Carna botnet: Difference between revisions
m added links to other wikipedia articles |
|||
(46 intermediate revisions by 34 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Botnet used to census the entire IPv4 internet}} |
|||
[[File:Carnabotnet geovideo lowres.gif|right|frame|World map of 24 |
[[File:Carnabotnet geovideo lowres.gif|right|frame|World map of 24-hour relative average utilization of IPv4 addresses observed using [[Ping (networking utility)|ICMP ping]] requests by Carna botnet, June - October 2012]] |
||
The '''Carna |
The '''Carna botnet''' was a [[botnet]] of 420,000 devices created by an anonymous [[Hacker (hobbyist)|hacker]] to measure the extent of the Internet in what the creator called the “'''Internet Census of 2012'''”. |
||
==Data collection== |
==Data collection== |
||
The data was collected by infiltrating Internet devices, especially [[Router (computing)|routers]], that used a [[default password]] or no password at all.<ref>{{cite news | last1 =Stöcker | first1 = Christian | last2 =Horchert | first2 = Judith | title =Mapping the Internet: A Hacker's Secret Internet Census | newspaper =Spiegel Online | date =2013-03-22 | url =http://www.spiegel.de/international/world/hacker-measures-the-internet-illegally-with-carna-botnet-a-890413.html }}</ref><ref>{{cite news | last =Kleinman | first =Alexis | title =The Most Detailed, GIF-Based Map Of The Internet Was Made By Hacking 420,000 Computers | newspaper =Huffington Post | date =2013-03-22 | url =http://www.huffingtonpost.com/2013/03/22/internet-map_n_2926934.html }}</ref> It was named after Carna, "the Roman goddess for the protection of inner organs and health".<ref name="carna">[http://internetcensus2012.bitbucket.org/paper.html Internet Census 2012: Port scanning /0 using insecure embedded devices] {{webarchive|url=https://web.archive.org/web/20151013010243/http://internetcensus2012.bitbucket.org/paper.html |date=2015-10-13 }}, Carna Botnet, June - Oktober 2012</ref> |
|||
Collected data was compiled into a [[GIF]] portrait to display Internet use around the world over the course of 24 hours. The data gathered included only the [[IPv4]] address space and not the [[IPv6]] address space.<ref>{{cite news |last=Read |first=Max |title=This Illegally Made, Incredibly Mesmerizing Animated GIF Is What the Internet Looks Like |newspaper=Gawker |date=2013-03-21 |url=http://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like |url-status=dead |archive-url=https://web.archive.org/web/20130324015330/http://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like?utm_campaign=socialflow_gawker_facebook&utm_source=gawker_facebook&utm_medium=socialflow |archive-date=2013-03-24 }}</ref><ref>{{cite news | last =Thomson | first =Iain | title =Researcher sets up illegal 420,000 node botnet for IPv4 internet map | newspaper =The Register |date =2013-03-19 | url = https://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/ }}</ref> |
|||
It was compiled into a [[gif]] portrait to display Internet use around the world over the course of 24 hours. The data gathered included only the [[IPv4]] address space and not the [[IPv6]] address space.<ref>{{cite news | last =Read | first =Max | title = This Illegally Made, Incredibly Mesmerizing Animated GIF Is What the Internet Looks Like | newspaper =Gawker | date =2013-03-21 | url = http://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like?utm_campaign=socialflow_gawker_facebook&utm_source=gawker_facebook&utm_medium=socialflow }}</ref><ref>{{cite news | last =Thomson | first =Iain | title =Researcher sets up illegal 420,000 node botnet for IPv4 internet map | newspaper =The Register |date =3/192013 | url = http://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/ }}</ref> |
|||
The Carna Botnet creator believes that with a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.<ref name="carna"/> |
The Carna Botnet creator believes that with a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.<ref name="carna"/> |
||
==Results== |
==Results== |
||
⚫ | Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse [[domain name system]] records. The remaining 2.3 billion IPv4 addresses are probably not used.<ref>[https://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/ Guerilla researcher created epic botnet to scan billions of IP addresses] With 9TB of data, survey is one of the most exhaustive — and illicit — ever done. by Dan Goodin, arstechnica, Mar 20, 2013</ref> |
||
⚫ | An earlier first Internet census by the [[USDHS]] LANDER-study had counted 187 million visible Internet hosts in 2006.<ref>[http://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf Exploring Visible Internet Hosts through Census and Survey] ("LANDER" study) by John Heidemann, Yuri Pradkin, Ramesh Govindan, Christos Papadopoulos, Joseph Bannister. USC/ISI Technical Report ISI-TR-2007-640. see also http://www.isi.edu/ant/address/ and [http://vimeo.com/19424554 video]</ref><ref>[http://www.spiegel.de/netzwelt/web/carna-botnet-internet-zensus-mit-hacker-methoden-a-890225.html Forschung mit illegalem Botnetz: Die Vermessung des Internets] Christian Stöcker, Judith Horchert, [[Der Spiegel]], 21.03.2013</ref> |
||
⚫ | Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse [[domain name system]] records. The remaining 2.3 billion IPv4 addresses are probably not used.<ref |
||
==Further implications== |
|||
⚫ | An earlier first Internet census by the [[USDHS]] LANDER-study had counted 187 million visible Internet hosts in 2006.<ref>[http://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf Exploring Visible Internet Hosts through Census and Survey] ("LANDER" study) by John Heidemann, Yuri Pradkin, Ramesh Govindan, Christos Papadopoulos, Joseph Bannister. USC/ISI Technical Report ISI-TR-2007-640. see also http://www.isi.edu/ant/address/ and [http://vimeo.com/19424554 video]</ref><ref>[http://www.spiegel.de/netzwelt/web/carna-botnet-internet-zensus-mit-hacker-methoden-a-890225.html Forschung mit illegalem Botnetz: Die Vermessung des Internets] Christian Stöcker, Judith Horchert, [[Der Spiegel]], 21.03.2013</ref> |
||
The data provided by the Carna botnet was used by security researcher Morgan Marquis-Boire to determine in how many countries [[FinFisher]] spyware was being used. The use of such legally-gray data to conduct open source analysis raised questions for some, but Marquis-Boire expressed a belief that data is data. "I consider this more like rogue academia rather than criminal activity," he told Wired Magazine.<ref>{{cite magazine |
|||
|url=https://www.wired.com/2013/05/internet_census/ |
|||
|archive-url=https://web.archive.org/web/20161222105713/https://www.wired.com/2013/05/internet_census/ |
|||
|archive-date=2016-12-22 |
|||
|title=Is It Wrong to Use Data From the World's First 'Nice' Botnet? |
|||
|first=Robert |
|||
|last=McMillan |
|||
|magazine=[[Wired (magazine)|Wired]] |
|||
|date=2013-05-15 |
|||
}}</ref> |
|||
==Number of hosts by top level domain== |
==Number of hosts by top level domain== |
||
⚫ | |||
⚫ | |||
{| class="wikitable sortable" |
{| class="wikitable sortable" |
||
|- |
|- |
||
! Number of hosts<ref> |
! Number of hosts<ref>{{Cite web |url=http://internetcensus2012.bitbucket.org/tld_overview.html |title=Top Level Domains. Internet Census 2012 |access-date=2013-05-16 |archive-url=https://web.archive.org/web/20130515041758/http://internetcensus2012.bitbucket.org/tld_overview.html |archive-date=2013-05-15 |url-status=dead }}</ref> !! [[Top Level Domain]] |
||
|- |
|- |
||
|align=right | 374,670,873 ||align=center | [[.net]] |
|align=right | 374,670,873 ||align=center | [[.net]] |
||
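Review bot: in the Data collection paragraph the `carna` reference still ends "Carna Botnet, June - Oktober 2012", while the image caption and the External links entry spell the month "October"; correct the spelling in the reference so they agree. In the Results paragraph, 1.3 billion addresses in use plus 2.3 billion probably unused does not add up to the 4.3 billion possible addresses the sentence starts from, so the text should say what the remaining addresses are or which total the 2.3 billion is measured against.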
Line 64: | Line 74: | ||
|align=right | 6,878,625 ||align=center | [[.in]] |
|align=right | 6,878,625 ||align=center | [[.in]] |
||
|} |
|} |
||
==See also== |
|||
* [[BASHLITE]] |
|||
* [[Mirai (malware)]] |
|||
* [[Remaiten]] |
|||
* [[Linux.Darlloz]] |
|||
* [[Linux.Wifatch]] |
|||
* [[Hajime (malware)]] |
|||
==References== |
==References== |
||
Line 69: | Line 87: | ||
==External links== |
==External links== |
||
* [http://internetcensus2012.bitbucket.org/paper.html Internet Census 2012: Port scanning /0 using insecure embedded devices], Carna Botnet, June — |
* [https://web.archive.org/web/20151013010243/http://internetcensus2012.bitbucket.org/paper.html Internet Census 2012: Port scanning /0 using insecure embedded devices], Carna Botnet, June — October 2012 |
||
* All of the data can be found on [ |
* All of the data can be found on [https://internetcensus2012.github.io/InternetCensus2012/ GitHub], [https://web.archive.org/web/20151013010243/http://internetcensus2012.bitbucket.org/paper.html BitBucket], [http://census2012.sourceforge.net/paper.html SourceForge], and [[iarchive:Carna_Internet_Census|Internet Archive]]. |
||
{{IoT Malware}} |
|||
[[Category:Botnets]] |
[[Category:Botnets]] |
||
[[Category:History of the Internet]] |
|||
[[Category:IoT malware]] |
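Review bot: in External links, the "BitBucket" link in the second bullet points to the same archived paper.html URL as the first bullet, so it duplicates that entry instead of leading to the data; point it at an archived copy of the data itself or drop it. The first bullet also writes the date range with an em dash where the image caption uses a hyphen ("June - October 2012"); use one form throughout.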
Latest revision as of 09:58, 1 March 2024
The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet in what the creator called the “Internet Census of 2012”.
Data collection
The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.[1][2] It was named after Carna, "the Roman goddess for the protection of inner organs and health".[3]
Collected data was compiled into a GIF portrait to display Internet use around the world over the course of 24 hours. The data gathered included only the IPv4 address space and not the IPv6 address space.[4][5]
The Carna Botnet creator believes that with a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.[3]
Results
Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. The remaining 2.3 billion IPv4 addresses are probably not used.[6]
An earlier, first Internet census by the USDHS LANDER study had counted 187 million visible Internet hosts in 2006.[7][8]
Further implications
The data provided by the Carna botnet was used by security researcher Morgan Marquis-Boire to determine in how many countries FinFisher spyware was being used. The use of such legally gray data to conduct open source analysis raised questions for some, but Marquis-Boire expressed a belief that data is data. "I consider this more like rogue academia rather than criminal activity," he told Wired Magazine.[9]
Number of hosts by top level domain
Among other things, the Carna botnet counted the number of hosts with reverse DNS names observed from May to October 2012. The top 20 top-level domains were:
Number of hosts[10] | Top Level Domain |
---|---|
374,670,873 | .net |
199,029,228 | .com |
75,612,578 | .jp |
28,059,515 | .it |
28,026,059 | .br |
21,415,524 | .de |
20,552,228 | .cn |
17,450,093 | .fr |
17,363,363 | .au |
17,296,801 | .ru |
16,910,153 | .mx |
14,416,783 | .pl |
14,409,280 | .nl |
13,702,339 | .edu |
11,915,681 | .ar |
9,157,824 | .ca |
8,937,159 | .uk |
7,452,888 | .se |
7,243,480 | .tr |
6,878,625 | .in |
See also
- BASHLITE
- Mirai (malware)
- Remaiten
- Linux.Darlloz
- Linux.Wifatch
- Hajime (malware)
References
- ^ Stöcker, Christian; Horchert, Judith (2013-03-22). "Mapping the Internet: A Hacker's Secret Internet Census". Spiegel Online.
- ^ Kleinman, Alexis (2013-03-22). "The Most Detailed, GIF-Based Map Of The Internet Was Made By Hacking 420,000 Computers". Huffington Post.
- ^ a b Internet Census 2012: Port scanning /0 using insecure embedded devices Archived 2015-10-13 at the Wayback Machine, Carna Botnet, June - October 2012
- ^ Read, Max (2013-03-21). "This Illegally Made, Incredibly Mesmerizing Animated GIF Is What the Internet Looks Like". Gawker. Archived from the original on 2013-03-24.
- ^ Thomson, Iain (2013-03-19). "Researcher sets up illegal 420,000 node botnet for IPv4 internet map". The Register.
- ^ Goodin, Dan (2013-03-20). "Guerilla researcher created epic botnet to scan billions of IP addresses: With 9TB of data, survey is one of the most exhaustive — and illicit — ever done". Ars Technica.
- ^ Heidemann, John; Pradkin, Yuri; Govindan, Ramesh; Papadopoulos, Christos; Bannister, Joseph. "Exploring Visible Internet Hosts through Census and Survey" ("LANDER" study). USC/ISI Technical Report ISI-TR-2007-640. See also http://www.isi.edu/ant/address/ and video.
- ^ Stöcker, Christian; Horchert, Judith (2013-03-21). "Forschung mit illegalem Botnetz: Die Vermessung des Internets". Der Spiegel.
- ^ McMillan, Robert (2013-05-15). "Is It Wrong to Use Data From the World's First 'Nice' Botnet?". Wired. Archived from the original on 2016-12-22.
- ^ "Top Level Domains. Internet Census 2012". Archived from the original on 2013-05-15. Retrieved 2013-05-16.
External links
- Internet Census 2012: Port scanning /0 using insecure embedded devices, Carna Botnet, June — October 2012
- All of the data can be found on GitHub, BitBucket, SourceForge, and Internet Archive.