As security researchers, we sometimes do massive Internet scanning. We do it like many others are doing it: SHODAN, ERIPP, governments (?), to name a few. To plan a scanning session correctly, we need to know how long it will take for the task we want to accomplish. We propose to do the math in this post.
Our first post regarding Internet scanning can be found in our previous blog article on how not to get caught while doing it.
Calculating packet size
So, you want to scan a portion of the Internet, one of your class A networks (a /8 in CIDR notation), or maybe the full Internet? You have to decide what information you want to extract. Usually it boils down to just identifying open TCP ports. For that, you perform a classic half-open TCP SYN scan.
The size of a TCP SYN varies with the number of TCP options you add. A standard TCP header is 20 bytes. The minimum TCP option you should include is MSS, which takes 4 bytes. A standard IPv4 header is 20 bytes. Depending on your physical network connection, you have to add layer 2 (usually Ethernet, which takes 14 bytes). Now, for the math:
% echo "14 + 20 + 24" | bc
58
58 bytes for a classic SYN. By default, we prefer to count 20 bytes (instead of only 4) of TCP options: MSS (4), window scale (3), SACK permitted (2), timestamps (10) and a NOP (1) for alignment, which is what most stacks send in a SYN. Thus, our TCP header is 16 bytes bigger:
% echo "58 + 16" | bc
74
Note that these sizes are what you hand to the interface. On an Ethernet link each frame additionally costs a 4-byte FCS, an 8-byte preamble and a 12-byte inter-frame gap, and frames shorter than 60 bytes (before the FCS) are padded, so a 58-byte SYN really occupies 84 byte-times on the wire. The replies (SYN-ACK or RST) come back on your download side and do not count against the upload budget.
Is it possible to do this from an ADSL connection?
You may want to do this from your ADSL connection (bad idea). The good news is that it is feasible. Doing the math with the following variables:
- Bandwidth: 100 kB/s upload (about 800 kbit/s, the unit your ISP quotes)
- Target count: 3.7 million (roughly 1/1000 of the routable IPv4 space)
- Tries: 1 (no resend)
- Port count: 1 port
- Packet size: 58 bytes
The calculation is simple: packets per second = bandwidth / packet size = 100,000 / 58 ≈ 1724, and duration = targets × ports × tries / packets per second = 3,700,000 / 1724 ≈ 2,146 seconds. So scanning 1/1000 of the Internet from an ADSL connection takes approximately 35 minutes, at a rate of 1724 packets per second. Not too bad. Now, to scan the full Internet (3.7 billion addresses) for one port: around 25 days. Less than a month. Everyone can do it (and receive abuse complaints).
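The packet-size arithmetic and the timing estimate above, as an added worked example (this is not code from the original post). It reads the post's "100k" as 100 kB/s, since 1724 packets/s × 58 bytes ≈ 100,000 bytes/s, and generalises the estimate to several ports, retries and a line rate given in kilobits per second. The option set names and the 10-port variation at the end are constructed for illustration.

```python
"""Scan-budget calculator for a half-open TCP SYN sweep.

Added worked example, not from the original post.  Reproduces the post's
packet-size arithmetic and its ADSL timing estimate, and generalises it to
several ports, retries and ISP-style kbit/s line rates.
"""
from dataclasses import dataclass

# Header sizes in bytes (Ethernet II, IPv4 and TCP without options).
ETHERNET_HEADER = 14
IPV4_HEADER = 20
TCP_HEADER = 20

# On-the-wire lengths of the TCP options the post mentions
# (RFC 793 MSS, RFC 2018 SACK-permitted, RFC 7323 timestamps / window scale).
TCP_OPTION_SIZES = {
    "mss": 4,
    "sack_permitted": 2,
    "timestamps": 10,
    "nop": 1,
    "window_scale": 3,
}
MINIMAL_OPTIONS = ("mss",)                                   # the post's 58-byte SYN
FULL_OPTIONS = ("mss", "sack_permitted", "timestamps", "nop", "window_scale")  # 20 bytes, the post's 74-byte SYN


def syn_packet_size(options=MINIMAL_OPTIONS, l2_header=ETHERNET_HEADER):
    """Size in bytes of one SYN as handed to the interface.

    The TCP data offset counts 32-bit words, so a real stack pads the
    options up to a multiple of 4 bytes; we do the same.
    """
    option_bytes = sum(TCP_OPTION_SIZES[name] for name in options)
    option_bytes = (option_bytes + 3) // 4 * 4
    return l2_header + IPV4_HEADER + TCP_HEADER + option_bytes


def ethernet_wire_bytes(frame_size):
    """Byte-times the frame actually occupies on an Ethernet link.

    Ethernet pads frames to 60 bytes before the 4-byte FCS and sends an
    8-byte preamble plus a 12-byte inter-frame gap around each one, so a
    58-byte SYN really costs 84 byte-times.  An ADSL line carries ATM
    cells instead, so on ADSL treat this as a lower bound only.
    """
    return max(frame_size, 60) + 4 + 8 + 12


@dataclass
class ScanPlan:
    """The variables the post lists, plus the derived rate and duration."""
    upload_bytes_per_s: float   # the post's "100k" read as 100 kB/s (about 800 kbit/s)
    target_count: int
    port_count: int = 1
    tries: int = 1
    packet_size: int = 58

    @classmethod
    def from_kbps(cls, kbps, **kwargs):
        """ISPs quote upload rates in kilobits per second; convert to bytes."""
        return cls(upload_bytes_per_s=kbps * 1000 / 8, **kwargs)

    def packet_count(self):
        # Only outgoing SYNs count; SYN-ACK/RST replies use the download side.
        return self.target_count * self.port_count * self.tries

    def packets_per_second(self):
        return self.upload_bytes_per_s / self.packet_size

    def duration_seconds(self):
        return self.packet_count() / self.packets_per_second()

    def describe(self):
        s = self.duration_seconds()
        return (f"{self.packet_count():,} SYNs at {self.packets_per_second():.0f} pps: "
                f"{s / 60:.1f} min / {s / 3600:.1f} h / {s / 86400:.1f} days")


if __name__ == "__main__":
    print("minimal SYN:", syn_packet_size(), "bytes")
    print("SYN with the usual options:", syn_packet_size(FULL_OPTIONS), "bytes")
    slice_of_net = ScanPlan(upload_bytes_per_s=100_000, target_count=3_700_000)
    print("1/1000 of IPv4, one port:", slice_of_net.describe())
    whole_net = ScanPlan(upload_bytes_per_s=100_000, target_count=3_700_000_000)
    print("all of IPv4, one port:", whole_net.describe())
    # Constructed variation (not from the post): 10 ports, one retry each,
    # on a 1 Mbit/s upload, with the 74-byte SYN.
    busy = ScanPlan.from_kbps(1000, target_count=3_700_000_000, port_count=10, tries=2,
                              packet_size=syn_packet_size(FULL_OPTIONS))
    print("all of IPv4, 10 ports x 2 tries:", busy.describe())
```

Run it as a script to see the post's 35-minute and 25-day figures reproduced; change `port_count`, `tries` or `packet_size` to see how quickly the budget explodes, which is why the post insists on deciding what you want to extract before you start sending.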