
Port Scanning All IPv4 Addresses

posted Mar 20, 2013, 11:29 AM by Beau Bullock

An anonymous security researcher released a paper titled "Internet Census 2012" a few days ago. They created a massive 420,000-node botnet by logging into internet-accessible devices using default passwords or no passwords at all. After logging in to these systems the researcher uploaded a binary of scanning software (fping, nmap, etc.), chosen according to the host's resources and OS, and used the 420,000 compromised systems to scan the rest of the 3.6 billion public IPv4 addresses. Rebooting an infected device would remove the scanning software; however, once the device was rescanned by another client it would be reinfected. The researcher is titling his botnet "Carna" after the Roman goddess of inner organs and health.


"Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong," he said. "Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds."

"We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks."

"We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users."

Here are some of the results from their scans:
  • 420 Million IPs responded to ICMP ping requests more than once.
  • 165 Million IPs had one or more of the top 150 ports open. 36 Million of these IPs did not respond to ICMP ping.
  • 141 Million IPs had only closed/reset ports and did not respond to ICMP ping. Most of these were firewalled IP ranges where it was uncertain if they had actual computers behind them.
  • 1051 Million IPs had a reverse DNS record. 729 Million of these IPs had nothing more and did not respond to any probe.
  • 30000 /16 networks contained IPs that responded to ICMP ping, 14000 /16 networks contained 90% of all pingable IPs.
  • 4.3 Million /24 networks contained all 420 Million pingable IPs.
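The prefix figures above (how many /16 and /24 networks contain the pingable IPs, and how few /16s hold 90% of them) are straightforward to reproduce from a dump of per-IP ICMP results. The script below is an added example, not code from the Internet Census paper or from this post: it runs over a small constructed set of records in RFC 5737 documentation ranges, counts an IP as pingable only if it answered more than once (as the paper does), and then aggregates responders by prefix and finds how many of the largest prefixes cover a given share. The record format and function names are assumptions for illustration; the real 9 TB dataset has its own formats.

```python
"""Aggregate census-style ICMP results into /16 and /24 prefixes.

Added example (not from the Internet Census paper or dafthack): the
records here are constructed; the real dataset has its own formats.
"""
import ipaddress
from collections import Counter

# Constructed records: (IPv4 address, number of ICMP echo replies seen
# across repeated probes). Addresses are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    ("203.0.113.5", 3),
    ("203.0.113.9", 2),
    ("203.0.113.77", 4),
    ("203.0.113.100", 2),
    ("203.0.114.2", 2),
    ("203.0.114.9", 1),     # replied only once: not counted as pingable
    ("198.51.100.1", 5),
    ("198.51.100.200", 0),
    ("198.51.101.3", 2),
    ("192.0.2.1", 2),
    ("192.0.2.2", 0),
    ("192.0.2.3", 1),
]

MIN_REPLIES = 2  # the paper counts IPs that answered ping more than once


def pingable_ips(records, min_replies=MIN_REPLIES):
    """Return the addresses that replied at least min_replies times."""
    return [ipaddress.IPv4Address(ip) for ip, n in records if n >= min_replies]


def prefix_counts(addresses, prefix_len):
    """Count responding hosts per /prefix_len network (e.g. 16 or 24)."""
    counts = Counter()
    for addr in addresses:
        # strict=False masks the host bits so we get the containing network
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[net] += 1
    return counts


def prefixes_covering(counts, fraction):
    """How many of the most-populated prefixes hold `fraction` of responders.

    Mirrors the paper's "14000 /16 networks contained 90% of all pingable
    IPs". Prefixes are taken largest-first; returns (prefix_count, covered).
    An empty Counter yields (0, 0).
    """
    total = sum(counts.values())
    target = fraction * total
    covered = 0
    for i, (_net, n) in enumerate(counts.most_common(), start=1):
        covered += n
        if covered >= target:
            return i, covered
    return len(counts), covered


def summarize(records):
    """Compute the census-style prefix statistics for a record set."""
    addrs = pingable_ips(records)
    by16 = prefix_counts(addrs, 16)
    by24 = prefix_counts(addrs, 24)
    return {
        "pingable": len(addrs),
        "slash16_total": len(by16),
        "slash16_for_90pct": prefixes_covering(by16, 0.9)[0],
        "slash24_total": len(by24),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed data this reports 8 pingable IPs spread over 3 /16s and 5 /24s, with all 3 /16s needed to reach 90% coverage; on the real dump the same counters are what produce the 30,000 / 14,000 / 4.3 million figures quoted above, and the "most-common prefixes first" ordering is what makes the 90% statistic meaningful.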
This is a small sample of the results from the service probes the botnet performed:

You can read the paper and download the 9 TB of data that was released to the public to examine here: