Saturday, April 25, 2015

0.7% or 311,026 IP Addresses found continue to be vulnerable to Heartbleed

As I was glancing through the logs of my honeypots I spent some time to look at the following logs.  In the past I have just overlooked them:

The URL in the "User Agent" section of the log turned out it was legit.  So I went to the following site "".

I found the two publications published to be of value at Rapid7: Legal Considerations for Widespread Scanning and ZMAP: Scanning Best Practices.

If you follow to the ZMAP site where a tool can be acquired to do this sort of scanning it lists the following as best practices:

Through looking further at the home page you notice the University of Michigan is involved in this research and the maintenance of the tool.  From here you can find the site "".  

This is an internet-wide scan data repository.  Here is where they publish the raw output of the scans that they conduct.  The section that again caught my eye was on "Heartbleed".  After clicking on the title I found a 100GB lz4 compressed file with their raw output from their scanning for the vulnerability of heartbleed.

I decided with this information I wanted to know how many IP Addresses are they detecting that continue to be vulnerable to heartbleed.  After downloading the file, using python to uncompress the lz4 file, and then parsing the information.  I found:


IP addresses continue to show that they are vulnerable to heartbleed.  I understand that a percentage of these may not be vulnerable and some would be false-positives.  I however, am not going to look closer at this to determine the percentage that are truly vulnerable.

Well then I was curious, how many IP Addresses show up in the 100GB lz4 compressed log.  The following number are the total number of IP addresses I found in the log:


With that said you still observe that the following percentage of the dataset of IP addresses that respond with a vulnerable version of SSL on port 443 is:


I also was curious from the initial sample of 311,062 IP addresses which countries they originated from.  Below are the top 12 country abbreviations and the count indicating how many IP addresses are in each country based on the information in the SSL certificate that was gathered:

137,324 "US" United States
  26,646 "--"  Probably self signed certificates without designating a country
  17,646 "CN" China
  14,401 "AU" Australia
   7,655 "XX" Probably self signed certificates
   6,695 "DE" Germany
   6,625 "GB" United Kingdom
   4,452 "SE"  Sweden
   4,297 "KR" Korea
   3,034 "IL"  Israel
   3,008 "RU" Russia
   2,949 "FR" France

Wow! I was fascinated at this resource and the numbers that were gathered from it. 

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...