The result of pinging all the Internet IP addresses

In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

NETWORK /8 pongs answered % pongs answered
0.X.X.X 0 0,00% IANA – Local Identification RESERVED
1.X.X.X 1945822 11,60% APNIC whois.apnic.net ALLOCATED
2.X.X.X 3060724 18,24% RIPE NCC whois.ripe.net ALLOCATED
3.X.X.X 3 0,00% General Electric Company LEGACY
4.X.X.X 47999 0,29% Level 3 Communications, Inc. LEGACY
5.X.X.X 1476715 8,80% RIPE NCC whois.ripe.net ALLOCATED
6.X.X.X 41 0,00% Army Information Systems Center LEGACY
7.X.X.X 0 0,00% Administered by ARIN whois.arin.net LEGACY
8.X.X.X 76429 0,46% Level 3 Communications, Inc. LEGACY
9.X.X.X 0 0,00% IBM LEGACY
10.X.X.X 3 0,00% IANA – Private Use RESERVED
11.X.X.X 0 0,00% DoD Intel Information Systems LEGACY
12.X.X.X 401646 2,39% AT&T Bell Laboratories LEGACY
13.X.X.X 635 0,00% Xerox Corporation LEGACY
14.X.X.X 2066669 12,32% APNIC whois.apnic.net ALLOCATED
15.X.X.X 10312 0,06% Hewlett-Packard Company LEGACY
16.X.X.X 18 0,00% Digital Equipment Corporation LEGACY
17.X.X.X 1897 0,01% Apple Computer Inc. LEGACY
18.X.X.X 25281 0,15% MIT LEGACY
19.X.X.X 0 0,00% Ford Motor Company LEGACY
20.X.X.X 2069 0,01% Computer Sciences Corporation LEGACY
21.X.X.X 0 0,00% DDN-RVN LEGACY
22.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
23.X.X.X 2119841 12,64% ARIN whois.arin.net ALLOCATED
24.X.X.X 2854162 17,01% ARIN whois.arin.net ALLOCATED
25.X.X.X 0 0,00% UK Ministry of Defence whois.ripe.net LEGACY
26.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
27.X.X.X 1846998 11,01% APNIC whois.apnic.net ALLOCATED
28.X.X.X 0 0,00% DSI-North LEGACY
29.X.X.X 2 0,00% Defense Information Systems Agency LEGACY
30.X.X.X 3 0,00% Defense Information Systems Agency LEGACY
31.X.X.X 1444805 8,61% RIPE NCC whois.ripe.net ALLOCATED
32.X.X.X 6791 0,04% AT&T Global Network Services LEGACY
33.X.X.X 0 0,00% DLA Systems Automation Center LEGACY
34.X.X.X 73 0,00% Halliburton Company LEGACY
35.X.X.X 30637 0,18% Administered by ARIN whois.arin.net LEGACY
36.X.X.X 447230 2,67% APNIC whois.apnic.net ALLOCATED
37.X.X.X 1909720 11,38% RIPE NCC whois.ripe.net ALLOCATED
38.X.X.X 176523 1,05% PSINet, Inc. LEGACY
39.X.X.X 393476 2,35% APNIC whois.apnic.net ALLOCATED
40.X.X.X 1165 0,01% Administered by ARIN whois.arin.net LEGACY
41.X.X.X 1785846 10,64% AFRINIC whois.afrinic.net ALLOCATED
42.X.X.X 905039 5,39% APNIC whois.apnic.net ALLOCATED
43.X.X.X 13447 0,08% Administered by APNIC whois.apnic.net LEGACY
44.X.X.X 70 0,00% Amateur Radio Digital Communications LEGACY
45.X.X.X 1 0,00% Administered by ARIN whois.arin.net LEGACY
46.X.X.X 2658072 15,84% RIPE NCC whois.ripe.net ALLOCATED
47.X.X.X 11729 0,07% Administered by ARIN whois.arin.net LEGACY
