|
In the upcoming Internet Measurement Conference being held next week in Vouliagmeni, Greece, a team of six researchers will be presenting a paper called “Census and Survey of the Visible Internet,” based on a comprehensive census of more 2.8 billion allocated IP addresses on the Internet. The research is claimed to be the first comprehensive census of its kind in more than two decades.
The study, which has found a surprising number of unused IPv4 addresses, took 62 days to send 3 billion probes (commonly called “ping”) from four machines. “An Internet census is just that: every single assigned address in the entire Internet was sent a probe,” said John Heidemann, a research associate professor in the department of computer science at the University of Southern California (USC) and the paper’s lead author. “Our data suggests that maybe there are better things we should be doing in managing the IPv4 address space.”
The colors in the Internet map above represent census of all allocated addresses where each address was sent an ICMP ping message and results were recorded. Brighter colors indicate more replies, darker, fewer. Greener means more positive replies (“yes, I’m here”), redder indicates more negative replies (“not allowed”, “router but no host”, etc.). Yellow indicates a mix of positive and negative replies. Blue indicates areas that were not probed because they were not public, allocated, unicast address space. (Source: University of Southern California’s Information Sciences Institute)
Related Links:
Internet Measurement Conference (IMC)
62 Days + Almost 3 Billion Pings + New Visualization Scheme = the First Internet Census Since 1982
ANT Censuses of the Internet Address Space
Census and Survey of the Visible Internet
Probe Sees Unused Internet (Technology Review, Oct 15, 2008)
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API
I have not read the full paper, not yet published, but I hope they know that a lack of reply to ping is not a proof of non-use. Msot used IP addresses do not reply to ping (typically because of a firewall).
This is the second time I have seen this reported in the last couple of days. ICMP as a measure of use, I don’t think so, a very large percentage of the networks I work on and have worked on in the past 10 years will of been counted as dormant by this survey, needless to say those IP addresses are very very much in use.
Brett (Amused)
Yeah, this really isn’t the right technique. Many PINGs will be blocked by firewalls even though the hosts are indeed alive. And many addresses within live subnets won’t actually be assigned to hosts, but they are still “in use” because the subnet is configured. Even in cases where firewalls are allowing PINGs through, subnetting always uses more space than is actually needed for hosts that may respond to PINGs. That space is only wasted if the subnet is sized too liberally. There are also many differences in security policy that dictate what types of ICMP messages are allowed in or sent back out, e.g., block inbound ICMP and send no reply at all; allow echo and echo reply only; allow echo / echo reply / time exceeded / source quench / fragementation needed, etc. If they were trying to map out what the title of the paper implies, what is the “visible” Internet, then fine, that is interesting data and speaks more to the variations in security policy. But if they are trying to determine what IP addresses are actually in use, that is close to impossible to do. The only decent ways are (a.) to look at the Internet routing table and see what prefixes are there, aggregates or specifics or (b.) to look at the RIR databases to see what addresses have been allocated by RIRs and re-assigned by ISPs, and sum them all up. Even if the addresses are not PINGable or visible in the Internet routing table, it does not mean they are not in use.
Saw a presentation from Fyodor at defecon this year. I hope he’s already seen this paper, because he’s got a beautiful extension to add to the data - in the course of working on some improvements to nmap, he nmapped ipv4 last year.
He had interesting data on top open ports and rate of diminishment of return, that is, if you scan 20 ports, and then 300, you see more systems up in the more exhaustive scan. But how many ports do you need to hit to argue that you’ve seen X percent of systems which are discoverable by more exhaustive scans using his tool?
Oh, top open port? Telnet then SMTP, or vice versa. Telnet was embarrasingly high ranking.
We can also compare the unused IP range with the total IP address allocated by country.
http://www.ip2location.com/ip2location-internet-ip-address-2009-report.aspx