Scanning the Internet in under 5 minutes, on a budget (Daniel Roethlisberger)
August 15th, 2024
Level: Advanced Subject Matter
Abstract:
After a brief introduction to Internet-scale scanning and how it differs from the smaller-scale scanning you might do on a pentest or red team engagement, I'll touch upon the network aspects that affect scan performance. I'll then dive into the nitty-gritty of the systems aspects, such as how to get packets from userspace onto the wire and back at very high packet rates, and other key aspects of Internet-scale scanning, such as how statelessness and reproducibility are achieved with cyclic groups and cryptographic validation, or how IP address blocklists are implemented efficiently. Using ZMap on cheap hardware as the example, we'll breeze through how to root-cause performance bottlenecks by stack sampling and explain the handful of improvements that were needed to bring performance up to the expected theoretical maximum scan rate, achieving the popular claim of scanning the Internet in under 5 minutes.
Bio:
Daniel is a cyber defence practitioner leading Swisscom's detection engineering, threat intel and red teaming efforts. Previously, he was a software engineer with Apple's SEAR working on XNU and security APIs, and has defended Swiss national critical infrastructure with different CSIRTs. He is a part-time university lecturer, a board member of DEFCON Switzerland, and has published with The Citizen Lab as well as on Slovene anthropology. Over time, Daniel has contributed to numerous open source projects, including both Nmap and ZMap.
Video/recordings
[ Slides (PDF) ]