48.X.X.X 0 0,00% Prudential Securities Inc. LEGACY
49.X.X.X 1643097 9,79% APNIC whois.apnic.net ALLOCATED
50.X.X.X 2086304 12,44% ARIN whois.arin.net ALLOCATED
51.X.X.X 0 0,00% UK Government Department for Work and Pensions whois.ripe.net LEGACY
52.X.X.X 102 0,00% E.I. duPont de Nemours and Co., Inc. LEGACY
53.X.X.X 3 0,00% Cap Debis CCS LEGACY
54.X.X.X 22092 0,13% Merck and Co., Inc. LEGACY
55.X.X.X 0 0,00% DoD Network Information Center LEGACY
56.X.X.X 22 0,00% US Postal Service LEGACY
57.X.X.X 6653 0,04% SITA LEGACY
58.X.X.X 2583602 15,40% APNIC whois.apnic.net ALLOCATED
59.X.X.X 1508086 8,99% APNIC whois.apnic.net ALLOCATED
60.X.X.X 1798876 10,72% APNIC whois.apnic.net ALLOCATED
61.X.X.X 1652124 9,85% APNIC whois.apnic.net ALLOCATED
62.X.X.X 1561085 9,30% RIPE NCC whois.ripe.net ALLOCATED
63.X.X.X 569208 3,39% ARIN whois.arin.net ALLOCATED
64.X.X.X 1372940 8,18% ARIN whois.arin.net ALLOCATED
65.X.X.X 1136397 6,77% ARIN whois.arin.net ALLOCATED
66.X.X.X 1835266 10,94% ARIN whois.arin.net ALLOCATED
67.X.X.X 2623277 15,64% ARIN whois.arin.net ALLOCATED
68.X.X.X 2117113 12,62% ARIN whois.arin.net ALLOCATED
69.X.X.X 2335093 13,92% ARIN whois.arin.net ALLOCATED
70.X.X.X 1841378 10,98% ARIN whois.arin.net ALLOCATED
71.X.X.X 4511701 26,89% ARIN whois.arin.net ALLOCATED
72.X.X.X 3287369 19,59% ARIN whois.arin.net ALLOCATED
73.X.X.X 3589118 21,39% ARIN whois.arin.net ALLOCATED
74.X.X.X 2976565 17,74% ARIN whois.arin.net ALLOCATED
75.X.X.X 3341673 19,92% ARIN whois.arin.net ALLOCATED
76.X.X.X 2727681 16,26% ARIN whois.arin.net ALLOCATED
77.X.X.X 3639746 21,69% RIPE NCC whois.ripe.net ALLOCATED
78.X.X.X 3505048 20,89% RIPE NCC whois.ripe.net ALLOCATED
79.X.X.X 3991921 23,79% RIPE NCC whois.ripe.net ALLOCATED
80.X.X.X 2325444 13,86% RIPE NCC whois.ripe.net ALLOCATED
81.X.X.X 2380619 14,19% RIPE NCC whois.ripe.net ALLOCATED
82.X.X.X 3540108 21,10% RIPE NCC whois.ripe.net ALLOCATED
83.X.X.X 3170669 18,90% RIPE NCC whois.ripe.net ALLOCATED
84.X.X.X 3276645 19,53% RIPE NCC whois.ripe.net ALLOCATED
85.X.X.X 2651705 15,81% RIPE NCC whois.ripe.net ALLOCATED
86.X.X.X 1740467 10,37% RIPE NCC whois.ripe.net ALLOCATED
87.X.X.X 3251776 19,38% RIPE NCC whois.ripe.net ALLOCATED
88.X.X.X 4356116 25,96% RIPE NCC whois.ripe.net ALLOCATED
89.X.X.X 2724476 16,24% RIPE NCC whois.ripe.net ALLOCATED
90.X.X.X 2344320 13,97% RIPE NCC whois.ripe.net ALLOCATED
91.X.X.X 2404688 14,33% RIPE NCC whois.ripe.net ALLOCATED
92.X.X.X 2556074 15,24% RIPE NCC whois.ripe.net ALLOCATED
93.X.X.X 2878139 17,16% RIPE NCC whois.ripe.net ALLOCATED
94.X.X.X 3165218 18,87% RIPE NCC whois.ripe.net ALLOCATED
95.X.X.X 3512883 20,94% RIPE NCC whois.ripe.net ALLOCATED
96.X.X.X 3490340 20,80% ARIN whois.arin.net ALLOCATED
97.X.X.X 970326 5,78% ARIN whois.arin.net ALLOCATED
98.X.X.X 4549209 27,12% ARIN whois.arin.net ALLOCATED
99.X.X.X 1392114 8,30% ARIN whois.arin.net ALLOCATED
100.X.X.X 128763 0,77% ARIN whois.arin.net ALLOCATED
101.X.X.X 1290800 7,69% APNIC whois.apnic.net ALLOCATED
102.X.X.X 0 0,00% AFRINIC whois.afrinic.net ALLOCATED
103.X.X.X 93789 0,56% APNIC whois.apnic.net ALLOCATED
104.X.X.X 0 0,00% ARIN whois.arin.net ALLOCATED
105.X.X.X 462111 2,75% AFRINIC whois.afrinic.net ALLOCATED
106.X.X.X 1197732 7,14% APNIC whois.apnic.net ALLOCATED
107.X.X.X 300499 1,79% ARIN whois.arin.net ALLOCATED
108.X.X.X 2426908 14,47% ARIN whois.arin.net ALLOCATED
109.X.X.X 2469363 14,72% RIPE NCC whois.ripe.net ALLOCATED
110.X.X.X 2454778 14,63% APNIC whois.apnic.net ALLOCATED
111.X.X.X 1903735 11,35% APNIC whois.apnic.net ALLOCATED
112.X.X.X 2968386 17,69% APNIC whois.apnic.net ALLOCATED
113.X.X.X 3079706 18,36% APNIC whois.apnic.net ALLOCATED
114.X.X.X 2800478 16,69% APNIC whois.apnic.net ALLOCATED
115.X.X.X 2837602 16,91% APNIC whois.apnic.net ALLOCATED
116.X.X.X 1915863 11,42% APNIC whois.apnic.net ALLOCATED
117.X.X.X 2128063 12,68% APNIC whois.apnic.net ALLOCATED
118.X.X.X 2896711 17,27% APNIC whois.apnic.net ALLOCATED
119.X.X.X 3060064 18,24% APNIC whois.apnic.net ALLOCATED
120.X.X.X 1199805 7,15% APNIC whois.apnic.net ALLOCATED
121.X.X.X 2665125 15,89% APNIC whois.apnic.net ALLOCATED
122.X.X.X 2168852 12,93% APNIC whois.apnic.net ALLOCATED
123.X.X.X 2687657 16,02% APNIC whois.apnic.net ALLOCATED
124.X.X.X 2493104 14,86% APNIC whois.apnic.net ALLOCATED
125.X.X.X 3002885 17,90% APNIC whois.apnic.net ALLOCATED
126.X.X.X 952186 5,68% APNIC whois.apnic.net ALLOCATED
127.X.X.X 0 0,00% IANA – Loopback RESERVED
128.X.X.X 773669 4,61% Administered by ARIN whois.arin.net LEGACY
129.X.X.X 335098 2,00% Administered by ARIN whois.arin.net LEGACY
130.X.X.X 480277 2,86% Administered by ARIN whois.arin.net LEGACY
131.X.X.X 181065 1,08% Administered by ARIN whois.arin.net LEGACY
132.X.X.X 235630 1,40% Administered by ARIN whois.arin.net LEGACY
133.X.X.X 49242 0,29% Administered by APNIC whois.apnic.net LEGACY
134.X.X.X 288572 1,72% Administered by ARIN whois.arin.net LEGACY
135.X.X.X 23972 0,14% Administered by ARIN whois.arin.net LEGACY
136.X.X.X 116382 0,69% Administered by ARIN whois.arin.net LEGACY
137.X.X.X 178580 1,06% Administered by ARIN whois.arin.net LEGACY
138.X.X.X 81333 0,48% Administered by ARIN whois.arin.net LEGACY
139.X.X.X 167798 1,00% Administered by ARIN whois.arin.net LEGACY
140.X.X.X 293204 1,75% Administered by ARIN whois.arin.net LEGACY
141.X.X.X 288597 1,72% Administered by RIPE NCC whois.ripe.net LEGACY
142.X.X.X 344687 2,05% Administered by ARIN whois.arin.net LEGACY
143.X.X.X 81379 0,49% Administered by ARIN whois.arin.net LEGACY
144.X.X.X 90422 0,54% Administered by ARIN whois.arin.net LEGACY
145.X.X.X 200673 1,20% Administered by RIPE NCC whois.ripe.net LEGACY
146.X.X.X 257674 1,54% Administered by ARIN whois.arin.net LEGACY
147.X.X.X 148189 0,88% Administered by ARIN whois.arin.net LEGACY
148.X.X.X 78053 0,47% Administered by ARIN whois.arin.net LEGACY
149.X.X.X 301946 1,80% Administered by ARIN whois.arin.net LEGACY
150.X.X.X 96794 0,58% Administered by APNIC whois.apnic.net LEGACY
151.X.X.X 954773 5,69% Administered by RIPE NCC whois.ripe.net LEGACY
152.X.X.X 147825 0,88% Administered by ARIN whois.arin.net LEGACY
153.X.X.X 44430 0,26% Administered by APNIC whois.apnic.net LEGACY
154.X.X.X 25662 0,15% Administered by AFRINIC whois.afrinic.net LEGACY
155.X.X.X 64935 0,39% Administered by ARIN whois.arin.net LEGACY
156.X.X.X 53951 0,32% Administered by ARIN whois.arin.net LEGACY
157.X.X.X 78752 0,47% Administered by ARIN whois.arin.net LEGACY
158.X.X.X 106178 0,63% Administered by ARIN whois.arin.net LEGACY
159.X.X.X 159920 0,95% Administered by ARIN whois.arin.net LEGACY
160.X.X.X 120077 0,72% Administered by ARIN whois.arin.net LEGACY
161.X.X.X 83081 0,50% Administered by ARIN whois.arin.net LEGACY
162.X.X.X 43521 0,26% Administered by ARIN whois.arin.net LEGACY
163.X.X.X 161035 0,96% Administered by APNIC whois.apnic.net LEGACY
164.X.X.X 124244 0,74% Administered by ARIN whois.arin.net LEGACY
165.X.X.X 130803 0,78% Administered by ARIN whois.arin.net LEGACY
166.X.X.X 256189 1,53% Administered by ARIN whois.arin.net LEGACY
167.X.X.X 46554 0,28% Administered by ARIN whois.arin.net LEGACY
168.X.X.X 187654 1,12% Administered by ARIN whois.arin.net LEGACY
169.X.X.X 79520 0,47% Administered by ARIN whois.arin.net LEGACY
170.X.X.X 88594 0,53% Administered by ARIN whois.arin.net LEGACY
171.X.X.X 855441 5,10% Administered by APNIC whois.apnic.net LEGACY
172.X.X.X 41571 0,25% Administered by ARIN whois.arin.net LEGACY
173.X.X.X 3501677 20,87% ARIN whois.arin.net ALLOCATED
174.X.X.X 2853025 17,01% ARIN whois.arin.net ALLOCATED
175.X.X.X 2498128 14,89% APNIC whois.apnic.net ALLOCATED
176.X.X.X 2036792 12,14% RIPE NCC whois.ripe.net ALLOCATED
177.X.X.X 3759343 22,41% LACNIC whois.lacnic.net ALLOCATED
178.X.X.X 4004355 23,87% RIPE NCC whois.ripe.net ALLOCATED
179.X.X.X 0 0,00% LACNIC whois.lacnic.net ALLOCATED
180.X.X.X 2598738 15,49% APNIC whois.apnic.net ALLOCATED
181.X.X.X 874733 5,21% LACNIC whois.lacnic.net ALLOCATED
182.X.X.X 2167285 12,92% APNIC whois.apnic.net ALLOCATED
183.X.X.X 3074376 18,32% APNIC whois.apnic.net ALLOCATED
184.X.X.X 3082669 18,37% ARIN whois.arin.net ALLOCATED
185.X.X.X 3806 0,02% RIPE NCC whois.ripe.net ALLOCATED
186.X.X.X 3650599 21,76% LACNIC whois.lacnic.net ALLOCATED
187.X.X.X 4419158 26,34% LACNIC whois.lacnic.net ALLOCATED
188.X.X.X 3966741 23,64% Administered by RIPE NCC whois.ripe.net LEGACY
189.X.X.X 5836526 34,79% LACNIC whois.lacnic.net ALLOCATED
190.X.X.X 3628220 21,63% LACNIC whois.lacnic.net ALLOCATED
191.X.X.X 1 0,00% Administered by LACNIC whois.lacnic.net LEGACY
192.X.X.X 180470 1,08% Administered by ARIN whois.arin.net LEGACY
193.X.X.X 627709 3,74% RIPE NCC whois.ripe.net ALLOCATED
194.X.X.X 526129 3,14% RIPE NCC whois.ripe.net ALLOCATED
195.X.X.X 899577 5,36% RIPE NCC whois.ripe.net ALLOCATED
196.X.X.X 230604 1,37% Administered by AFRINIC whois.afrinic.net LEGACY
197.X.X.X 348981 2,08% AFRINIC whois.afrinic.net ALLOCATED
198.X.X.X 499496 2,98% Administered by ARIN whois.arin.net LEGACY
199.X.X.X 448530 2,67% ARIN whois.arin.net ALLOCATED
200.X.X.X 1238090 7,38% LACNIC whois.lacnic.net ALLOCATED
201.X.X.X 2910652 17,35% LACNIC whois.lacnic.net ALLOCATED
202.X.X.X 850551 5,07% APNIC whois.apnic.net ALLOCATED
203.X.X.X 863842 5,15% APNIC whois.apnic.net ALLOCATED
204.X.X.X 506084 3,02% ARIN whois.arin.net ALLOCATED
205.X.X.X 255758 1,52% ARIN whois.arin.net ALLOCATED
206.X.X.X 436237 2,60% ARIN whois.arin.net ALLOCATED
207.X.X.X 718085 4,28% ARIN whois.arin.net ALLOCATED
208.X.X.X 935239 5,57% ARIN whois.arin.net ALLOCATED
209.X.X.X 941352 5,61% ARIN whois.arin.net ALLOCATED
210.X.X.X 892003 5,32% APNIC whois.apnic.net ALLOCATED
211.X.X.X 1475532 8,79% APNIC whois.apnic.net ALLOCATED
212.X.X.X 1285251 7,66% RIPE NCC whois.ripe.net ALLOCATED
213.X.X.X 1489497 8,88% RIPE NCC whois.ripe.net ALLOCATED
214.X.X.X 15 0,00% US-DOD LEGACY
215.X.X.X 0 0,00% US-DOD LEGACY
216.X.X.X 1391324 8,29% ARIN whois.arin.net ALLOCATED
217.X.X.X 1721029 10,26% RIPE NCC whois.ripe.net ALLOCATED
218.X.X.X 1859314 11,08% APNIC whois.apnic.net ALLOCATED
219.X.X.X 1634348 9,74% APNIC whois.apnic.net ALLOCATED
220.X.X.X 1714546 10,22% APNIC whois.apnic.net ALLOCATED
221.X.X.X 2076679 12,38% APNIC whois.apnic.net ALLOCATED
222.X.X.X 2484533 14,81% APNIC whois.apnic.net ALLOCATED
223.X.X.X 1803849 10,75% APNIC whois.apnic.net ALLOCATED
224.X.X.X 0 0,00% Multicast RESERVED
225.X.X.X 0 0,00% Multicast RESERVED
226.X.X.X 0 0,00% Multicast RESERVED
227.X.X.X 0 0,00% Multicast RESERVED
228.X.X.X 0 0,00% Multicast RESERVED
229.X.X.X 0 0,00% Multicast RESERVED
230.X.X.X 0 0,00% Multicast RESERVED
231.X.X.X 0 0,00% Multicast RESERVED
232.X.X.X 0 0,00% Multicast RESERVED
233.X.X.X 0 0,00% Multicast RESERVED
234.X.X.X 0 0,00% Multicast RESERVED
235.X.X.X 0 0,00% Multicast RESERVED
236.X.X.X 0 0,00% Multicast RESERVED
237.X.X.X 0 0,00% Multicast RESERVED
