The topic of his presentation was ZMap, a new generation framework for network scanning which has been designed to scan the entire Internet in a couple of hours.
The natural ancestor of ZMap is Nmap, which unfortunately is not scalable to very large networks such as the entire Internet. Indeed, building an Internet monitor with Nmap is unfeasible since it would require to deploy several nodes at different points of the Internet.
The main goal of ZMap is to provide a simple and efficient tool to easily and rapidly scan the Internet. Launching a complete scan is as simple as a single command line.
zmap -p 80 -o results.txt
This way, we could make the Internet safer. Also, researchers can finally run their experiments on the Internet and give more value to their results.
That said, how does ZMap allow you to do so?
ZMap has been designed with parallelism and performance in mind. First, it is completely stateless, which means that it does not maintain one status per connection. Second, it sends in parallel as many probes as the network allows to, in order to achieve the highest throughput possible. Probes are sent in a pseudo-random order, this way the probability to overload a single network is greatly reduced.
As ZMap is stateless, responses are processed only if and when they are received. Thanks to the values stored in some specific fields, it is possible to link a response to the original probe.
Some interesting facts on ZMap and network scanning
The authors of ZMap performed several experiments and came up with some interesting remarks:
- The total number of hosts discovered does not change if the scan rate (number of probes sent per second) is reduced or increased.
- Sometime even if a remote service is up and running, a packet could be dropped or lost. For this reason, if a response is not received within a predefined timeout, a new probe should be sent. They observed that 500ms can be considered as a good timeout for the entire Internet.
- Even for local network scanning, ZMap proved to be much more efficient than Nmap. ZMap can scan 1 million hosts in 11 seconds with a coverage of 100% and almost all the responses are received in 8.2 seconds.
Security concerns and ethical problems
ZMap is for sure a great tool and will probably be adopted by many researchers.
However, such a powerful Internet scanner could be used by hackers for malicious activities such as vulnerability detection and exploitation. For instance, with ZMap, detecting a Web Open Proxy would be extremely easy and anyone could obtain a comprehensive list of web open proxies in a few hours. The only thing an attacker needs is a powerful machine and a network with a high upload bandwidth. Nowadays, these requirements can be easily satisfied by launching a virtual machine in the cloud.
The existence of this tool proves also that the time window between the presence of a detection and its detection by hackers is getting shorter day by day. For this reason, it is important to properly secure your own infrastructure.
Furthermore, mechanisms to prevent ZMap from scanning a given network or a given machine should be put in place. It is obvious that with the possibility for everyone to easily scan the entire Internet, an ethical problem arises. For this reason, this tool should be used carefully without invading someone else’s privacy.
What is your opinion about this tool? Have you given it a try?