Internet-wide Scanning Taxonomy and Framework

David Myers1 Ernest Foo2 Kenneth Radke3

1 Email: d1.myers@connect.qut.edu.au

2Email: e.foo@qut.edu.au 3Email: k.radke@qut.edu.au

Abstract

Industrial control systems (ICS) have been mov-ing from dedicated communications to switched androuted corporate networks, making it probable thatthese devices are being exposed to the Internet. ManyICS have been designed with poor or little securityfeatures, making them vulnerable to potential at-tack. Recently, several tools have been developed thatcan scan the internet, including ZMap, Masscan andShodan. However, little in-depth analysis has beendone to compare these Internet-wide scanning tech-niques, and few Internet-wide scans have been con-ducted targeting ICS and protocols.

In this paper we present a Taxonomy of Internet-wide scanning with a comparison of three popular net-work scanning tools, and a framework for conductingInternet-wide scans.

Keywords: Internet-wide scanning, Taxonomy,Framework, Industrial Control Systems, Critical In-frastructure, SCADA, ZMap, Masscan, Shodan.

1 Introduction

With the exhaustion of the IPv4 address pool, andthe slow adoption of IPv6, researchers have the op-portunity to conduct Internet-wide surveys for re-search. In the past few years, there have been severalInternet-wide scans conducted by different organisa-tions worldwide. With recent advances in Internet-wide scanning tools, computational power, and net-work bandwidth, the required time to scan the IPv4address space has been dramatically reduced. It isnow possible to scan the entire public IPv4 Internetin as little as three minutes (Graham, 2013b). Severaltools currently exist which allow scans of the IPv4 in-ternet, including ZMap, Masscan, Unicornscan andShodan.

ICS have been moving from traditional serial com-munications to switched and routed corporate net-works, either directly connected through ethernet orthrough devices to enable serial to ethernet conver-sion. These ethernet networks allow for easy ac-cess, management and operation of the devices, how-ever connection to corporate networks can allow thedevices to be directly accessible from the Internet(Hoover, 2013).

Copyright c©2015, Australian Computer Society, Inc. This pa-per appeared at the 13th Australasian Information SecurityConference (AISC 2015), Sydney, Australia. Conferences inResearch and Practice in Information Technology (CRPIT),Vol. 161, Ian Welch and Xun Yi, Ed. Reproduction for aca-demic, not-for-profit purposes permitted provided this text isincluded.

However, there is currently no framework for con-ducing Internet-wide scans, no comparison betweencommonly used Internet-wide scanning techniqueshas been made, and few Internet-wide scans have beenconducted for Internet accessible ICS devices.

2 Background

The Electronic Frontier Foundation (EFF) EFF SSLObservatory project conducted an Internet-wide scanfor study (Electronic Frontier Foundation, 2014).From this dataset, the EFF were able to ask key ques-tions about the existing state of SSL Certificates onthe internet, including the number of trusted Certifi-cate Authorities (CAs), number of signers, and fre-quency of use. The EFF found there were a largeamount of weak and vulnerable certificates.

The Internet Census (2012) was a distributed scanof the IPv4 Internet using the Carna Botnet, whichinfected over 400,000 embedded devices (Anonymous,2012). Using the NMap Scripting Engine, the botnetwas designed to initially scan random addresses, at-tempt a telnet login, and upload a small binary toinfected devices which then was used to scan the In-ternet This distributed method of scanning the Inter-net dramatically reduced the time of the scan, frompotentially months to hours.

Mining your Ps and Qs was a distributed scan ofthe IPv4 Internet using the NMap network mappingtool; the largest network survey of TLS and SSHservers at the time. The goal of the project wasto search for TLS certificates with problems relatedto inadequate randomness upon generation (Heningeret al., 2012).

