Internet Census 2012Conducted a port scan of all IPv4-addresses using a botnet of the routers

The results of the ambitious project of Internet Census 2012, aimed at a complete scan of all ports for IPv4-addresses on the Internet.

Scanning is done from March to December 2012 with the use of a botnet, which was built on the basis of vulnerable routers. As a result, managed to collect the most comprehensive in the history of statistics on active hosts and distribution network ports on the Internet.

To download a complete archive is available to all the collected data (565 GB with compression ZPAQ, gzip archive is 1.5TB), a compilation of reports summary statistics on the distribution of services and a set of images with a visual representation of the address allocation by country and subnets. Particularly interesting visualization of changes in the IP access by time of day and an interactive map that allows you to use standard filters, and can be scaled for larger drill down to the selected providers subnets.

A prerequisite for a full scan of all IPv4-address range served previously conducted experiments to automate port scanning with Nmap to use the package and available engine in it NSE (Nmap Scripting Engine), allowing to automate the execution of any actions on scanning and accumulation of results. As a result of earlier experiments revealed that the network abounds vulnerable embedded devices, many of which are equipped with a standard Linux-environment with BusyBox and open access by the factory password-protected or not (empty or trivial passwords, type root: root and admin: admin).

Just found about 420 thousand of these unprotected devices on which the botnet was created, carried out during 10 months of tasks to distributed scanning network ports. Since the project used illegal methods, the researchers did not disclose their names and act anonymously. However, it is stated that in the course of the experiment, none of the hacked device is not affected (the configuration has not been changed, industrial systems and routers provider pass), the effect of scanning was kept to a minimum (using low intensity scans – 10 IP per second), and botnet after scanning has been eliminated. Along with the download to the device file, scan, delivered a text file describing the nature of the project and email to communicate.

Among performed for each IP-address checks included assessing the availability of the most commonly used ports, ICMP ping, DNS-records request for the IP and the SYN-scan. Scanning was conducted within the backup mode to accumulate statistics section and time accounting systems included only for the period. The result has been accumulated:

– about 9 TB of data, including information about 52 billion checks a ICMP ping;

– 10.5 billion DNS-entries;

–  180 billion records of network ports;

– 2.8 billion SYN-scanning parameters for IP 660 million and 71 billion tested network ports;

– 80 million checks casts TCP / IP;

– 75 million IP ID-sequences;

– 68000000 trace route (traceroute).


– All data collected during the Internet Census 2012 is available for download

Interactive map