238.X.X.X 0 0,00% Multicast RESERVED
239.X.X.X 0 0,00% Multicast RESERVED
240.X.X.X 0 0,00% Future use RESERVED
241.X.X.X 0 0,00% Future use RESERVED
242.X.X.X 0 0,00% Future use RESERVED
243.X.X.X 0 0,00% Future use RESERVED
244.X.X.X 0 0,00% Future use RESERVED
245.X.X.X 0 0,00% Future use RESERVED
246.X.X.X 0 0,00% Future use RESERVED
247.X.X.X 0 0,00% Future use RESERVED
248.X.X.X 0 0,00% Future use RESERVED
249.X.X.X 0 0,00% Future use RESERVED
250.X.X.X 0 0,00% Future use RESERVED
251.X.X.X 0 0,00% Future use RESERVED
252.X.X.X 0 0,00% Future use RESERVED
253.X.X.X 0 0,00% Future use RESERVED
254.X.X.X 0 0,00% Future use RESERVED
255.X.X.X 0 0,00% Future use RESERVED

Grafically:

We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Number of pongs answered Number of /24 networks
1 238877
2 138291
3 103826
4 84879
5 70612
6 68622
7 63042
8 62594
9 58333
10 55617
11 53531
12 52186
13 49189
14 47076
15 45662
16 44469
17 42722
18 41154
19 40506
20 41286
21 44013
22 39223
23 36442
24 35545
25 34471
26 33956
27 32876
28 32421
29 31634
30 31588
31 30484
32 30885
33 29614
34 29713
35 29065
36 28964
37 28204
38 28012
39 27586
40 27011
41 26751
42 26370
43 25801
44 25580
45 25302
46 25233
47 24642
48 24709
49 24396
50 24408
51 24086
52 24367
53 24158
54 24105
55 23730
56 23858
57 23725
58 23582
59 23626
60 23498
61 23583
62 23277
63 22940
64 22582
65 22202
66 22071
67 21547
68 21415
69 20912
70 20511
71 20155
72 19725
73 19194
74 18860
75 18930
76 18241
77 17725
78 17604
79 17134
80 17140
81 16573
82 16306
83 16177
84 15855
85 15660
86 15476
87 15457
88 15386
89 15039
90 14900
91 14802
92 14500
93 14100
94 14079
95 14019
96 13751
97 13409
98 13443
99 13240
100 13052
101 12727
102 12745
103 12143
104 12175
105 11793
106 11567
107 11502
108 11237
109 11088
110 10677
111 10621
112 10524
113 10353
114 10306
115 10048
116 9987
117 9798
118 9673
119 9747
120 9606
121 9398
122 9441
123 8991
124 9181
125 9095
126 8888
127 8556
128 8522
129 8406
130 8406
131 8267
132 8194
133 8252
134 8023
135 7910
136 7692
137 7643
138 7764
139 7566
140 7431
141 7403
142 7382
143 7512
144 7330
145 7261
146 7044
147 7078
148 7158
149 7210
150 6878
151 6941
152 6921
153 7072
154 6965
155 6919
156 6894
157 6909
158 7043
159 6816
160 6844
161 6892
162 6868
163 6958
164 6836
165 6905
166 6954
167 6917
168 7053
169 7005
170 6867
171 6931
172 6887
173 6849
174 6817
175 6781
176 6635
177 6630
178 6657
179 6514
180 6255
181 6310
182 6330
183 6134
184 5864
185 5680
186 5714
187 5559
188 5445
189 5415
190 5325
191 5211
192 5122
193 5110
194 4984
195 4939
196 4712
197 4549
198 4727
199 4582
200 4517
201 4550
202 4488
203 4442
204 4413
205 4210
206 4228
207 4182
208 4158
209 4137
210 4020