ZMap, created by a team from the Universityof Michigan (Durumeric et al., 2013), provides sev-eral improvements over traditional port-scanning pro-grams such as NMap, used duringthe EFF SSL Ob-servatory project, Internet Census, and the Miningyour Ps and Qs scans (Electronic Frontier Founda-tion, 2014; Anonymous, 2012; Heninger et al., 2012).The ZMap tool dramatically reduces the time of scan-ning from days to as little as 45 minutes (Durumericet al., 2013). In response to the release of ZMap, anew Internet-wide scanning tool Masscan was devel-oped, which further reduces the time of scanning theInternet to a theoretical 3 minutes (Graham, 2013b).The development of these two tools has made con-ducting an Internet-wide scan easier, cheaper andmore effective. Both ZMap and Masscan are toolsdesigned specifically for conducting scans of the In-ternet, and provide significant performance improve-ments compared to NMap, a tool built for intensivelocal network scanning.

In comparison to conducting Internet-wide scans,the Shodan project allows users to bypass conduct-

Proceedings of the 13th Australasian Information Security Conference (AISC 2015), Sydney,Australia, 27 - 30 January 2015

61

ing scans themselves, and use use information gath-ered from conducting ports scans and banner grab-bing to find information about specific target devices.Users search the Shodan database using an interac-tive web interface, and can search using queries de-signed to restrict searches to a type of device, port,or geographical location. Shodan captures informa-tion about many devices, including SCADA, ICS, IPcameras and routers (Shodan, 2014).

“KATSE” was a scanning system designed to scanthe nation of Finland to constantly search for ex-posed, Internet-connected ICS and analyse the sys-tems for possible vulnerabilities. KATSE, a severalcomponent scanning system, scanned devices whichwere found using Shodan (Tiilikainen, 2014).

The ZMap team at the University of Michigan re-leased in August, 2014, an analysis of traffic datasetreceived by a darknet over a 16 month period.Through the use of libpcap, the traffic was analysedand the team found that scans conducted targeting10% or more of the IPv4 address space did not useZMap or Masscan (Durumeric et al., 2014).

Existing research projects using Internet-widescanning and surveying methods have been conductedin the past few years. Several new methods of scan-ning the internet have been developed, dramaticallyreducing the time required to conduct a full Internet-wide scan.

However, limited global Internet-wide scans havebeen conducted specifically targeting ICS. Further-more, limited comparison between the new Internet-wide scanning methods have been conducted. Themajority of Internet-wide scans described have useddifferent methodologies and tools while conductingscans of the Internet, several developing their owntools to fulfil their research needs. Thus there is aneed to analyse and compare techniques through thedevelopment of a Taxonomy and develop a Frame-work for conducting Internet-wide scans. Addition-ally, there exists the potential to scan the Internet toview the current landscape of publicly available ICS,through scanning the public IPv4 Internet for indus-trial control system protocols.

3 Taxonomy of Internet Scanning Methods

Through our investigation of Internet-scanning toolsand previously conducted Internet-wide scans, wehave seen Zmap, Masscan and Unicornscan share alarge number of similarities. As such, we have dis-tilled the following categorical breakdown of the Tax-onomy of Scanning Methods. We have then comparedthe properties of ZMap, Masscan and Unicornscan us-ing our taxonomy, as shown in Table 1.

3.1 Scanning Method

We define Scanning Method in Internet-wides canningas the method used by the scanners to connect, checkport availability and disconnect from a target host.We categorise Scanning method into two categories:scanners which conduct SYN-scaning, and scannerswhich conduct complete 3-way handshakes.

Zmap utilises separate sending and receivingthreads for packet transmission, and uses SYN-scanning for sending packets (Durumeric et al., 2013).

Masscan makes use of SYN-scanning, and likeZMap and Unicornscan, uses separate sending andreceiving threads to transmit packets and receive re-sponses.

