Berkeley CSUA MOTD:Entry 54630
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/04/04 [General] UID:1000 Activity:popular
4/4     

2013/3/19-5/5 [Computer/Networking] UID:54630 Activity:nil
3/18    This is really quite amazing:
        http://internetcensus2012.bitbucket.org/paper.html
        \_ Is there no speculation about what these devices might be?
        \_ Is my Android ICS phone susceptible to this?
2025/04/04 [General] UID:1000 Activity:popular
4/4     

You may also be interested in these entries...
2009/11/4-17 [Computer/SW/P2P, Computer/Networking, Computer/SW/Security] UID:53495 Activity:nil
11/4    Holy cow, I got a warning from my ISP that they were notified
        by BSA/baytsp.com that I was copying music/video/software.
        Do they do port scan or something? That's a first for me.
        \_ They hang out on P2P networks and track IP addresses.  -tom
           \_ I believe they are paid by content providers to perform this
              monitoring service, so you should only run this risk with content
	...
2008/11/7-13 [Computer/Networking] UID:51876 Activity:low
11/7    Need help on http proxy. After I VPN to work, I'd like to tunnel
        all the traffic to my machine. How do I setup my machine (Linux)
        as a proxy server so that my home computers can route through it?
        I'm asking because the site we're testing on requires that we
        come from the same IP. If I use VPN, the server will reject me
        based on the fact that it's a different IP than my work Linux.
	...
2008/8/5-10 [Computer/Networking] UID:50788 Activity:nil
8/5     It looks like my company has started blocking HTTPS tunneling.
        I used to do this by tunneling SSH through the HTTP/HTTPS proxy
        server, but this seems to have stopped working. Does anyone know
        how the implementation of tunneling detection works, and whether
        there are widely available implementations? We run a bunch of MS
        stuff, so I imagine we're running an MS proxy server or something.
	...
2007/8/9-13 [Computer/Networking] UID:47570 Activity:low
8/9     Is there an automated way to change the IP of an XP machine? I have
        tests that need to get run on two separate sub-nets that now require
        me to physically go in and change the IP address of the test box.
        Cygwin is also installed if that helps any. Thanks
        \_ There are a few sort of hackey ways to do it:
           1) automate the mouse clicks and key strokes witto do it:
	...
2007/6/28-7/2 [Computer/Networking] UID:47104 Activity:nil
6/28    what?
        We are deeply, deeply sorry to say that due to licensing constraints,
        we can no longer allow access to Pandora for most listeners located
        outside of the U.S. We will continue to work diligently to realize
        the vision of a truly global Pandora, but for the time being we are
        required to restrict its use. We are very sad to have to do this, but
	...
2007/4/19-21 [Computer/Networking] UID:46375 Activity:nil
4/19    After installing Logitech wireless mouse, my friend cannot connect from
        his PC to his wireless broadband router via a USB wireless network
        device.  It said that it cannot obtain IP address from the router.  Even
        uninstalling the Logitech wireless mouse doesn't help.  Do you know how
        to fix the wireless LAN problem, so that his PC can obtain IP address
        again?
	...
2006/5/8 [Computer/SW/Security] UID:42976 Activity:moderate
5/8     why you are getting all that blue frog spam
        http://q.queso.com/archives/001917 - danh
        \_ While I'm not ready to call it outright bullshit, I'm skeptical:
           * Most DNS operators with a clue set TTL values to cache records
             for 24 hours to one week.  The DNS notify mechanism leaves much
             to be desired.  Thus, changing a DNS pointer is unlikely to
	...
2006/3/25-27 [Computer/Networking] UID:42433 Activity:nil
3/24    I want to write in my DSL router to allow incoming connection
        from certain IP range. How do I find out the IP range for SBC
        DSL say in Bay Area/SF?
	...
2006/2/18-23 [Computer/Networking] UID:41923 Activity:low
2/18    My DSL modem's ip address is 192.168.0.1, my internal network
        behind my router is 10.0.0.x. Is there a way I can configure
        the router so I can access the DSL modem from my 10.0.0.x
        network directly without re-wiring? Static routes? I tried it
        but no much luck. I also tried changing my internal network to
        192.168.0.x, but still does not work. Thanks.
	...
2006/1/28-31 [Computer/Networking] UID:41585 Activity:low
1/28    Just switched to Comcast from SBC and generally happy with it.  But
        can someone please explain to me why they are constantly pumping
        ARP traffic through the network?  It seems harmless, but I'm curious
        as I didn't see it with DSL.  It's a little disconcerting to see
        constant traffic on your router, even if ARPs are harmless from
        a bandwidth perspective, and it makes the WAN send/receive light
	...