211 4013
212 3982
213 3941
214 3958
215 3978
216 3980
217 3924
218 3670
219 3690
220 3696
221 3620
222 3447
223 3483
224 3406
225 3387
226 3391
227 3193
228 3116
229 3233
230 3157
231 3123
232 3118
233 3278
234 3285
235 3430
236 3714
237 3922
238 4333
239 4594
240 5207
241 5740
242 6262
243 6736
244 7136
245 8169
246 9244
247 10536
248 11591
249 12330
250 12567
251 12092
252 9378
253 6096
254 3192
255 1481
256 467

Grafically:

We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Less significative byte of ip address Count of pongs
x.x.x.0 749789
x.x.x.1 2188704
x.x.x.2 1432608
x.x.x.3 1312164
x.x.x.4 1260519
x.x.x.5 1344259
x.x.x.6 1317523
x.x.x.7 1226345
x.x.x.8 1210025
x.x.x.9 1396354
x.x.x.10 1338214
x.x.x.11 1253251
x.x.x.12 1225913
x.x.x.13 1297186
x.x.x.14 1290901
x.x.x.15 1194033
x.x.x.16 1177008
x.x.x.17 1424293
x.x.x.18 1297307
x.x.x.19 1210971
x.x.x.20 1208820
x.x.x.21 1274382
x.x.x.22 1258630
x.x.x.23 1171451
x.x.x.24 1157615
x.x.x.25 1346065
x.x.x.26 1247689
x.x.x.27 1172728
x.x.x.28 1160244
x.x.x.29 1232213
x.x.x.30 1252088
x.x.x.31 1133193
x.x.x.32 1129206
x.x.x.33 1438811
x.x.x.34 1273545
x.x.x.35 1191265
x.x.x.36 1166209
x.x.x.37 1232786
x.x.x.38 1222823
x.x.x.39 1132063
x.x.x.40 1128406
x.x.x.41 1308812
x.x.x.42 1220378
x.x.x.43 1142863
x.x.x.44 1130136
x.x.x.45 1203766
x.x.x.46 1192938
x.x.x.47 1108922
x.x.x.48 1097390
x.x.x.49 1328159
x.x.x.50 1225132
x.x.x.51 1143527
x.x.x.52 1120597
x.x.x.53 1186295
x.x.x.54 1176274
x.x.x.55 1103437
x.x.x.56 1089146
x.x.x.57 1253521
x.x.x.58 1173048
x.x.x.59 1104981
x.x.x.60 1106008
x.x.x.61 1169959
x.x.x.62 1192879
x.x.x.63 1048740
x.x.x.64 1048258
x.x.x.65 1425598
x.x.x.66 1229128
x.x.x.67 1142903
x.x.x.68 1118736
x.x.x.69 1183038
x.x.x.70 1183928
x.x.x.71 1099966
x.x.x.72 1087771
x.x.x.73 1259314
x.x.x.74 1168810
x.x.x.75 1102380
x.x.x.76 1085211
x.x.x.77 1155721
x.x.x.78 1151672
x.x.x.79 1065110
x.x.x.80 1062766
x.x.x.81 1285575
x.x.x.82 1166756
x.x.x.83 1092135
x.x.x.84 1073821
x.x.x.85 1141621
x.x.x.86 1133532
x.x.x.87 1058285
x.x.x.88 1048255
x.x.x.89 1209209
x.x.x.90 1136792
x.x.x.91 1069963
x.x.x.92 1057058
x.x.x.93 1121637
x.x.x.94 1128962
x.x.x.95 1031653
x.x.x.96 1030381
x.x.x.97 1311889
x.x.x.98 1160407
x.x.x.99 1088350
x.x.x.100 1090587
x.x.x.101 1146524
x.x.x.102 1134417
x.x.x.103 1054936
x.x.x.104 1044601
x.x.x.105 1206107
x.x.x.106 1126080
x.x.x.107 1060212
x.x.x.108 1046358
x.x.x.109 1110790
x.x.x.110 1119034
x.x.x.111 1036203
x.x.x.112 1025151
x.x.x.113 1239712
x.x.x.114 1125907
x.x.x.115 1059326
x.x.x.116 1041760
x.x.x.117 1100008
x.x.x.118 1095607
x.x.x.119 1023199
x.x.x.120 1025290
x.x.x.121 1194711
x.x.x.122 1107546
x.x.x.123 1046629
x.x.x.124 1040910
x.x.x.125 1105172