Unicornscan conducts a full three-way handshakewhile conducting a scan, and breaks down the process

of conducting scans into three processes. The mainprocess “Unicornscan” is used to control the scan andkeep track of packets,“unisend” which sends a SYNpacket to the scan target, and “unilisten”, which lis-tens for the SYN-ACK response, and sends informa-tion back to the master process “Unicornscan”.

3.2 Packet Transmission

We define Packet Transmission in Internet-wide scan-ning as the method used by the scanner to send andreceive packets. We categorise Packet Transmissionin to three categories: scanners which use the kernelTCP/IP stack, scanners which implement their ownself-contained “user-mode” TCP/IP stack, and scan-ners which bypass the TCP/IP stack completely.

ZMap generates and sends packets using a rawsocket at the Ethernet layer, which reduces kerneloverhead and bypasses the TCP/IP stack. By gen-erating and caching the Ethernet layer packet, ZMapprevents the Linux kernel from performing a rout-ing lookup, arpcache lookup, and netfilter checks foreach sent packet (Durumeric et al., 2013). Masscanuses a user self contained TCP stack, separate fromthe Linux kernel. In addition to this function, Mass-can makes use of a kernel module “PF RING” to im-prove packet transfer and capture speed. Unicorn-scan’s method has similarities to Masscan, using auser TCP stack outside of the kernel.

3.3 Randomisation

We define Randomisation as the ability of the scan-ning tool to generate a random permutation of theIPv4 address pool, preventing iterative scanning ofthe IPv4 address space.

Traditional network scanning tools, such as NMap,iteratively scan through a list of IP addresses. Dueto the methods new scanners use to generate packets,more traffic is generated and transmitted faster, re-ducing the time required to conduct an Internet-widescan. However, this results in the possible overloadof a destination network, potentially causing issuesto the normal operation of that network(Durumericet al., 2013).

ZMap uses a mathematic method for generating arandom permutation of the IPv4 address pool. Usingmodular mathematics, ZMap iterates over a multi-plicative group of integers, ensuring the scanner willreach all IPv4 addresses, with exception to the ad-dress 0.0.0.0, an IANA reserved address (Durumericet al., 2013). ZMap has recently been improvedby including parallelised generation of IP addressesover multiple cores, allowing faster address genera-tion (Adrian et al., 2014).

Masscan creates random permutations of the IPv4address pool using a custom cryptographic algorithm“Blackrock”, based on a Feistel network to encrypt anindex. The Blackrock encryption function is based onData Encryption Standard (DES) (Graham, 2013a).

ZMap and Masscan both have the ability to “seed”the randomisation element of the scans, allowing therandom permutation of IP addresses to be repeatable.

From using Unicornscan to perform restricted lo-cal network scans, we found Unicornscan does nothave a randomisation function, and scans iterativelythrough addresses in the specified network range.

3.4 Scan Distribution

We define Scan Distribution in Internet-wide scan-ning as the ability for the scanner to conduct dis-

CRPIT Volume 161 - Information Security 2015

62

tributed scans from multiple source hosts. We cate-gorise Scan Distribution into two categories: scannerswhich can conduct distributed scans, and scannerswhich cannot conduct distributed scans.

Both ZMap and Masscan have the ability to con-duct distributed scans of the Internet, and use theterm “Shard” to describe the distributed hosts. ZMapand Masscan have similar methods of conducting dis-tributed scans; first a “seed” is set to specify the samerandomised address permutation over all hosts, thenassign multiple IP addresses to scan from. Unicorn-scan does not have the ability to conduct a distributedscan from multiple hosts.

3.5 Blacklisting and Whitelisting

We define Blacklisting in Internet-wide scanning asa user created or edited list used to exclude IP ad-dresses from scans, resulting with any address listedin a blacklist not being scanned at any point. We de-fine Whitelisting in Internet-wide scanning as a usercreated or edited list used to specify a network rangeto scan, resulting in only that address or range ofaddresses being scanned.

