Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego,

Published byBartholomew Welch Modified over 8 years ago

Similar presentations

Presentation on theme: "Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego,"— Presentation transcript:

1 Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego, CA

2 One Year Ago… We released ZMap ZMap is an Internet-wide port scanner capable of scanning at 97% the maximum theoretical speed of gigabit Ethernet 2 ZMap completes a single- port TCP SYN scan of all of IPv4 in forty-five minutes

3 Networks are Faster Our own got 10x faster! 1 GigE ~ 1.48 million packets per second 10 GigE ~ 14.88 million packets per second 3 Why not full 10 GigE?

4 Zippier ZMap A series of performance enhancements to ZMap, enabling scanning at 95% 10 GigE linespeed, completing a single-port TCP scan in under five minutes 4

5 Talk Roadmap 1.Optimizations to ZMap 2.Evaluation of scanning at >1 Gbps 3.Applications and Conclusions 5

6 Performance Enhancements What do we need to optimize? Parallelize address generation Efficient blacklisting and whitelisting Very low overhead sends (~200 cycle budget) 6

7 Address Generation How do we address outgoing packets? Multithreaded iteration over a cyclic group of integers modulo p requires a lock 7

8 Address Generation How do we address outgoing packets? Multithreaded iteration over a cyclic group of integers modulo p requires a lock Shard the cycle into disjoint sets 8

9 Address Constraints Good Internet citizenship demands honoring blacklist requests 1100 entries from 208 organizations on our blacklist, 0.15% of IPv4 address space Use blacklist to exclude IANA-reserved addresses, 14% of IPv4 address space 9

10 Optimized Address Constraints Model IPv4 as a binary tree populated with blacklist Paint leaf nodes as whitelisted or blacklisted 10 0.0.0.0/ 0 0.0.0.0/ 1 128.0.0.0/1 0.0.0.0/ 2 64.0.0.0/2 Use tree to determine number of allowed addresses n, and map indices 1…n to addresses a 1 …a n

11 Optimized Address Constraints Can we avoid the tree lookup? Move the whitelisted /20 blocks out of the tree and into an array to bypass tree lookup 11 … … … … … 1 3 2 64.0.0.0/20 64.240.0.0/20 2 20

12 Zero-Copy NIC Access How can we send packets at line rate? The Linux kernel is not capable of sending 64 byte packets at 10 GigE linespeed – 14.88 million packets per second Use the PF_RING ZC library for direct NIC “zero-copy” access to reach linespeed 12 Bypass the kernel to reach 10 GigE linespeed

13 Zero-Copy NIC Access How do we combine sharding with PF_RING? Old ArchitectureNew Architecture Global Cyclic Group Iterator Send Packet Creation Blocking UpdateNonblocking Poll 13

14 Talk Roadmap 1.Performance Enhancements to ZMap 2.Evaluation of scanning at >1 Gbps 3.Applications and Conclusions 14

15 10 GigE is Fast Your mileage may vary. 15 This is as much a stress-test of the University of Michigan’s network as it is a study of ZMap Building uplink is an aggregated 2x10 gigabit fiber channel Performance may vary on other networks.

16 16

17 17

18 Complete Scans How fast can we complete full scans of the Internet? Scan RateDurationNormalized Hit Rate 1.44 Mpps (~1 Gbps)42:081.00 3.00 Mpps20:470.99 4.00 Mpps15:380.97 14.23 Mpps (~10 Gbps)4:290.63 18 95% 10 GigE linespeed Scan RateDuration 1.44 Mpps (~1 Gbps)42:08 3.00 Mpps20:47 4.00 Mpps15:38 14.23 Mpps (~10 Gbps)4:29 37% Drop Complete scans of port 443 with our enhancements and blacklist

19 Hit Rate vs. Scan Rate When does fast become too fast? 19 50 second long scans of random samples of IPv4 address space on port 443

20 Packets get dropped on the network Receive Rate Where are the packets going? 20 SYN ACK receive rate for 50s sample scans Split send and receive between two machines

