FTP and the idea of Diversity

Wouldn’t be nice, if we had a single number that represents the uniformity of a network? A number that shows if multiple hosts are using the same services or they try to be as diverse as possible from the norm.

The idea is based on the following paper.

So, what that actually means? Lets say we have a number of hosts using a specific operating system, then the diversity of that system is very low, instead if the same number of hosts tend to use different operating systems it increases and will continue to do so, until everyone is using a different operating system with different version. That, of course is not limited to operating systems which is rather trivial to calculate (if you have access of the network from the inside, at least).

What we try to do is find servers on the Internet which are happy to talk to us and share information. Using ZMap and banner grabbing techniques, we are able to probe every server which has an open service port and grab information. The results are not always good, some use modified banners, some does not respond at all but luckily there are still some servers out there which respond back to simple techniques.

As this research is ongoing will not be able to reveal major information but will do once it is over. For now, will share what I found really interesting and that is the rate which the servers that actual respond is decreasing over time.

In March 2013 the visible FTP servers which responded to ZMap probes were 1.8 million hosts, a rather small number for the amount of all FTP servers out there. One year later, in April 2014 using a more sophisticated technique we were able to get response from 3.9 million hosts. Although a big improvement in numbers, the actual servers which responded back with useful information are about the same. 1.1 million hosts versus 1.2 million between these two dates.

Even with more servers to get information from, the number of responses was about the same. That can easily interpreted as measures against fingerprinting techniques, which is quite obvious but over time more organizations take actual measures against it. Especially with FTP servers, the banner is not an important feature of the protocol, doesn’t provide any critical data and can be easily modified, that number will continue to decrease over the upcoming years.


Now read this

Persistent IPtables on Raspberry Pi (Raspbian)

This article is not about building proper iptable rules but on how to make iptable configurations to load on every reboot. I have been trying to find a consistent and easy solution to implement iptables on Raspberry Pi (Raspbian-wheezy),... Continue →