We categorise Blacklisting and Whitelisting in tofour categories: scanners which can use blacklisting,scanners which can use whitelisting, scanners whichcan use both blacklisting and whitelisting, and fi-nally scanners which can use neither blacklisting orwhitelisting.

ZMap can use both blacklisting and whitelist-ing for Internet-wide scans (Durumeric et al., 2013).Masscan can use blacklisting in the form of an “ex-clude file”, but not whitelisting. Like ZMap, black-listing is configured through a configuration file, ac-cepting the same format as ZMap (Graham, 2013b).Unlike ZMap and Masscan, Unicornscan does not im-plement either blacklisting or whitelisting.

3.6 Modularity

We define modularity in Internet-wide scanning asthe scanner being extensible with internal or exter-nal modules, to increase the functionality of the scan-ner or provide some additional benefit. We categorisemodularity in to two categories: scanners which aremodular, and scanners which are not modular.

ZMap is a modular scanner, internally having aseries of extensible probe modules which can be cus-tomised for different types of probes and payloads,such as the UDP probe module (Durumeric et al.,2013). In addition to the internal probe modules,ZMap has output handlers which allow the scan re-sults to be pushed into external modules to provideadditional processing. Neither Masscan or Unicorn-scan have the ability to be extended with modules.

3.7 Scanning Speed

We define scanning speed in Internet-wide scanningas the speed it is theoretically possible to conduct anInternet-wide scan using a scanning tool. We cate-gorise scanning speed in to three categories: 1gigE,scanners which can theoretically scan up the limit of1gbps Ethernet Cards, and 10gigE, scanners whichcan theoretically scan up to the limit of 10gbps Eth-ernet Cards. These differences are determined on net-working

The receiving component of ZMap utilises libpcap,a library for capturing network traffic and filteringresults. ZMap can send packets close to the theoreti-cal limit of a 1gbps ethernet card, approximately 1.5

million packets-per-second (Mpps) (Durumeric et al.,2013). Recently, ZMap has been further developedand optimised, improving the performance of addressgeneration and “PF RING” resulting in the abilityto scan using a 10gbps network card, reaching simi-lar speeds to Masscan at 15Mpps to 25Mpps (Adrianet al., 2014).

Through the PF RING module, Masscan can useup to 10gbps Ethernet card to send packets at a max-imum of 15Mpps, or up to 25Mpps using a dual-port10gbps Ethernet card (Graham, 2013b).

Unicornscan uses a similar method of sendingpackets compared with Masscan, and additionallyuses the libpcap library for receiving network traffic.(Lee and Louis, 2005). Using the same library, Uni-cornscan would be able to send packets at the samerate as ZMap, at approximately 1.5Mpps over a 1gbpsEthernet card.

3.8 Speed Limiting

We define Speed Limiting in Internet-wide scanningas the ability to slow or limit a scan’s speed, in orderto conduct the scan slower if necessary. We categoriseSpeed Limiting in to four categories: limiting speedby rate of scan in packets per second (pps) or band-width (G,M,Kbps), limiting speed by duration of scan(seconds), limiting speed by number of results, andlimiting speed through a combination of methods.

ZMap has the ability to limit the speed of a scanby rate in packets per second (pps), by bandwidth inbits per second (G,M,Kbps), limit number of hostsand results, and by total time. Both Masscan andUnicornscan can limit the rate of the scan in packetsper second, however neither Masscan or Unicornscancan limit by amount of hosts, results, or time.

4 Internet-wide Scanning Framework

In this section, we present our framework for conduct-ing Internet-wide scans. We present our framework infour sections; a scan policy, a primary scan, secondaryscan, and scan analysis.

4.1 Scanning Policy

While developing the Internet-wide scanning toolZMap and conducting internet-wide scans as part ofresearch, the team at the University of Michigan de-veloped a list of seven recommended practices for fu-ture researchers to use as as guidelines for “GoodInternet Citizenship” (Durumeric et al., 2013). Wefollowed this list of recommended practices whereit was feasible while developing our policies. TheZMap team’s guidelines for “Good Internet Citizen-ship” were used as a base for implementing our twopolicies for ensuring all required parties are aware ofany Internet-wide scans.

