presentation was given by Zakir Durumeric, a PhD candidate at the University of Michigan.

The topic of his presentation was ZMap, a new-generation network scanning framework designed to scan the entire Internet in a couple of hours.

The natural ancestor of ZMap is Nmap, which unfortunately does not scale to very large networks such as the entire Internet. Indeed, building an Internet-wide monitor with Nmap is unfeasible, since it would require deploying several nodes at different points of the Internet.

The main goal of ZMap is to provide a simple and efficient tool to scan the Internet easily and rapidly. Launching a complete scan is as simple as a single command line:

zmap -p 80 -o results.txt

This way, we could make the Internet safer. Also, researchers can finally run their experiments on the Internet and give more value to their results.

That said, how does ZMap allow you to do so?

ZMap has been designed with parallelism and performance in mind. First, it is completely stateless, which means that it does not maintain any per-connection state. Second, it sends as many probes in parallel as the network allows, in order to achieve the highest possible throughput. Probes are sent in a pseudo-random order, which greatly reduces the probability of overloading a single destination network.

As ZMap is stateless, responses are processed only if and when they are received. Thanks to values that ZMap encodes in specific fields of each probe (for a TCP SYN scan, the source port and sequence number), a response can be linked to, and validated against, the original probe without keeping a connection table.
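A simplified model of the stateless design just described, added here as an illustration and not code from ZMap or from the original post: the probe fields are a keyed hash of the destination address, a reply is accepted only if its fields recompute correctly, and targets are visited by walking a multiplicative group so every host is probed once in a scattered order. The HMAC construction, the ephemeral port range, the constructed /24 and the small prime/generator pair (257, 3) are my own choices for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Iterator, Tuple

# Constructed per-scan secret; a stateless scanner derives one fresh key per scan.
SCAN_KEY = os.urandom(16)


def probe_fields(dst_ip: str, key: bytes = SCAN_KEY) -> Tuple[int, int]:
    """Return (source_port, seq_number) for the SYN that would be sent to dst_ip.

    Both are a keyed hash of the destination address, so nothing is stored per
    target: a reply is checked by recomputing the same values from its source.
    """
    tag = hmac.new(key, ipaddress.ip_address(dst_ip).packed, hashlib.sha256).digest()
    src_port = 32768 + struct.unpack(">H", tag[:2])[0] % 28232  # ephemeral port range
    seq = struct.unpack(">I", tag[2:6])[0]
    return src_port, seq


def is_valid_response(src_ip: str, dst_port: int, ack: int, key: bytes = SCAN_KEY) -> bool:
    """Accept a SYN-ACK only if its fields match the probe we would have sent to src_ip.

    A SYN-ACK acknowledges seq+1 (mod 2**32). Unsolicited, stale or forged packets
    fail this check and are dropped without any lookup in a connection table.
    """
    expected_port, expected_seq = probe_fields(src_ip, key)
    return dst_port == expected_port and ack == (expected_seq + 1) % (1 << 32)


def pseudo_random_order(network: str, prime: int, generator: int) -> Iterator[str]:
    """Yield every host of `network` exactly once, in a scattered order.

    Walks the multiplicative group mod `prime` (prime > host count, `generator`
    a primitive root), skipping values above the host count. No per-host state
    is kept, and consecutive probes hit addresses far apart, spreading the load.
    """
    net = ipaddress.ip_network(network)
    x = 1
    for _ in range(prime - 1):
        x = (x * generator) % prime
        if x <= net.num_addresses:
            yield str(net[x - 1])
```

Because the order is a group walk, the scanner only has to remember the current element and the key: two values instead of a table with one entry per probed host.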

Some interesting facts on ZMap and network scanning

The authors of ZMap performed several experiments and came up with some interesting remarks:

  • The total number of hosts discovered does not change when the scan rate (the number of probes sent per second) is reduced or increased.
  • Sometimes, even when a remote service is up and running, a packet can be dropped or lost. For this reason, if a response is not received within a predefined timeout, a new probe should be sent. They observed that 500ms can be considered a good timeout for the entire Internet.
  • Even for local network scanning, ZMap proved to be much more efficient than Nmap: it can scan 1 million hosts in 11 seconds with 100% coverage, and almost all responses are received within 8.2 seconds.

Security concerns and ethical problems

ZMap is for sure a great tool and will probably be adopted by many researchers.

However, such a powerful Internet scanner could also be used by hackers for malicious activities such as vulnerability detection and exploitation. For instance, with ZMap, detecting open web proxies would be extremely easy, and anyone could obtain a comprehensive list of them in a few hours. The only things an attacker needs are a powerful machine and a network with high upload bandwidth. Nowadays, these requirements are easily satisfied by launching a virtual machine in the cloud.

The existence of this tool also shows that the time window between the appearance of a vulnerability and its discovery by hackers is getting shorter day by day. For this reason, it is important to properly secure your own infrastructure.

Furthermore, mechanisms to prevent ZMap from scanning a given network or a given machine should be put in place. It is obvious that, once everyone can easily scan the entire Internet, an ethical problem arises. For this reason, this tool should be used carefully, without invading anyone else’s privacy.

What is your opinion about this tool? Have you given it a try?
