Scan fast and evade triggers

tate@ClearNetSec.com (Tate Hansen) — Tue, 14 Mar 2006 03:48:00 -0700

I've wanted to build this for a long time, alas the pain and costs of obtaining disparate public IPv4 blocks is high. I want to perform 65k port scans fast, accurately, and avoid 95% of the IDSes, IPSes, or whatever other ‘smart’ devices are in my way. It can be done.

Buy or lease some servers
Find a few data centers that connect to different Tier 1 providers
Justify and purchase IP blocks from ARIN (or another regional registry)
Setup scan server(s)
Setup NAT server(s)
Write some code to distribute port scans
Feel cool when you can scan like crazy
Feel really cool when no ‘smart’ devices alert, block, or rate limit you because you haven’t triggered any threshold ‘rules’
Act surprised when the client mentions his team didn’t see or report any anomalous behavior

Here is a high-level diagram of what I want:

Of course, there are some realities which make this hard to build. Registries prefer to hand out contiguous net blocks, but it would be far more desirable to have a bunch of smaller non-contiguous net blocks. Some ‘smart’ devices do detect scans based on the source net block, not just via a single source IP. Bandwidth and latency conditions are always in play. I still want it. A scan setup like this can increase accuracy, be fast, is distributed, and raises the difficulty for detection.

FYI: Initial costs from ARIN for different net block sizes

Category	Initial Registration Fee (US Dollars)	Assignment Size
X-small/ Micro-allocation	$1,250	/24 - < /20
Small	$2,250	/20 - /19
Medium	$4,500	> /19 - /16
Large	$9,000	> /16 - /14
X-large	$18,000	> /14

ClearNet Security: Tag circumvent

Scan fast and evade triggers