Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego,

Presentation transcript:

Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego, CA

One Year Ago… We released ZMap. ZMap is an Internet-wide port scanner capable of scanning at 97% of the maximum theoretical speed of gigabit Ethernet. ZMap completes a single-port TCP SYN scan of all of IPv4 in forty-five minutes.

Networks are Faster: Our own got 10x faster! 1 GigE ~ 1.48 million packets per second. 10 GigE ~ million packets per second. Why not full 10 GigE?

Zippier ZMap: A series of performance enhancements to ZMap, enabling scanning at 95% of 10 GigE linespeed, completing a single-port TCP scan in under five minutes.

Talk Roadmap: 1. Optimizations to ZMap 2. Evaluation of scanning at >1 Gbps 3. Applications and Conclusions

Performance Enhancements: What do we need to optimize? Parallelize address generation. Efficient blacklisting and whitelisting. Very low overhead sends (~200 cycle budget).

Address Generation: How do we address outgoing packets? Multithreaded iteration over a cyclic group of integers modulo p requires a lock.

Address Generation: How do we address outgoing packets? Multithreaded iteration over a cyclic group of integers modulo p requires a lock. Shard the cycle into disjoint sets.
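An added example (not code from the talk or from ZMap) of one way to shard the cycle so that each sender thread iterates with no shared state: with n shards, shard k starts at g^k and multiplies by g^n. The toy modulus 257, generator 3, the sharding scheme and all function names are assumptions chosen so that full, disjoint coverage can be checked.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy parameters: 257 is prime and 3 generates all of 1..256. */
#define P 257u
#define G 3u

static uint32_t mulmod(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a * b) % P);
}

static uint32_t powmod(uint32_t base, uint32_t exp) {
    uint32_t r = 1;
    for (; exp; exp >>= 1, base = mulmod(base, base))
        if (exp & 1) r = mulmod(r, base);
    return r;
}

/* Per-thread state: no field is shared, so no lock is needed. */
typedef struct { uint32_t cur, step, left; } shard_t;

/* Shard k of n walks g^k, g^(k+n), g^(k+2n), ... (assumed scheme). */
static void shard_init(shard_t *s, uint32_t k, uint32_t n) {
    uint32_t order = P - 1;
    s->cur = powmod(G, k);
    s->step = powmod(G, n);
    s->left = order / n + (k < order % n ? 1u : 0u);
}

static int shard_next(shard_t *s, uint32_t *out) {
    if (s->left == 0) return 0;
    *out = s->cur;
    s->cur = mulmod(s->cur, s->step);
    s->left--;
    return 1;
}

/* Run n shards; return how many group elements were hit exactly once. */
static uint32_t covered_once(uint32_t n) {
    uint8_t seen[P];
    uint32_t v, once = 0;
    memset(seen, 0, sizeof seen);
    for (uint32_t k = 0; k < n; k++) {
        shard_t s;
        shard_init(&s, k, n);
        while (shard_next(&s, &v)) seen[v]++;
    }
    for (v = 1; v < P; v++) once += (seen[v] == 1);
    return once;
}
```

Every shard count, including ones that do not divide the group order, visits each of the 256 elements exactly once.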

Address Constraints: Good Internet citizenship demands honoring blacklist requests. 1100 entries from 208 organizations on our blacklist, 0.15% of IPv4 address space. Use blacklist to exclude IANA-reserved addresses, 14% of IPv4 address space.

Optimized Address Constraints: Model IPv4 as a binary tree populated with blacklist. Paint leaf nodes as whitelisted or blacklisted. Use tree to determine number of allowed addresses n, and map indices 1…n to addresses a_1…a_n.
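An added example (not code from the talk or from ZMap) of the constraint tree described on this slide: prefixes are painted as allowed or excluded, each node caches how many allowed addresses lie below it, and an index is mapped to the corresponding allowed address by descending the tree. The node layout, function names and the three sample /8 exclusions are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
typedef struct node {
    struct node *l, *r;  /* both NULL for a leaf */
    int allowed;         /* leaf colour: 1 = allowed, 0 = excluded */
    uint64_t count;      /* allowed addresses below this node */
} node_t;

static node_t *leaf(int allowed) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->allowed = allowed;
    return n;
}

/* Paint prefix/len; shorter prefixes must be painted before nested ones. */
static void paint(node_t *n, uint32_t prefix, int len, int allowed) {
    for (int bit = 31; len > 0; bit--, len--) {
        if (!n->l) { n->l = leaf(n->allowed); n->r = leaf(n->allowed); }
        n = ((prefix >> bit) & 1u) ? n->r : n->l;
    }
    n->allowed = allowed;
}

/* Fill in count for every node; depth is the node's prefix length. */
static uint64_t recount(node_t *n, int depth) {
    if (!n->l) n->count = n->allowed ? (1ULL << (32 - depth)) : 0;
    else n->count = recount(n->l, depth + 1) + recount(n->r, depth + 1);
    return n->count;
}

/* Return the index-th allowed address (0-based; the slide counts from 1). */
static uint32_t lookup(const node_t *n, uint64_t index) {
    uint32_t addr = 0;
    for (int bit = 31; n->l; bit--) {
        if (index < n->l->count) { n = n->l; continue; }
        index -= n->l->count;   /* skip everything under the left child */
        addr |= 1u << bit;
        n = n->r;
    }
    return addr | (uint32_t)index;
}

/* Constructed sample: exclude 0.0.0.0/8, 10.0.0.0/8 and 127.0.0.0/8. */
static node_t *build_sample(void) {
    const uint32_t excl[] = { 0x00000000u, 0x0A000000u, 0x7F000000u };
    node_t *root = leaf(1);
    for (int i = 0; i < 3; i++) paint(root, excl[i], 8, 0);
    recount(root, 0);
    return root;
}
```

Because indices map only onto allowed addresses, an excluded range can never be generated, rather than being generated and filtered afterwards.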

Optimized Address Constraints: Can we avoid the tree lookup? Move the whitelisted /20 blocks out of the tree and into an array to bypass tree lookup.

Zero-Copy NIC Access: How can we send packets at line rate? The Linux kernel is not capable of sending 64 byte packets at 10 GigE linespeed – million packets per second. Use the PF_RING ZC library for direct NIC “zero-copy” access to reach linespeed. Bypass the kernel to reach 10 GigE linespeed.

Zero-Copy NIC Access: How do we combine sharding with PF_RING? [Diagram labels: Old Architecture, New Architecture, Global Cyclic Group Iterator, Send, Packet Creation, Blocking Update, Nonblocking Poll]

Talk Roadmap: 1. Performance Enhancements to ZMap 2. Evaluation of scanning at >1 Gbps 3. Applications and Conclusions

10 GigE is Fast: Your mileage may vary. This is as much a stress-test of the University of Michigan’s network as it is a study of ZMap. Building uplink is an aggregated 2x10 gigabit fiber channel. Performance may vary on other networks.


Complete Scans: How fast can we complete full scans of the Internet? Scan Rate, Duration, Normalized Hit Rate: 1.44 Mpps (~1 Gbps) 42: Mpps 20: Mpps 15: Mpps (~10 Gbps) 4: % 10 GigE linespeed. Scan Rate, Duration: 1.44 Mpps (~1 Gbps) 42: Mpps 20: Mpps 15: Mpps (~10 Gbps) 4:29. 37% Drop. Complete scans of port 443 with our enhancements and blacklist.

Hit Rate vs. Scan Rate When does fast become too fast? second long scans of random samples of IPv4 address space on port 443

Receive Rate: Where are the packets going? Packets get dropped on the network. SYN ACK receive rate for 50s sample scans. Split send and receive between two machines.

Talk Roadmap: 1. Performance Enhancements to ZMap 2. Evaluation of scanning at >1 Gbps 3. Applications and Conclusions

Applications: What can we gain from 10 GigE scanning? Decrease the moving camera effect during Internet-wide scans. Faster multi-packet scanning-related applications. Large scale vulnerability detection and exploitation.

Conclusion: As faster network infrastructure becomes available, scanning at 10 Gbps will enable powerful new applications for attackers and defenders alike.

Zippier ZMap. David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman, University of Michigan

Backup Slides

Masscan: How are we different? 8-25 Mpps using dual 10 GigE ports. Did not have facilities to perform live network tests faster than 100,000 pps. Masscan peaked at 6.4 Mpps on our machines in a single-port configuration.

Hit Rate vs. Scan Rate: When does fast become too fast?