21 Talk Roadmap 1.Performance Enhancements to ZMap 2.Evaluation of scanning at >1 Gbps 3.Applications and Conclusions 21

22 Applications What can we gain from 10 GigE scanning? Decrease the moving camera effect during Internet-wide scans Faster multi-packet scanning-related applications Large scale vulnerability detection and exploitation 22

23 Conclusion As faster network infrastructure becomes available, scanning at 10 Gbps will enable powerful new applications for attackers and defenders alike 23

24 Zippier ZMap https://zmap.io https://github.com/zmap @davidcadrian 24 David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman zippier-team@umich.edu University of Michigan

25 Backup Slides 25

26 Masscan How are we different? 8-25 Mpps using dual 10 GigE ports Did not have facilities to perform live network tests faster than 100,000 pps 26 Masscan peaked at 6.4 Mpps on our machines in a single-port configuration

27 Hit Rate vs. Scan Rate When does fast become too fast? 27

28 28

Download ppt "Zippier ZMap Internet-Wide Scanning at 10Gbps David Adrian, Zakir Durumeric, Gulshan Singh, J. Alex Halderman University of Michigan WOOT ’14 San Diego,"

Similar presentations

Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Cognitive Radio Communications and Networks: Principles and Practice By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 1 Chapter 9 Fundamentals.

Cognitive Radio Communications and Networks: Principles and Practice By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009) 1 Chapter 9 Fundamentals.
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
RIPE 68 - Measurement, Analysis and Tools Working Group15 May 2014 Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of.

RIPE 68 - Measurement, Analysis and Tools Working Group15 May 2014 Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of.
Topic 7 Local Area Networks (LAN)

Topic 7 Local Area Networks (LAN)
Improving IPC by Kernel Design Jochen Liedtke Slides based on a presentation by Rebekah Leslie.

Improving IPC by Kernel Design Jochen Liedtke Slides based on a presentation by Rebekah Leslie.
Computation I pg 1 Embedded Computer Architecture Memory Hierarchy: Cache Recap Course 5KK73 Henk Corporaal November 2014

Computation I pg 1 Embedded Computer Architecture Memory Hierarchy: Cache Recap Course 5KK73 Henk Corporaal November 2014
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang

Fast Worm Propagation In IPv6 Networks Malware Project Presentation Jing Yang
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Network Certification Preparation. Module - 1 Communication methods OSI reference model and layered communication TCP/IP model TCP and UDP IP addressing.

Network Certification Preparation. Module - 1 Communication methods OSI reference model and layered communication TCP/IP model TCP and UDP IP addressing.
Router Architecture : Building high-performance routers Ian Pratt

Router Architecture : Building high-performance routers Ian Pratt
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
RIT Campus Data Network. General Network Statistics Over 23,000 wired outlets Over 14,500 active switched ethernet ports > 250 network closets > 1,000.

RIT Campus Data Network. General Network Statistics Over 23,000 wired outlets Over 14,500 active switched ethernet ports > 250 network closets > 1,000.
Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.

Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.
Cache Conscious Indexing for Decision-Support in Main Memory Pradip Dhara.

Cache Conscious Indexing for Decision-Support in Main Memory Pradip Dhara.
Haoyuan Li CS 6410 Fall 2009 10/15/2009.  U-Net: A User-Level Network Interface for Parallel and Distributed Computing ◦ Thorsten von Eicken, Anindya.

Haoyuan Li CS 6410 Fall /15/2009.  U-Net: A User-Level Network Interface for Parallel and Distributed Computing ◦ Thorsten von Eicken, Anindya.
“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.

“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.
1 A Fast IP Lookup Scheme for Longest-Matching Prefix Authors: Lih-Chyau Wuu, Shou-Yu Pin Reporter: Chen-Nien Tsai.

1 A Fast IP Lookup Scheme for Longest-Matching Prefix Authors: Lih-Chyau Wuu, Shou-Yu Pin Reporter: Chen-Nien Tsai.

Similar presentations

Ads by Google