We have defined a clear policy to be used for com-municating with internal groups at our ISP, ensuringall required groups are informed of the Internet-widescans.

1. Request Ethics approval where necessary.

2. Inform and Discuss the nature and extent of thescans with the ISP.

3. Coordinate network usage with the ISP to pre-vent any disruption to normal network operation.

4. Coordinate with the ISP to ensure any emailswill be received and processed by the scanningteam.

Proceedings of the 13th Australasian Information Security Conference (AISC 2015), Sydney,Australia, 27 - 30 January 2015

63

Properties ZMap Masscan UnicornscanScan Method SYN-scanning SYN-scanning 3-Way HandshakePacket Transmission Bypass Kernel User-mode TCP/IP User-mode TCP/IPRandomisation Uses Randomisation Uses Randomisation No RandomisationDistributed Scanning Can conduct Can conduct Can not conductBlack/Whitelisting Both Black & Whitelisting Blacklisting NeitherScanning Speed 1gigE (10gigE as of August, 2014) 10gigE 1gigESpeed Limiting Combination (Rate, Duration, Results) Rate of Scan (pps) Rate of Scan (pps)Modularity Is modular Is not modular Is not modular

Table 1: Comparison of ZMap, Masscan and Unicornscan using our Taxonomy of Internet Scanning Methods.

In addition to this policy for working with internalgroups, we have defined a clear policy for workingwith scan-traffic recipients to receive, and process anyrequests for information or requests to opt-out of anyfuture scanning activities.

1. Maintain a constant, clear contact point forreceiving any information or opt-out requests,through use of web pages, reverse-DNS and con-tact email.

2. Respond to information or opt-out requestspromptly after receiving the request, ensuring re-sponses are taken seriously.

3. Immediately add opt-out requests to an IP ad-dress blacklist for future scans, and update black-list as soon as possible.

4. Refine the address blacklist as needed if a repeatrequest is received.

4.2 Primary Scan

The Internet-wide scanning framework has two scan-ning stages, a primary scan and a secondary scan.The primary scan is conducted to find a broaderrange of hosts to be narrowed down by the secondaryscan. In the primary scan, an Internet-wide scanis conducted using ZMap, Masscan, or Unicornscan,against a port or ports necessary to obtain a range ofIP addresses for research. The main outcome of theprimary scan is a list of IP addresses to be used forthe secondary scans.

4.3 Secondary Scan

The Internet-wide scanning framework uses a sec-ondary scanning stage to further identify the initialhosts, in order to identify or gather more requiredinformation from the hosts. The secondary scan isconducted using the outcomes from the primary scanon a second port or ports which are used by com-mon services, that have the potential to identify thedevices. These services, when queried, can provideinformation or banners containing software versionsand device information such as device name and type.These ports include the web server port TCP/80,Simple Network Management Protocol (SNMP) portTCP/161, Telnet port TCP/23 and File Transfer Pro-tocol (FTP) port TCP/21. These protocols are com-monly used to interact with ICS devices, for manag-ing, accessign and uploading and downloading of filesto the devices. Using this list of ports, scanning a listof IP addresses can return banners and status of thedevice.

4.4 Scan Analysis

The Scan Analysis section of the framework is forgathering insight from the results gained from theprimary and secondary scans, such as statistical infor-mation, and geolocation information. Statistical in-formation can be gathered from using standard UNIXtools. ZMap, Masscan and Unicornscan output filesto multiple formats, and by default use a human read-able format for viewing files. Extensions to thesetools, such as banner grabbing modules, have the abil-ity to output to the human readable to ascii format.Using unix tools such as grep, wc, diff, and comm,information can be observed from the results; suchas how many IP addresses are in a range, and thenumber of times a server appears in a banner grab.

