, 21 January 2013 | Imprime |  Disponible también en Español

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

  • We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
  • We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

  • In our case we will consider as 58 bytes per ping.
  • Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?

(You can follow us in Twitter: @SecurityArtWork)

7 comentarios a “How much does it take to ping the whole Internet?”

(Please note that Spanish and English comments are merged so you may need to use an online translator to understand other users' comments)

La aproximación de 4*10^9 direcciones IP en internet es bastante correcta dado que si al total de direcciones le restamos las no enrutables (RFC1918) y las multicast (RFC5771) tenemos casi 290*10^6 menos a hacerles un ICMP echo reply.

igazmi [web], 21 de January de 2013, 11:39 am

En este experimento aun conociendo que muchas redes estas reservadas según: http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
se han considerado como si todo el espacio fuera plano y accesible, tanto para los cálculos teóricos como para el ejercicio práctico.

Damia [web], 21 de January de 2013, 11:51 am

No tenia ni idea de esto la verdad y me he quedado ko, que un ataque masivo sea tan facil de generar…es acojonante.

Sergio [web], 21 de January de 2013, 12:46 pm

Con la mía os vais a gastar el dinero, no va a contestar.
# iptables -A INPUT -i ppp0 -p icmp –icmp-type ping -jDROP

Santiago [web], 21 de January de 2013, 1:41 pm

Lo que más me inquieta es cómo llegas a tener estas inquietudes… Cuanto menos curioso y original!!

Esperamos los resultados :)

Adrian [web], 21 de January de 2013, 1:45 pm

Hay un dato que no me cuadra, ni aquí ni en los resultados, y es que comentáis que lo habéis hecho con un PC normal, supongo que desde la casa de uno de vosotros y habéis dicho que con 50mbps se realizaría en 10h, que más bien, tirando de calculadora serían 11:40h, pero: ¿tenéis en vuestras casas 50mbps de subida o lo habéis hecho en vuestro lugar de trabajo o en algún sitio con una conexión más amplia?

Un saludo.

Pedro Gutiérrez [web], 10 de February de 2013, 4:42 am

No lo hemos hecho desde una conexión doméstica sino desde un cpd con una buena conexión a Internet.

Damia [web], 10 de February de 2013, 7:57 am