Re: Hunting Botnets with ZMap

TrevorP

Fascinating article

As most hosts (using IPv4) are NAT'ed behind their ISP, I suppose you can only really get the ISP to take the next step and inform the IP address owner that they are infected?

Would IPv6 help?


HeadlessZeke

Thanks for the question!

Since this project is still really in its infancy, we haven't decided what the best course of action would be as far as what to do about infected/malicious hosts that we find, though a couple of good ideas have been floated around.

And as for IPv6, while that would definitely solve the NAT'ing problem, it has two big problems of its own. The first is adoption. While IPv6 support is getting pretty good now and the number of devices using it is growing, it's nowhere near universal enough to give us any improvement over the numbers we're getting now. The second problem is time. If it takes hours or even minutes to scan the entire IPv4 address space, we would all be long gone before a single IPv6 scan finished. Of course, this is a very naive estimate, and I don't think we would need to hit *every* address, but still.

Anyways, keep the ideas coming!

martin schmitt

It would be great if this information were fed into the ThreatLinQ-World Map. Is this planned, or would it be possible?

HeadlessZeke

That's a good idea! I'll look into it.

Franz Gleichmann

Hi,

I spontaneously had an idea to scan IPv6 networks (and IPv4 networks more efficiently).

As you previously stated, not every address has to be scanned.

The question is: how do we get those that need to be scanned?

My thought: an "anti-botnet" of volunteers who provide a portion of their processing power and bandwidth to the cause of fighting botnets. They simply send known IP addresses to a scanning host (known addresses could be addresses the volunteers have connected to themselves, or simply captured somewhere).

Yes, that would obviously be a big (huge (gigantic)) privacy problem, but that could be resolved by simply anonymously forwarding the IP over a random number of peers before feeding it to the "scanning host". Therefore, no one would know where the IP came from (except perhaps someone listening on the last mile, but if there's a sniffer there, he'd know the IP anyway).

So we'd have a constant stream of IPs that are known to be online from a decentralised source, which could be decentrally scanned, and the resulting data (which IPs are infected) then pushed to a central information hub.

I bet the whole thing has several flaws, but I just wanted to share my idea with you, possibly just as food for thought.

Anyway, great idea with your initial scan. Keep it up :)
