Nmap Development mailing list archives
Re: Using nmap to detect country-wide Internet shutdowns
From: John Bond <john.r.bond () gmail com>
Date: Fri, 1 Jul 2011 18:23:36 +0200
You may want to check out some of the tools here
http://www.ripe.net/data-tools/stats/ris
http://stat.ripe.net/

Here is the Egypt analysis
http://stat.ripe.net/egypt

On 1 July 2011 17:23, David Larochelle <dlarochelle () cyber law harvard edu> wrote:

Hi,

I'm at the Berkman Center for Internet & Society at Harvard (http://cyber.law.harvard.edu). We're interested in developing a method to determine if a country has shut down its Internet. The typical use case for this would be that we hear scattered reports that a country such as Syria or Egypt is no longer Internet accessible and we would like a way to verify these reports.

Our initial approach has been to use nmap to perform a ping scan on all IPs in all Autonomous Systems that are based in the country. We have used data from CAIDA and the Routeviews project to associate CIDR blocks with Autonomous Systems. We then map Autonomous Systems to countries by querying the Cymru service. We are then using commands like the following to determine the number of IP addresses accessible within a given country:

nmap --host-timeout 5m -sP --randomize-hosts -iL syrian_cidr_blocks.txt > syrian_results.txt

Obviously this will not detect hosts that are behind a firewall or that are ignoring pings, but we're hoping that it will be good enough to detect and verify events such as the recent attempts by governments during the Arab Spring to shut down the Internet within their borders. It would also be nice to be able to determine which ISPs have remained on-line when much of the country is inaccessible. For example, Noor Group remained on-line even when the rest of the Internet in Egypt was shut down.

One of the questions that we have is what length of timeout is appropriate for this type of scan. We initially tried not giving any timeout but found that the scans were taking weeks to finish. We noticed that significantly more hosts were detected using a 5 minute timeout than a 2 minute timeout, but we're unsure how long of a timeout is necessary.

More generally, we'd really appreciate any feedback about the best way to do scans like this using nmap or some other tool.

Thanks,
David

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
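An added example, not part of the original thread: one way to turn two saved ping-scan result files (a baseline and a scan taken during a suspected shutdown) into per-AS counts of responding hosts, which also shows which ISPs stayed reachable. It assumes Nmap's normal output lines "Nmap scan report for ..." followed by "Host is up"; the function names, the prefix-to-AS map, the sample scans and the 10% threshold are constructed for illustration.

```python
import ipaddress
import re

# "Nmap scan report for 192.0.2.1" or "... for name (192.0.2.1)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")

def responding_hosts(nmap_output):
    """IPs whose scan report line is followed by 'Host is up'."""
    up, current = set(), None
    for line in nmap_output.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for"):
            m = REPORT_RE.match(line)  # "[host down]" lines do not match
            current = ipaddress.ip_address(m.group(1)) if m else None
        elif line.startswith("Host is up") and current is not None:
            up.add(current)
            current = None
    return up

def up_per_asn(hosts, prefix_to_asn):
    """Count responding hosts per AS, trying the most specific prefix first."""
    nets = sorted(((ipaddress.ip_network(p), a) for p, a in prefix_to_asn.items()),
                  key=lambda t: t[0].prefixlen, reverse=True)
    counts = {asn: 0 for asn in prefix_to_asn.values()}
    for ip in hosts:
        for net, asn in nets:
            if ip in net:
                counts[asn] += 1
                break
    return counts

def dark_asns(baseline, current, max_ratio=0.1):
    """ASes whose count fell to max_ratio of the baseline or below (assumed threshold)."""
    return sorted(a for a, n in baseline.items()
                  if n > 0 and current.get(a, 0) <= n * max_ratio)

# Constructed sample data: documentation prefixes and reserved AS numbers.
PREFIXES = {"192.0.2.0/24": "AS64500", "198.51.100.0/24": "AS64501"}
BASELINE_SCAN = ("Nmap scan report for 192.0.2.1\nHost is up (0.21s latency).\n"
                 "Nmap scan report for 192.0.2.7\nHost is up (0.20s latency).\n"
                 "Nmap scan report for gw.example.net (198.51.100.1)\nHost is up (0.19s latency).\n")
EVENT_SCAN = "Nmap scan report for gw.example.net (198.51.100.1)\nHost is up (0.22s latency).\n"

if __name__ == "__main__":
    before = up_per_asn(responding_hosts(BASELINE_SCAN), PREFIXES)
    during = up_per_asn(responding_hosts(EVENT_SCAN), PREFIXES)
    print(before, during, dark_asns(before, during))
```

Comparing against a baseline taken with the same timeout matters here, because hosts that filter pings or answer slowly are missing from both scans and so do not register as a drop.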
Current thread:
- Using nmap to detect country-wide Internet shutdowns David Larochelle (Jul 01)
- Re: Using nmap to detect country-wide Internet shutdowns John Bond (Jul 01)
- Re: Using nmap to detect country-wide Internet shutdowns Ryan Giobbi (Jul 03)
- Re: Using nmap to detect country-wide Internet shutdowns David Fifield (Jul 18)
- <Possible follow-ups>
- Re: Using nmap to detect country-wide Internet shutdowns dlarochelle (Jul 02)