2006/1/22-24 [Computer/Networking] UID:41477 Activity:nil
1/21    I am trying to setup a small network for my girlfriend's
        mom's company.  They just bought an accounting package
        which requires windows 2003 server.  And they want internet
        access from each computer.  How should the network be setuped?
        Would it be dumb to use static IP for each computer and a
        computer as internet gateway?
	...
Cache (8192 bytes)
internetcensus2012.bitbucket.org/paper.html
rDNS Overview Internet Census 2012 Port scanning /0 using insecure embedded devices Carna Botnet Abstract While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet. After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour. To minimize interference with normal system operation, our binary was set to run with a watchdog and on the lowest possible system priority. Furthermore, it was not permanently installed and stopped itself after a few days. We also deployed a readme file containing a description of the project as well as a contact email address. The first one is a telnet scanner which tries a few different login combinations, eg root:root, admin:admin and both without passwords. The second part manages the scanner, gives it IP ranges to scan and uploads scan results to a specified IP address. We deployed our binary on IP addresses we had gathered from our sample data and started scanning on port 23 (Telnet) on every IPv4 address. Our telnet scanner was also started on every newly found device, so the complete scan took only roughly one night. We stopped the automatic deployment after our binary was started on approximately thirty thousand devices. There were in fact several hundred thousand unprotected devices on the Internet making it possible to build a super fast distributed port scanner. After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore. Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong. Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds. This limits the effective scanning speed to 10 IPs per second per client. We also uploaded a readme file containing a short explanation of the project as well as a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project. The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on. We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks. We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users. So the problem of default or empty passwords is an Internet and industry wide phenomenon. We used a strict set of rules to identify the target devices' CPU and RAM to ensure our binary was only deployed to systems where it was known to work. We also excluded all smaller groups of devices since we did not want to interfere with industrial controls or mission critical hardware in any way. These are only about 25 percent of all unprotected devices found. There are hundreds of thousands of devices that do not have a real shell so we could not upload or run a binary, a hundred thousand mips4kce machines that are mostly too small and not capable enough for our purposes as well as many unidentifiable configuration interfaces for random hardware. We were able to use ifconfig to get the MAC address on most devices. We collected these MAC addresses for some time and identified about 12 million unique unprotected devices. This number does not include devices that do not have ifconfig. A C&C server comes with several disadvantages: it requires constant updates, protection from abuse and a hosting method that is both secure and anonymous. In our scenario this server is not necessary because all devices are reachable directly from the Internet. Therefore we could open a port that provided our own secure login method and a command interface to the bot. Our infrastructure still needs a central server to keep track of and connect to the clients, but it can stay behind NAT and is not reachable from the Internet. Our clients themselves have no possibility to contact a server once their IP address changes, so the central client database may contain an outdated IP address. Another way had to be found to keep client IP addresses up to date. If one client scans ten IP addresses per second, it requires approximately 4000 clients to scan one port on all 36 billion IP addresses of the Internet in one day. Since our botnet targets many more clients, it is no problem to scan for devices that change their IP address every twenty four hours. Many devices reboot every few days so it is necessary to constantly scan on Port 23 (Telnet) to find restarted devices and re-upload our binary for the botnet to remain active. This method allows a botnet without a central server that must be known to any client. This has the slight disadvantage that if clients change their IP address it may take some time until they get scanned again and the IP is updated in the database. The experience gathered with our infrastructure later on showed that approximately 85% of all clients are available at any time. Middle Nodes accept data from the clients and keep it for download by the master server. The IP addresses of the middle nodes were distributed to the clients by the master server when deploying a command. The middle nodes were frequently changed to prevent too much bandwidth usage on a single node. Overall roughly nine thousand devices are needed for constant background scans to update client IP addresses, find restarted devices and act as middle nodes. So this kind of infrastructure only makes sense if you have way more than nine thousand clients. Scan jobs were split up into 240k sub-jobs or parts, each responsible for for scanning approximately 15 thousand IP addresses. Each part was described in terms of a part id, a starting IP address, stepwidth and an end IP address. In this way we only had to deploy a few numbers to every client and they could generate the necessary IP addresses themselves. Finished scan jobs returned by the clients still contained the part id so the master server could keep track of finished and timed out parts. The binary on the router was written in plain C It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture. The backend consisted of two parts, a web interface with an API and a set of Pyth...