Nmap Development mailing list archives

Re: Using nmap to detect country-wide Internet shutdowns


From: John Bond <john.r.bond () gmail com>
Date: Fri, 1 Jul 2011 18:23:36 +0200

You may want to check out some of the tools here:
http://www.ripe.net/data-tools/stats/ris
http://stat.ripe.net/

Here is the Egypt analysis:
http://stat.ripe.net/egypt



On 1 July 2011 17:23, David Larochelle
<dlarochelle () cyber law harvard edu> wrote:
Hi,

I'm at the Berkman Center for Internet & Society at Harvard
(http://cyber.law.harvard.edu). We're interested in developing a method
to determine if a country has shut down its Internet. The typical use
case for this would be that we hear scattered reports that a country
such as Syria or Egypt is no longer Internet accessible and we would
like a way to verify these reports.

Our initial approach has been to use nmap to perform a ping scan on all
IPs in all Autonomous Systems that are based in the country. We have
used data from CAIDA and the Routeviews project to associate CIDR blocks
with Autonomous Systems. We then map Autonomous Systems to countries by
querying the Cymru service.

We are then using commands like the following to determine the number of
IP addresses accessible within a given country:

   nmap --host-timeout 5m -sP --randomize-hosts -iL
   syrian_cidr_blocks.txt > syrian_results.txt


Obviously this will not detect hosts that are behind a firewall or that
are ignoring pings but we're hoping that it will be good enough to
detect and verify events such as the recent attempts by governments
during the Arab Spring to shut down the Internet within their borders.
It would also be nice to be able to determine which ISPs have remained
on-line when much of the country is inaccessible. For example, Noor
Group remained on-line even when the rest of the Internet in Egypt was
shutdown.

One of the questions that we have is what length of timeout is
appropriate for this type of scan. We initially tried not giving any
timeout but found that the scans were taking weeks to finish. We noticed
that significantly more hosts were detected using a 5 minute timeout
than a 2 minute timeout, but we're unsure how long of a timeout is necessary.

More generally, we'd really appreciate any feedback about the best
way to do scans like this using nmap or some other tool.


Thanks,

David
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

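The bookkeeping behind the approach David describes (a ping sweep over a country's CIDR blocks, counted per block and rolled up per AS, with the caveat that firewalled or ICMP-ignoring hosts never answer), as an added example that is not part of the thread and not nmap's own code. It parses nmap's grepable output (-oG) from a baseline sweep and a later sweep and reports which prefixes went dark relative to their own baseline rather than relative to their size. The prefix list, the ASN labels and both scan outputs are constructed; the -oG invocation in the docstring is the assumed way the sweep results were saved.

```python
"""Per-prefix reachability from nmap ping-sweep output, compared to a baseline.

Added example for this thread; not code from the original post or from nmap.
Assumes each sweep was saved in grepable form, e.g.:

    nmap -sn --randomize-hosts --host-timeout 5m \
         -iL syrian_cidr_blocks.txt -oG syria-$(date +%F).gnmap

(-sn is the current spelling of the -sP ping scan used in the post.)
The prefix list, ASN labels and both scan outputs below are constructed.
"""
import ipaddress
import re

# Constructed prefix -> ASN map (documentation prefixes, hypothetical ASNs),
# standing in for the CAIDA/Routeviews-derived CIDR file in the post.
PREFIXES = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
    "203.0.113.0/24": "AS64498",
}

# Constructed nmap -oG output from a normal-day baseline sweep.
BASELINE_GNMAP = """\
# Nmap 5.51 scan initiated as: nmap -sn -iL blocks.txt -oG -
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.13 ()\tStatus: Up
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.6 ()\tStatus: Up
Host: 203.0.113.7 ()\tStatus: Up
Host: 203.0.113.8 ()\tStatus: Up
"""

# Constructed output from a later sweep during a suspected shutdown.
CURRENT_GNMAP = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.6 ()\tStatus: Up
Host: 198.51.100.9 ()\tStatus: Up
"""

# nmap -oG host line: "Host: <ip> (<rdns>)<tab>Status: Up"
HOST_UP_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+Up\b")


def up_hosts(gnmap_text):
    """Return the set of addresses reported 'Status: Up' in grepable output."""
    ips = set()
    for line in gnmap_text.splitlines():
        m = HOST_UP_RE.match(line)
        if m:
            ips.add(ipaddress.ip_address(m.group(1)))
    return ips


def count_per_prefix(ips, prefixes):
    """Count responsive hosts in each CIDR block; addresses that fall outside
    every block (a stray line from another scan) are ignored."""
    nets = [(p, ipaddress.ip_network(p, strict=False)) for p in prefixes]
    counts = {p: 0 for p in prefixes}
    for ip in ips:
        for p, net in nets:
            if ip in net:
                counts[p] += 1
                break
    return counts


def compare(baseline_counts, current_counts, prefixes, drop_ratio=0.5):
    """Judge each prefix against its own baseline, not its size: hosts that
    never answered pings (firewalled, unused space) are then not counted as
    'lost', which a raw up-count over the whole block would do."""
    report = {}
    for prefix, asn in prefixes.items():
        before = baseline_counts.get(prefix, 0)
        after = current_counts.get(prefix, 0)
        if before == 0:
            verdict = "no-baseline"
        elif after <= before * drop_ratio:
            verdict = "down"
        else:
            verdict = "up"
        report[prefix] = {"asn": asn, "baseline": before,
                          "current": after, "verdict": verdict}
    return report


def country_ratio(report):
    """Fraction of baseline-responsive hosts still answering, country-wide."""
    before = sum(r["baseline"] for r in report.values())
    after = sum(r["current"] for r in report.values())
    return after / before if before else 0.0


def run_comparison(baseline_text=BASELINE_GNMAP, current_text=CURRENT_GNMAP,
                   prefixes=PREFIXES, drop_ratio=0.5):
    base = count_per_prefix(up_hosts(baseline_text), prefixes)
    cur = count_per_prefix(up_hosts(current_text), prefixes)
    return compare(base, cur, prefixes, drop_ratio)


if __name__ == "__main__":
    rep = run_comparison()
    for prefix, r in sorted(rep.items()):
        print(f"{prefix:18} {r['asn']:8} baseline={r['baseline']:3} "
              f"current={r['current']:3} {r['verdict']}")
    print(f"country-wide: {country_ratio(rep):.0%} of baseline hosts responding")
```

On the constructed data the script reports 192.0.2.0/24 and 203.0.113.0/24 as down and 198.51.100.0/24 as still up, which is the per-ISP view the post asks for (the Noor-style holdout). Because the verdict is relative to a baseline, both sweeps should be run with the same --host-timeout (it applies per target host), otherwise the timeout difference the post observed between 2 and 5 minutes shows up as a false drop.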