Nmap Development mailing list archives

Re: Using nmap to detect country-wide Internet shutdowns


From: Ryan Giobbi <ryan () tgbemail com>
Date: Sun, 3 Jul 2011 13:52:03 -0400

Have you tried running the pings when you'd guess everything is online
to get a list of active IP addresses? This list probably will take
a while to get really stale.

You could use that list to ping when you think there might be an outage.



On 7/1/11, David Larochelle <dlarochelle () cyber law harvard edu> wrote:
Hi,

I'm at the Berkman Center for Internet & Society at Harvard
(http://cyber.law.harvard.edu). We're interested in developing a method
to determine if a country has shut down its Internet. The typical use
case for this would be that we hear scattered reports that a country
such as Syria or Egypt is no longer Internet accessible and we would
like a way to verify these reports.

Our initial approach has been to use nmap to perform a ping scan on all
IPs in all Autonomous Systems that are based in the country. We have
used data from CAIDA and the Routeviews project to associate CIDR blocks
with Autonomous Systems. We then map Autonomous Systems to countries by
querying the Cymru service.

We are then using commands like the following to determine the number of
IP addresses accessible within a given country:

    nmap --host-timeout 5m -sP --randomize-hosts -iL syrian_cidr_blocks.txt > syrian_results.txt


Obviously this will not detect hosts that are behind a firewall or that
are ignoring pings but we're hoping that it will be good enough to
detect and verify events such as the recent attempts by governments
during the Arab Spring to shut down the Internet within their borders.
It would also be nice to be able to determine which ISPs have remained
on-line when much of the country is inaccessible. For example, Noor
Group remained on-line even when the rest of the Internet in Egypt was
shut down.

One of the questions that we have is what length of timeout is
appropriate for this type of scan. We initially tried not giving any
timeout but found that the scans were taking weeks to finish. We noticed
that significantly more hosts were detected using a 5 minute timeout
than a 2 minute timeout, but we're unsure how long of a timeout is necessary.

More generally, we'd really appreciate any feedback about the best
way to do scans like this using nmap or some other tool.


Thanks,

David
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Sent from my mobile device
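One way to implement the baseline-then-recheck approach suggested above, as an added example that is not part of the thread: parse nmap's grepable output (`-oG`) from a run taken while everything was online and from a later run, then report, per CIDR block, what fraction of the baseline-responsive hosts still answer. The sample scan lines, the RFC 5737 test addresses and the AS64496/AS64497 "ISP A/B" labels are constructed for the example; the block-to-owner mapping stands in for the CAIDA/Routeviews/Cymru data the post describes.

```python
import ipaddress

# Constructed sample data, not real scan output: two `nmap -sn -oG -` runs over the
# same target list, one taken while everything was online (the baseline) and one
# during a suspected outage. Addresses come from the RFC 5737 test ranges.
BASELINE_GNMAP = """\
# Nmap 5.51 scan initiated as: nmap -sn --randomize-hosts -oG - -iL cidr_blocks.txt
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Down
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.6 ()\tStatus: Up
"""
CURRENT_GNMAP = """\
Host: 192.0.2.10 ()\tStatus: Down
Host: 192.0.2.11 ()\tStatus: Down
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.6 ()\tStatus: Up
"""
# Hypothetical prefix -> owner labels, standing in for the CIDR-to-AS mapping.
BLOCKS = {"192.0.2.0/24": "AS64496 (ISP A)", "198.51.100.0/24": "AS64497 (ISP B)"}


def parse_up_hosts(gnmap_text):
    """Addresses reported 'Status: Up' in nmap grepable (-oG) output."""
    up = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header/footer lines
        fields = line.split("\t")
        if len(fields) > 1 and fields[1].strip() == "Status: Up":
            up.add(fields[0].split()[1])  # 'Host: <ip> (<name>)'
    return up


def reachability_by_block(baseline_text, current_text, blocks):
    """Per prefix: (still up, baseline total, fraction) over baseline-up hosts."""
    baseline = parse_up_hosts(baseline_text)
    current = parse_up_hosts(current_text)
    counts = {}  # prefix -> [still_up, baseline_total]
    for ip in baseline:
        addr = ipaddress.ip_address(ip)
        for prefix in blocks:
            if addr in ipaddress.ip_network(prefix):
                c = counts.setdefault(prefix, [0, 0])
                c[1] += 1
                c[0] += int(ip in current)
                break
    return {p: (up, total, up / total) for p, (up, total) in counts.items()}


def flag_blocks(report, threshold=0.2):
    """Prefixes whose reachable fraction of baseline hosts fell below threshold."""
    return sorted(p for p, (_, _, frac) in report.items() if frac < threshold)
```

Because only hosts that answered in the baseline are re-pinged, the recheck run is far smaller than the original all-prefix sweep, and grouping by prefix is what lets a single provider that stays reachable stand out from the rest.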

