
All right, good afternoon everybody. I'm Kurt Barnard, and I'm presenting on Who Watches the Watchers: Understanding the Internet Background Noise. Real quick, just to tell you a little bit about myself: I'm Kurt, I started a company and moved onto a sailboat full-time. I'm a one-handed sailor. People think living on a boat looks a little bit like something on the left, but it's a little bit more like something on the right; people like to call it fixing your boat in exotic locations, and it feels that way sometimes. I often refer to my boat as my mobile offshore computer network exploitation platform. I like to tell people I seek international waters to cover my bases.

But to tell you about what we're going to talk about today: I'm going to talk about internet mapping, or internet cartography. I'm going to start out with that and go into detail about mapping in general and mapping of the internet. I'm going to talk about some neat TCP/IP stuff (maybe it's neat, I don't know), and I'm going to talk about mapping tools, technologies and websites, and actors: who's doing it and why. Then I'm going to go into the background noise of the internet, and then I'm going to demo a tool that lets you listen to the internet background noise. There's going to be a QR code at some point so you can actually go to the link, so get ready for that.

So I'm going to talk about internet cartography and the fact that people love internet maps, for some reason that doesn't make a whole lot of sense to me, and we're going to talk about why that does or doesn't make sense. But to get started I want to talk about regular maps for a minute. This is the standard world map from the CIA Factbook. It's primarily geopolitical, so you know where the countries are, and there's some high-level topology of the oceans and mountain peaks and things like that. But I want to spend a little bit of time talking about why people make maps, for what purpose, and what questions they answer.

Some of the earliest maps looked a little bit like this. On the left is a celestial map from 1670. Primarily these were used for navigation; celestial navigation was really the first form of navigation, and to make inferences about the changing of the seasons it was the best way to do that. This map doesn't look like our star maps today because there are lizards on it, because that's what made sense for the people back then. On the right is a map of the known world in 1482. They thought it was very important to have people blowing at the corners of their maps, so they included those in their maps. Maybe you would not see that today, but it existed in a place and time and this was the known world. Of course you also notice that there's a huge missing chunk of the planet, which got bumped into later, which is where we are today.

So if you're planning a trip to old Las Vegas and you wanted to decide where you were going to go or what you were going to see, you might actually use a map like this that shows you what the attractions are in old downtown Vegas. You probably wouldn't use this to actually navigate, unless you're one of those psychos that uses landmark navigation, in which case you would use this map, but really it's just to give you a rough idea of the scale and relationship of the features that exist. There is a crossroad that you can see that's an anchor point, but this is something you would use to figure out what you want to do and see when you come to Vegas; you probably wouldn't use this map to figure out how to get there. You'd probably use something like this to figure out how to get there, which is what we used to figure out how to get to the hotel, and this is what everybody uses day to day, but it's primarily for navigation purposes, although there's a lot of landmark finding in this now.

But I actually want to take a little bit of time and talk about the maps and navigation aids that you use when you're sailing. Hopefully some of this is new to you, but I think it's a little interesting to make some comparisons to internet mapping technology. So I'm going to talk about nautical charts first for a moment. Nautical charts contain aids to navigation and hazards to navigation. There's a really interesting thing that I learned when I started sailing, which is that the bottoms of bodies of water are not static; in fact it's quite the
opposite: they're moving and shifting all the time. So in order to actually get this data, either NOAA or the Coast Guard, depending on where you're at, will actually go out and do sonar soundings of the floor; they'll paint the ocean floor and create these maps that have these contour lines, but they have to be updated all the time. For example, when we were going down through Florida, due to the recent hurricanes that went through Florida, all the maps were wrong and everything was totally different, and if your boat goes six feet underwater like ours does, you can run aground if you're not careful. That's not good, so you have to pay very close attention, and they actually have to send boats out to do soundings of the ocean floor to update these maps, and if you're using paper maps you have to buy the new ones, which is kind of a pain.

One thing that you might see on here are these red and green, and some yellow and black, markers. These are called aids to navigation, and they're buoys that mark generally where they dredge and what the safe parts of the water are to travel through. So this brings us to our second aid, the buoy. The buoys actually have to get updated regularly, so the Coast Guard will go drag buoys around to mark moving shoals. So really you use the nautical charts to tell you roughly where you're going to go and what buoys to look at, and then you have buoys that get moved around on a weekly or monthly basis based on shifting shoals, but those are what you actually need to pay attention to; that's what's going to tell you if you're going to hit the ground or not.

Then in a totally different vein, you have these things called piloting charts, which are managed by NGA, that show trends in oceanographic weather over time. What you're actually looking at here, these little blue weather-vane-looking things, show the prevailing winds: how often they are out of which direction, how strong they are, and how many days are calm, averaged over a thirty-day period. I think this is for the month of September, and every single month there's a different chart. A piloting chart is going to show you what the general conditions are going to be like, so a chart like this you're going to use to say, if it's the month of September and I want to go from Charleston to Miami, what kind of conditions can I expect. It also shows wave heights, but these are over long periods of time; these are averages over like 30 years. These don't really get updated very much, and when they do it's minute changes, not really strong changes; these are updated pretty infrequently. Oh my gosh, what happened? Yeah, so the NGA actually owns these charts.

Then you have maps, or weather forecasts, that come out of the National Hurricane Center. This is Hurricane Hector, which is pretty relevant today. This is going to inform folks that are making national-level policy, planning disaster relief, organizing FEMA and saying, hey, what do we do to help the people that are going to be in the path of this hurricane. Yeah, you might use it to figure out that you're not going to have a picnic on Friday, but that's not the primary purpose of something like this.

Then you have a pretty standard weather map. This is what you use when you sail, but you might go to weather.com or weather.gov. This is showing the prevailing winds; that's going to give you the current, up-to-date information on what the winds are doing and if there's rain, like right now. So it answers questions like, am I going to need a jacket or an umbrella, is it windy enough to go sailing, things like that.

So I don't want to pick on the Department of Homeland Security, because they have a
very, very hard job, but I do want to talk about some of the things they've done, and some of them I think are kind of funny. So there's this piece of legislation that came out in 2015 called the Cybersecurity Information Sharing Act, and it spurred this conversation at the Department of Homeland Security, and spawned this conversation on what they call a cyber weather map. Their goal was to have the types of maps that I just showed you that apply to cyberspace at a national level. DHS is in a really tough position, because they have a very hard problem, to defend cyberspace of the United States on a national level, so I'm giving them a little bit of slack here. But at least in their defense, they came up with some very specific questions that they hoped a cyber weather map would answer, such as: Are we (I don't know who "we" is) under attack? Who is attacking? (I also don't really know what that means in this context.) What are the consequences? (That's pretty good.) And what are the next targets? (I think that's a little optimistic.)

Then I want to quote the former Deputy Secretary for Cybersecurity. I put this quote in Comic Sans on purpose. This was an outcome of CISA, where she says things like: "In English, it means that the threat indicators that show you what might be good and bad in cyber, and away with all the privacy, civil liberties expertise, collect them in one place..." I'll let you read the rest of it, I won't read it to you, but these are the kinds of quotes that we have unfortunately come to expect out of policymakers in cybersecurity.

And what actually came out of that: I'm going to show you a slide from her presentation at the RSA Conference in 2016, where she showed what she thought that looked like, and it's a slide that looks like this, which I think all of us have probably seen something that sort of looks like. There's a bunch of dots, they're all red, they're all geolocated, and I have no idea what they mean. There's a word cloud down here that says DNS, so that's neat, I guess. I don't know how many dashboards I have looked at that look like this. If you remember those four questions that they thought they were answering, I don't know which one of these gets answered by it; for me it's zero. But what this actually looks like, honestly, is a little bit more like a Hurricane Center map than like a weather map that the average person is going to want to pay attention to. They might say, hey, we have X number of vulnerable IoT devices, we might need, at a national level, to prepare for something that's going to come out of some sort of IoT attack. But certainly I wouldn't expect my mother to look at this map and decide, ooh, I need to be really careful about phishing today. And I'm not really sure that there's a map like that that exists for the average, normal consumer of computing technology. I will say valiant effort, but I personally don't really get it.

A big thing that I've always questioned when I see maps like this is how useful the actual geolocation data is. So I have a saying that I like to throw around. If you've heard "the cloud is just someone else's computer", I like to say geoIP data is pretty much just MaxMind or Neustar. It's the two people that provide these data sets, and everybody just compares the two, so really the geoIP stuff is just straight out of these two data sets like 99% of the time.

So I want to talk for a minute about some cool IPv4 stuff, and this is cool if you're into governance and stuff. I'm going to talk about ICANN for a minute, which is a really sexy topic for B-Sides
but I just want to talk a little bit about IPv4 at a really high level, and how high-level organizations conceptualize IPv4. You probably have heard of ICANN, which ostensibly is the governing body for the internet; that's probably what you've heard about it. It was internationalized in, I guess, 2015 or something like that; control was taken away from the United States and it became a multi-organizational organization, I guess. Pretty much they're responsible for DNS, IP address allocation and name disputes. They're the ones that get to decide whether .sucks can be a valid TLD or not, and they decided that it can, I guess.

Then IANA, if you've heard of IANA: this is the OG responsible authority for delegating IPv4 addresses and IPv4 networks. They actually predated ICANN but have now been reorganized under ICANN, but they still do the same thing, I guess. So they're responsible for internet numbers and DNS management, except they delegate it further to the Regional Internet Registries, that are responsible for apportioning these out to organizations within their areas of responsibility, which looks strikingly like... oh, I'm losing my connection here, there we go... which looks strikingly like the United States Department of Defense areas of responsibility for the unified combatant commands. Not that they're related in any way, I just thought it was funny, and we were talking about maps.

Then they created this thing called the NRO, which is actually not the National Reconnaissance Agency but the Number Resource Organization, which is tasked with protecting unallocated IPv4 addresses and being a central input for the RIRs. It sounds like everybody's just punting to somebody else. Then they created this thing called the ASO, which provides input back into ICANN, so you have this weird circle of pain that doesn't really make any sense to me; maybe it makes more sense to somebody else. But they get to do things like have really sexy conferences about the WHOIS database, so that's pretty much what they do.

So just real quick: reports of IPv4 exhaustion have been greatly exaggerated. "Greatly" is kind of a misnomer, but this depends totally on who you ask whether or not there are still IPv4 addresses. When people say we're out of IPv4 addresses, that means that all of the assignable network blocks have more or less been allocated; all these IP addresses are not actively being used by computers right now, so there's a big difference. Actually, if you go to the RIPE NCC website and look at their reports on IPv4 exhaustion, they actually have IP addresses still in the free pool, in a single /8. But what's interesting here is if you look at the line at the top (it's supposed to be dark blue but it looks black), these are reclaimed IPv4 addresses. They do this interesting thing where they ask network owners to return IPv4 addresses back to them, and they put them in this cool-off period where they sit for a full year before they can be used again, because they want to make sure that they're not actually being routed, because IPv4 routing is way more democratized than people like to think; it's not a fixed way that these packets get routed. So they put them in a timeout box for a year to make sure that they're not getting routed anymore. But you can still send packets to those IP addresses and they'll still go somewhere; they'll just eventually not get routed where you expected them to go.

Then some interesting statistics about how IP addresses are allocated: the United States has a whopping 34 percent of all existing IPv4 addresses, and that's only above the bogons, which are the non-routable IP addresses, so these are the 127s and the 10-dots of the world. So the United States is the only country that has more IP addresses than the non-routable IP addresses that exist in IPv4 space, which is kind of funny, but since these IP addresses have been unroutable for so long you can't make them routable; you can't change the RFC and make them routable because you'd break everything that has been made ever since IPv4 existed. Right behind them are China, Japan and the United Kingdom. But in IP allocations per capita, the Holy See comes in at a shocking number one, because they only have about 800 people. It's a Catholic nation-state basically; it's not the Vatican, but yeah, it's like 21 IP addresses per person, so good on them. And then Scandinavia comes in strong.

So real quick, just to talk about how many IP addresses
there are. We talked about bogons real quick, but most of you know the 10-dots, the 172.16s through 172.31s, and the 192.168s. I didn't (maybe I was just stupid) know back in the day that all 127 prefixes go back to the localhost adapter. So I have a lot of fun putting in my hosts file a bunch of fake DNS names, so when I'm testing stuff, instead of using 8080, and then 8081 and 8082, I just bind it on 127.0.0.2 and 127.0.0.3 instead, and it's a little bit cleaner. But you can route all of those 127 addresses to your loopback interface, which is kind of cool. And 0.anything is just totally not routable. So what you end up with is actually a number of IP addresses that is a lot lower than 2 to the 32, which is what most people say. So when you talk about scanning all IP addresses on the internet, you're not actually talking about 2 to the 32; you're talking about a number that's much less than that, but still very large.

There are also tons of known IP blocks. I mean, there's a Wikipedia page about who owns all these /8s; you can go there today. The DoD owns like 10 for no good reason; they just have a huge number of them and they don't use any of them. But also there's some interesting stuff like AWS, which has large published net blocks that you can see. So if somebody's like, hey, I want to scan every node in EC2, you just go here, fetch all the CIDR blocks, and then you can scan them all and see what everybody's running in AWS EC2. And there's a really interesting component of that with AWS and the cloud providers in particular, because if you remember I talked about how the RIRs use a one-year cooldown period to make sure that IP addresses aren't getting routed anywhere else before they get reused. Not so when you're getting an IP address from AWS: there's no cool-off period, and so as soon as you use that, you're getting dead traffic that was intended for the hosts that came before you. That's really interesting, and that's what we're going to talk about here in a minute. GCP, Google Cloud Platform, has the same thing, although it actually requires you to run an nslookup on a TXT record or something like that.

So you all probably know the highest TCP port is 65535, which is not a power of two, and that's because of course zero is counted. But I didn't know this before I started making this talk: you can actually use port 0. Port 0 is a real, valid TCP port. You can't connect to it using the bind function, because the bind function just makes it a random ephemeral port, but if you override the bind function you can actually create sockets on port 0. I had no idea; I thought that was mind-blowing when I learned that. But the well-known ports are below 1024, so those are the static services that are established, and then of course everything up to 65535 are the ephemeral ports.

But to do a TCP SYN and see if a port is open and get a SYN-ACK back, it's going to take 40 bytes. That's what you'll need to send out of your network, and that's what will get returned to you, about 40 bytes. For UDP it's the exact same thing except UDP is smaller, so it's only 28 bytes. So I want to talk about the bandwidth required to scan IPv4. I'm talking about a reduced IP space, like we talked about; we're getting rid of the bogons and the unroutables and things like that. So just from a bandwidth standpoint alone, if you wanted to scan for one port on all TCP/IPv4 addresses that are routable, it's going to take 85 gigs of data transfer, and if you're using AWS EC2 pricing it's going to cost you about 12 bucks. If you do 10 ports, it's about 850 gigabytes and it's going to cost you 130 bucks. If you want to do all 1024 ports, it's going to cost you twelve thousand bucks. Plus UDP, one port: the very gratifying $7.99. I didn't make that up; it's actually $7.99 on the nose. It's a little bit less for UDP because the size is so much smaller. Then if you were to scan twice a week for a year and store that in S3, this is what your cost would be. It's actually really cheap to store; S3 is really cheap. For a year of scan data twice a week, you end up at 10.28 per month, which actually isn't too bad.

So I'm going to talk about why we're
not going to talk about IPv6. People exaggerate the size of IPv6, but only barely, to be practical. Theoretically it's 2 to the 128th, which is that number there, which I have no idea how to pronounce. Not all the blocks have been allocated. All IPv4 blocks have been allocated, so you used to be able to do firewall ingress filtering based on unallocated IPv4 blocks, but IANA advised not to do that back in 2012 because all the blocks have been assigned. You can still do that with the blocks that have been reclaimed and are in the cool-off period but not reassigned, but the number of blocks is so small it doesn't make sense; it's too much overhead. But with IPv6 you can do that, because not all the IPv6 networks have been handed out and you can tell which ones have been assigned and which ones haven't.

IPv6 carriers also typically use this thing that is abbreviated SLAAC, and basically what it means is a bunch of the bits in your IPv6 address are actually set to your MAC address by default, and so the only hosts that will be on your network have an actual valid MAC address. The way that MAC addresses are designed, there are fixed prefixes based on the vendors that make network cards, so you can actually drastically reduce the number of IP addresses that you'd have to scan for, based on what the valid MAC address prefixes are, because most people use SLAAC. If you use some of these tricks you can reduce the number of bits in a /48 subnet to 41, but that's actually still crazy. So scanning a single /48 with masscan, which says it does 10 million IPs per second, would take you two and a half days, but there are 2 to the 78 of these. And if you look at the cost here, the cost of scanning a /48 is like $11,000, so doing that 2 to the 78 times is just not going to happen.

So there are some really interesting tricks that people have done to collect valid IPv6 addresses. You can scan for DNS AAAA records that are going to have IPv6 addresses in them, although you're only going to find IPv6 addresses that people want you to find. Shodan did something really interesting and slightly controversial where they actually created a Network Time Protocol server that they added to the default pool of NTP servers for a bunch of IoT devices, and IoT devices tend to use IPv6, so they would reach out and try to get the time updated, and they would collect IPv6 addresses from these IoT devices that were checking to get the current time. It was very clever, and they got banned kind of hard from the NTP pool because you're not supposed to do that, but it made for some interesting reads on the forums.

There are a couple other things I want to talk about real quick. This has to do mostly with passive OS fingerprinting. I don't know if you guys have heard of a tool called p0f, but it is a tool that lets you figure out what the operating system is of a host that's connecting to you, based on network packet metadata. I'm going to talk about two metadata fields that they use to do that. One of these is ephemeral port selection. We talked about the 1024 ports; under 1024 they're static, but the ones above that are called ephemeral, meaning they get used by the operating system for outbound connections. But how those ephemeral ports actually get selected by the operating system depends on what the operating system is. So for example, on FreeBSD the ephemeral port range doesn't start until 10,000; on Microsoft Server 2003 it starts at 1024 and only goes to 5,000. So if you had a packet come in and the source port was 4999, you would know that it could be Microsoft Server 2003 but it could not be FreeBSD, and using a number of different techniques like this you can figure out what the operating system is.

Another example is going to be TTL, or time to live, which is the field that determines how many hops a packet can take before it gets terminated by the router and doesn't get routed any further. Initial TTL selection is again different based on the operating system. Solaris just went ham and made it 255, as big as it could possibly be, but some of them are as low as 30, which is pretty low, but in reality that's pretty sufficient for how many hops most servers are away. And UDP on some of them is smaller; I don't really know why. The only thing I can imagine is that if you're using UDP you need it to be fast anyway, so you might as well just drop the TTL, because if it's more than 30 hops away you're kind of not really in a UDP situation anyway. But I don't know, that's kind of just a guess.

OK, so I'm going to talk about who scans the internet and ostensibly why they do it. I talked about Shodan a little bit. I don't know if you guys have heard of Shodan, probably, but they became really popular when they started showing that all these industrial control systems were connected to the internet, and basically they made a search engine where you could search for
HTTP headers and find all these machines that are connected to the internet. So they call themselves a search engine for internet-connected devices. They primarily do port scans and banner grabs; they have an API and a web interface. If you look at their website, some of the things that are interesting is they say that they're useful for market intelligence, so if you wanted to know if Argentina is replacing Cisco switches with Huawei switches or something, that's the play that they pitch there.

So Censys was actually a project that was run out of the University of Michigan by the authors of ZMap and ZGrab, and we'll talk about that just a little bit in a second, but they recently turned into a company. They're pretty much the same type of thing as Shodan. They had some certificate metadata in there as well. They used to be run from a site called scans.io and it was all free; they still have a bunch of free datasets, but they don't have a paid API and stuff as well.

Then there's this group called Shadowserver. I don't know if people know Shadowserver, but basically I would have never heard of them if I wasn't running reverse DNS lookups on stuff that I was seeing. Basically they're a nonprofit organization, they're kind of ideologically motivated, volunteer-run. They do a ton of stuff, but one of the things they do is they scan IPv4 at regular intervals. They track botnets and run honeypots and do sinkholes and a bunch of stuff, but these are folks that will scan all of IPv4 space all the time, just like Shodan and Censys.

Rapid7 also has a project called Project Sonar. They're publicly available datasets. They do a lot of things like scanning IPv4, doing HTTPS grabs; they have some honeypot datasets and things like that, but you can go to their website and download these free open datasets as well.

Then there are these guys, USC ISI ANT Lab. Again, I would have never found them, but they have their rDNS queries, which kind of gives them away. They're just a university research lab. They seem to have grants from DHS and NSF, but it's mostly for their graduate information studies program, but they primarily are just doing ICMP, so just pinging all of IPv4, and they've been doing it since like 2003, which is kind of a while.

Then the OG internet scanners are Netcraft, and they've been doing this since like '87 or something, and I had never heard of them until running rDNS queries, so I would have never known. But they pitch themselves as cybercrime disruption, and they're this kind of tiny shop in Bath, England, and they've just been doing this forever. They have probably the biggest dataset, although it's not exactly publicly available, but they give you some graphs and dashboards and stuff. They also do SSL surveys. They talk about providing services that tell you if companies are migrating their hosting providers; so they'll say, hey, this guy used to be on, I don't know, GoDaddy's hosting and now they're on Squarespace or something, I don't know. But they talk about migrating from provider to provider, and they say that they do due diligence for hosting investments and acquisitions, which feels really, really niche to me, but I guess they make money off of it, so good for them.

So some other rad internet directories; these are not internet scanners necessarily. There's this site called Whoisology where you can actually look up a domain name and then it brings up all the metadata for that. So I did a lookup for the BSides Las Vegas .org domain, so of course Jack Daniel put his registration in there, and you can see the other kind of name-squatted domains that were registered by this email address. But you can do it by phone number and street address, and so people that are not very tech-savvy that put in their real home address and are doing private registrations, you can find all the websites that they've ever registered this way, which is kind of interesting.

NerdyData pitches themselves as the source code scanner, or the source code search engine, for the web. In this case I did a search for the Coinhive Bitcoin miner that people are putting on their websites, and you can find a list of sites that have this crypto miner on them that they have scanned.

There's a really cool tool called Wappalyzer that lets you identify different technologies that are running on a web property. It's a GPLv3 tool so you don't actually have to use their website; you can run it yourself, which is kind of cool.

Then there's Common Crawl, which is a nonprofit organization that crawls all of IPv4, or not all of it, the Alexa top 10 million or whatever, and they crawl all their websites and they put them in one place, basically saying we crawl the web so you don't have to, and I think that's a great idea, because everybody feels like they need to be the one that makes a crawler.

So a really quick timeline of some scanning technology and history. Like I said, Netcraft is kind of the OG in '87, so if you know somebody that was doing it before Netcraft, tell me, because I want to talk to them. Then netcat, the Swiss Army knife of networking, was '95. Nmap was '97, featured in The Matrix, I might add, and then Zenmap featured in The Bourne Identity; they have very good PR people, I guess. Then Shodan came around in 2009. Shadowserver, oh, that's out of order, got started in 2004. Then ZMap and ZGrab were in 2013 and 2015, and then masscan was published in 2013, which had its own network stack, which let it scan 10 million IP addresses per second, which is enough to melt your own network but not the network that you're scanning. And then Censys just came out in 2015; scans.io was out a little bit before that.

OK, so there's a ton of internet background noise, and it's sort of just the cost of doing business, especially if you're running any infrastructure in a VPS provider. With AWS, as soon as you kick off an instance you're just getting slammed with network traffic, whether you actually see it or not; a lot of times it's on non-standard ports. With my company we actually built a tool that analyzes that background noise, so we just listen for what all the background noise
looks like in those VPS providers and I wrote a tool that I collected some data on and the data was super uninteresting because I was going to present it and then it just like wasn't interesting but I'll tell you about it and I'm gonna open-source it like right after this talk so maybe you guys can help me make it interesting data I don't know but basically I look to see who's scanning what ports on what VPS providers and real quick tour since we are like talking about port 0 so that this is like a graph in Cabana of all the port scanning activity that's scanning for things on TCP port 0 and there's actually the source is like 50
percent it's this like Russian IP address for some like Russian telecom single IP address which is kind of interesting to me it's called Russia IT deluxe so that's cool yeah so I wrote this custom sensor and basically it's just like a little flask app it's like a little webserver and the intention was to try to feed a bunch of like like like feed some data to people that were scanning HTTP servers to see if they would like crawl links and if they would crawl links were they going like depth-first or breadth-first see if they were like execute JavaScript and if they would execute JavaScript I send them a monaro like Bitcoin miner to see if they'll
crack some hashes for me they won't but I thought I would give it a try and basically I was going to build this to try to characterize what different tools do oh the other thing it does is whether or not no matter what resource is requested it always sends a 200 ok response and it just sends ok as the words and so there are a lot of tools that like will abort if the resource is in there so for example if they're trying to like brute force your login script if log in CGI returns 404 they're gonna stop but if you return 200 they might keep going except that's not actually what I found but in any case so
you can check this out I just open sourced it it should be public now so if you want to contribute and like add some tests that might produce more interesting data than what I actually had that'd be cool yeah so this is yeah this is just shows that data streaming again into elasticsearch and kibana but it wasn't very interesting so what I'm gonna show you though is the system that I use to generate this data it's live streams port scans back to a central location in real time and I just set up this little interface that converts the destination port numbers into music and kind of like just sends it to your browser so I'm gonna show that real fast
but you can check that QR code and it will come up it doesn't work on iPhone and I don't care oh I'm not on the internet so it's not gonna work but I'll bring it up but that's all my slides other than if anybody has questions so I'll just bring it up while you guys ask questions do you have any
yeah yeah, other stuff that I set up, well I mean yeah, I mean all those folks that I went through and talked about, like Shodan and Censys, they are all actively scanning every flush, so they have like a set of ports, I don't know if I'm answering your question, but have like a list of ports, like some of them are like 20 ports, and they'll scan them like every day or every week, and they will, I mean they will actually go out and run tools like masscan to see what on IPv4 is like open
yeah yeah yeah yeah, so I don't run any of that, I mean I see a ton of it, I mean it's all the time, so just like by being in IPv4 space like you're gonna see, whether it's on SSH or telnet, that people will also just look for like WordPress login forms and like use default passwords, yeah that's all the time, and especially with IoT stuff you can actually do some interesting correlations, so if like a new like SOHO router vulnerability comes out, if you like follow that like trailing by like one day you'll start to see people scanning IPv4 just totally shotgun blasting for the vulnerable resources and like the default usernames and
passwords or whatever like authentication bypass there is, you can actually see that stuff all the time. I still see like Shellshock stuff just like hitting all of IPv4 like even today, it's crazy. Oh and this came up, and you probably can't hear it from here because audio is not on, but it's moving, that's audio, and so if you go to rocket threshing Florida IO and you don't have an iPhone you can turn, this is the only time a presenter is going to tell you to turn on the audio on your cell phone for a talk, but if you go here you can hear it, it sounds a little bit like distorted guitar music, it doesn't sound
good, but open the HDMI
oh I don't hear it still, huh, oh I'm muted, there you go [Applause] okay yeah so you're listening to the background noise of the internet, so there it is. All right, so if they're nice, yeah
yeah yeah [Music]
yeah you know, so that's interesting, so there is ICMP, it's not actually a port, it's called a code for ICMP, so there's a lot of ICMP traffic that's code zero, but you actually have to check to make sure that the protocol is set to TCP and not ICMP. I see like not a lot of it but like nonzero definitely, and it's the type of thing where exactly like you said, like a slight misconfiguration or even like an off-by-one, like if you say like 1 to 1024 like in your rules you're gonna miss port 0 altogether, and it's like an easy way for people to like slip in through human error to like get
a connection that your firewall's not gonna block. You can, I mean you can use port 0 just like you can use any other port, I mean like I would say a legitimate reason to use port 0 is because you have a service that runs on port 0, like why you would actually do that doesn't make any real sense because it's a non-ephemeral port that doesn't have an official designation and you have to write a custom like bind function in order to use it in the first place, so I would say like generally speaking if I was a network administrator I would probably block port 0 just like as a matter of course, and if somebody complained I would ask them why they're
complaining yeah yeah
all right yeah that's it, I'll be around, I'm here for a few days, so you guys, I think, have some of my contact info, but I'm happy to answer more questions after one-on-one, so thanks very much [Applause]
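The always-200 sensor the speaker describes (every requested resource answered with 200 OK and the body "ok", so tools that abort on a 404 can be watched to see whether they keep going), as an added example that is not the speaker's Flask tool or any released code: it uses only the Python standard library, and the function names, the request-log layout and the "constructed-scanner" user agent are my own choices.

```python
"""Always-200 HTTP sensor (added example, stdlib only; not the talk's
Flask tool). Every request, whatever the path, gets 200 OK with body
'ok', and the request is logged so scanner behaviour can be summarised
afterwards. Function and variable names here are my own choices."""
import threading
import urllib.request
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUEST_LOG = []             # (client_ip, method, path, user_agent)
_LOG_LOCK = threading.Lock()


def respond_to_any(path):
    """The sensor's whole policy: no matter what resource is requested,
    the answer is 200 OK with the literal body 'ok'. Returns (status, body)."""
    return 200, b"ok"


class SensorHandler(BaseHTTPRequestHandler):
    """Logs the request, then answers with respond_to_any()."""

    def _serve(self):
        status, body = respond_to_any(self.path)
        with _LOG_LOCK:
            REQUEST_LOG.append((self.client_address[0], self.command,
                                self.path, self.headers.get("User-Agent", "")))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _serve
    do_POST = _serve

    def log_message(self, fmt, *args):   # keep the console quiet
        pass


def start_sensor(host="127.0.0.1", port=0):
    """Serve on a background thread; port 0 lets the OS pick a free port.
    Returns (server, port) so the caller can find it and shut it down."""
    server = HTTPServer((host, port), SensorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, paths, user_agent="constructed-scanner/1.0"):
    """Local client used to exercise the sensor: fetch each path and
    return a list of (status, body)."""
    results = []
    for path in paths:
        req = urllib.request.Request(f"http://127.0.0.1:{port}{path}",
                                     headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=5) as resp:
            results.append((resp.status, resp.read()))
    return results


def summarize_log(log=None):
    """Per source IP: request count, distinct paths and user agents. A
    client that keeps walking after a path that would normally 404 shows
    up here as many distinct paths from one source."""
    log = REQUEST_LOG if log is None else log
    out = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for ip, _method, path, agent in log:
        out[ip]["requests"] += 1
        out[ip]["paths"].add(path)
        out[ip]["agents"].add(agent)
    return dict(out)


if __name__ == "__main__":
    server, port = start_sensor()
    print(f"sensor listening on http://127.0.0.1:{port}/ (Ctrl-C to stop)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Run it on a throwaway VPS and `summarize_log()` gives, per source, how many paths it kept requesting after the first one; because the body is always "ok", nothing on the sensor is real and no real login page is exposed.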
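The two port-0 checks from the Q&A, as an added example that is not the speaker's tooling: separate real TCP port-0 probes from ICMP "code 0" records before counting sources (the Kibana view of one IP being most of the traffic), and test whether a port-range rule written as "1-1024" actually covers port 0. The key=value record format, the sample lines (RFC 5737 documentation addresses) and all function names are constructed for this example.

```python
"""Port-0 triage over connection records (added example; record format,
sample lines and function names are all my own constructions, not the
talk's tool or real traffic)."""
from collections import Counter

# Constructed sample records, one per line, in a simple key=value form.
# ICMP lines carry type/code rather than a destination port.
SAMPLE_RECORDS = [
    "proto=tcp src=198.51.100.7 dport=0",
    "proto=tcp src=198.51.100.7 dport=0",
    "proto=tcp src=198.51.100.7 dport=0",
    "proto=tcp src=203.0.113.9 dport=0",
    "proto=tcp src=203.0.113.9 dport=22",
    "proto=icmp src=192.0.2.44 type=8 code=0",   # echo request: code 0, not port 0
    "proto=icmp src=192.0.2.45 type=3 code=0",   # destination unreachable
    "proto=udp src=203.0.113.10 dport=0",        # UDP, not TCP
    "proto=tcp src=192.0.2.50 dport=0",
]


def parse_record(line):
    """'k=v k=v ...' -> dict; values that are all digits become ints."""
    rec = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rec[key] = int(value) if value.isdigit() else value
    return rec


def tcp_port_zero_sources(lines):
    """Count hits per source for TCP traffic to destination port 0.
    The protocol is checked first so ICMP 'code=0' (or UDP) is never
    mistaken for a TCP port-0 probe."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("proto") == "tcp" and rec.get("dport") == 0:
            hits[rec["src"]] += 1
    return hits


def top_source_share(hits):
    """(source, fraction of all port-0 hits) for the single loudest source;
    the kind of 'one IP is half the graph' view the Kibana panel showed."""
    total = sum(hits.values())
    if total == 0:
        return None, 0.0
    src, n = hits.most_common(1)[0]
    return src, n / total


def parse_port_ranges(spec):
    """'1-1024,8080' -> [(1, 1024), (8080, 8080)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        ranges.append((lo, int(hi) if hi else lo))
    return ranges


def rule_covers_port(spec, port):
    """Does a port-range rule actually include `port`? A rule written as
    '1-1024' silently leaves port 0 uncovered; '0-1024' does not."""
    return any(lo <= port <= hi for lo, hi in parse_port_ranges(spec))


if __name__ == "__main__":
    hits = tcp_port_zero_sources(SAMPLE_RECORDS)
    print("TCP port-0 hits by source:", dict(hits))
    print("loudest source:", top_source_share(hits))
    for rule in ("1-1024", "0-1024"):
        print(f"rule {rule!r} covers port 0: {rule_covers_port(rule, 0)}")
```

With the constructed records, three of the five TCP port-0 hits come from one source, and `rule_covers_port("1-1024", 0)` is false while `rule_covers_port("0-1024", 0)` is true, which is the off-by-one the speaker warns about.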