Our scan analysis stage uses geographical IP ad-dress information, retrieved from regional internetregistries (RIR). Geolocation software uses databasesof IP address data gathered from the RIR’s to allowusers of the software to search for geographic infor-mation related to an IP address, such as the approxi-mate geographical location (Fiori, 2014). The resultsobtained through conducting primary and secondaryscans can be processed through a GeoIP Server, andused as input to generate geographic maps of resultsto visually display scan results.

5 Discussion

While designing the Framework for Primary and Sec-ondary scans, we initially considered sending mes-sages to industrial control system protocols. Basedon the responses we receive from the messages, wecould quickly eliminate what devices were not ICS.However, this method of scanning would require us tocraft packets to send commands as a payload specif-ically designed for the the destination protocol. Ascan using this method of crafting packets could beconstrued as an attempted attack on the destinationsystem. In addition to the construed nature of thescan, it is possible that commands sent to a desti-nation industrial control system could potentially in-terrupt the function of the device. Due to possiblemisinterpretation of the messages, and the potentialof interrupting the function of the devices, we elim-inated this method of scanning as a possible way ofidentifying ICS. Instead, we designed the SecondaryScan as a method for identifying ICS without the useof specialised or crafted payloads.

Acknowledgements

This work was supported in part by Australian Re-search Council Linkage Grant LP120200246, Practi-cal Cyber Security for Next Generation Power Trans-mission Networks.

CRPIT Volume 161 - Information Security 2015

64

References

Adrian, D., Durumeric, Z., Singh, G. and Halderman,J. A. (2014), Zipper ZMap: Internet-Wide Scan-ning at 10Gbps, in ‘Proceedings of the 8th USENIXWorkshop on Offensive Technologies’.

Anonymous (2012), ‘Internet census 2012: Portscanning/0 using insecure embedded devices.’.URL: http:// internetcensus2012.bitbucket.org/paper.html

Durumeric, Z., Bailey, M. and Halderman, J. A.(2014), An Internet-Wide View of Internet-WideScanning, in ‘Proceedings of the 23rd USENIX Se-curity Symposium’.

Durumeric, Z., Wustrow, E. and Halderman, J. A.(2013), ZMap: Fast Internet-wide scanning and itssecurity applications, in ‘Proceedings of the 22ndUSENIX Security Symposium’.

Electronic Frontier Foundation (2014), ‘The EFF SSLObservatory’.URL: https://www.eff.org/observatory

Fiori, A. (2014), ‘freegeoip.net’.URL: http://freegeoip.net/

Graham, R. (2013a), ‘Masscan: designing my owncrypto’.URL: http:// blog.erratasec.com/ 2013/ 12/masscan-designing-my-own-crypto.html

Graham, R. (2013b), ‘Masscan: the entire internet in3 minutes’.URL: http:// blog.erratasec.com/ 2013/ 09/masscan-entire-internet-in-3-minutes.html

Heninger, N., Durumeric, Z., Wustrow, E. and Hal-derman, J. A. (2012), Mining Your Ps and Qs: De-tection of Widespread Weak Keys in Network De-vices, in ‘Proceedings of the 21st USENIX SecuritySymposium’.

Hoover, J. N. (2013), ‘Thousands of industrial controlsystems at risk: Dhs study’.URL: http://www.darkreading.com/risk-management/thousands-of-industrial-control-systems–at-risk-dhs-study/d/d-id/1108149?

Lee, R. and Louis, J. (2005), ‘Unicornscan - History,Background and Technical Details’, Presentation.

Shodan (2014), ‘man shodan’.URL: http:// www.shodanhq.com/ help

Tiilikainen, S. (2014), Improving the National Cyber-security by Finding Vulnerable Industrial ControlSystems from the Internet.

Proceedings of the 13th Australasian Information Security Conference (AISC 2015), Sydney,Australia, 27 - 30 January 2015

65