x.x.x.126 1145872
x.x.x.127 985964
x.x.x.128 986104
x.x.x.129 1442315
x.x.x.130 1204525
x.x.x.131 1115891
x.x.x.132 1086213
x.x.x.133 1148537
x.x.x.134 1135487
x.x.x.135 1061941
x.x.x.136 1047919
x.x.x.137 1210584
x.x.x.138 1130277
x.x.x.139 1064659
x.x.x.140 1059272
x.x.x.141 1120880
x.x.x.142 1117912
x.x.x.143 1033455
x.x.x.144 1024556
x.x.x.145 1245701
x.x.x.146 1129222
x.x.x.147 1058225
x.x.x.148 1042170
x.x.x.149 1102226
x.x.x.150 1108112
x.x.x.151 1033029
x.x.x.152 1018604
x.x.x.153 1175163
x.x.x.154 1097739
x.x.x.155 1038438
x.x.x.156 1023688
x.x.x.157 1086790
x.x.x.158 1095228
x.x.x.159 996251
x.x.x.160 1001094
x.x.x.161 1276329
x.x.x.162 1128019
x.x.x.163 1050767
x.x.x.164 1031524
x.x.x.165 1092194
x.x.x.166 1086726
x.x.x.167 1013206
x.x.x.168 1002480
x.x.x.169 1166589
x.x.x.170 1087625
x.x.x.171 1023086
x.x.x.172 1007972
x.x.x.173 1071052
x.x.x.174 1072040
x.x.x.175 993387
x.x.x.176 983700
x.x.x.177 1193184
x.x.x.178 1081461
x.x.x.179 1014492
x.x.x.180 1007535
x.x.x.181 1063379
x.x.x.182 1056237
x.x.x.183 986611
x.x.x.184 974867
x.x.x.185 1130743
x.x.x.186 1054739
x.x.x.187 993950
x.x.x.188 988367
x.x.x.189 1047415
x.x.x.190 1076031
x.x.x.191 948336
x.x.x.192 946319
x.x.x.193 1293959
x.x.x.194 1108300
x.x.x.195 1036982
x.x.x.196 1012541
x.x.x.197 1070404
x.x.x.198 1062760
x.x.x.199 994345
x.x.x.200 1000985
x.x.x.201 1150214
x.x.x.202 1070547
x.x.x.203 1005395
x.x.x.204 990207
x.x.x.205 1055065
x.x.x.206 1053152
x.x.x.207 973577
x.x.x.208 964460
x.x.x.209 1173406
x.x.x.210 1070650
x.x.x.211 1002023
x.x.x.212 983619
x.x.x.213 1039752
x.x.x.214 1035196
x.x.x.215 969089
x.x.x.216 957765
x.x.x.217 1115906
x.x.x.218 1035071
x.x.x.219 972473
x.x.x.220 971376
x.x.x.221 1027993
x.x.x.222 1039586
x.x.x.223 943255
x.x.x.224 942572
x.x.x.225 1214697
x.x.x.226 1067487
x.x.x.227 995786
x.x.x.228 978545
x.x.x.229 1036333
x.x.x.230 1039868
x.x.x.231 973194
x.x.x.232 962046
x.x.x.233 1112893
x.x.x.234 1036105
x.x.x.235 976903
x.x.x.236 964068
x.x.x.237 1024653
x.x.x.238 1025546
x.x.x.239 948607
x.x.x.240 948034
x.x.x.241 1157102
x.x.x.242 1046467
x.x.x.243 977487
x.x.x.244 962750
x.x.x.245 1017034
x.x.x.246 1011215
x.x.x.247 948181
x.x.x.248 944969
x.x.x.249 1108805
x.x.x.250 1039464
x.x.x.251 995880
x.x.x.252 981302
x.x.x.253 1024893
x.x.x.254 1226421
x.x.x.255 679518

Grafically:

Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

How much does it take to ping the whole Internet?

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

  • We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
  • We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

  • In our case we will consider as 58 bytes per ping.
  • Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?