Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Security Researcher Built Sketchy 420k Node Botnet to Conduct “Internet Census”

A researcher scoured the Internet and harnessed the power of 420,000 devices connected to identify 1.2 million unique unprotected devices. Devices included Webcams, routers, and printers.

A researcher scoured the Internet and harnessed the power of 420,000 devices connected to identify 1.2 million unique unprotected devices. Devices included Webcams, routers, and printers.

The researcher, who posted on the SecLists mailing list Sunday under the name “internet census,” described taking control of open devices by using empty or default login credentials such as “root:root” and “admin:admin.” After finding these devices, the researcher created a botnet, dubbed “Carna,” which acted as a distributed port scanner to scan the IPv4 address space and found about 1.2 million unique devices on the Internet.

Internet Census

From March to December 2012, the researcher scanned service probes for commonly used ports, ping requests, reverse DNS and SYN scans. After completing the scan, the researcher claims to have shut down the botnet and released the devices.

“No devices were harmed during this experiment,” the researcher wrote.

Mark Scholesser, a security researcher from Rapid7 took exception to the methods used in the research. The way the data as collected is “highly illegal in most countries,” Schloesser told SecurityWeek, noting that using insecure configurations and default passwords to gain access to remote devices and run code on them was “unethical.” Taking precautions to not interfere with the device’s normal operations “doesn’t make it OK,” he said. Even so, the research itself was noteworthy as the “most comprehensive Internet-wide scan,” Scholesser said. This kind of research could also raise awareness of real security and configuration issues affecting people, and more projects of this kind, conducted legally, would be helpful, he said.

Many of the devices corralled into Carna were based on Linux and allowed login with empty or default credentials, according to write up of the project. Along with consumer routers and set-top boxes, the researcher found insecure devices such as IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, and networking equipment from Cisco and Juniper Networks.

A lot of the devices should never have been connected directly to the Internet but should have been behind a firewall or some other network layer. The researcher began with the classic telnet login, “root:root” on random IP addresses, not realizing that thousands of unprotected devices on the Internet accepted that username and password combination.

“As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody,’ there are at least 1000 people who did,” the researcher wrote.

With the Carna botnet in place, the researcher was able to send ping requests to every IP address in the IPv4 address space, perform reverse DNS lookups, run Nmap scans, look for common service probes, and execute the traceroute command, to perform a “census” of all IPv4 devices on the Internet. According to the “Internet Census,” there were 420 million IP addresses which responded to ping requests, and 36 million more with one or more ports open. About 141 Million IPs were firewalled and could count as “in use,” according to the project paper. Another 729 Million more IP addresses had reverse DNS records. All this added up to 1.3 billion IP addresses in use, according to the project, with the remaining 2.3 billion addresses showing “no sign of usage.”

Rapid7’s Schloesser noted that this kind of research reveal the “real state of play” on the Internet and was similar to the current project by HD Moore. Moore had found 50 million network-enabled devices that were exposed and at risk to compromise because of an error in how the universal plug-and-play protocol was being used.

“While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world,” the researcher wrote on the project page.

Related: UPnP Security Holes Expose Millions of Networked Devices to Attacks

Written By

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...