Hi,

>> Did you check to which IP addresses these resolve, and stored the IP
>> addresses? We did that for the last few of our scans, but I haven't
>> found the time yet to feed it into the DB.
>
> I did not store the IPs, only checked IPs manually.

OK... I have a few datasets here that contain IP addresses for the Alexa Top 1M as resolved from CN, BR etc. I haven't found the time yet to look at them, but maybe they're useful. I don't think there are any objections to releasing them.

> In your datasets (the difference sets) I've found some webhostings/eshops
> (e.g. wesped.com, alyasoft.net). One domain had improper (but not
> self-signed) certs that might be considered "high value"
> (centerstatebank.com), though now it seems to have proper cert.

Yes, that seems about right. We didn't find any attack traces in the difference sets; most likely these are temporary configuration issues. Still, a few dozen eyes will spot more than one pair...

>> Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't
>> conduct full SSL handshakes then, correct?
>
> Correct. The scanner only waits for the TLS Handshake Record with
> certificates. Time taken by the scan depends a lot on the scanner
> location, one finishes consistently within 4-5 hours, the other between
> 11-13 hours (in 100 threads).

Will you release the code? I have been thinking about replacing our openssl-based scanner with something quicker, at least for some use cases.

>> Which DB back-end do you use? If it's postgres, I'd be happy to feed it
>> into our DB, too, and see what we have.
>
> It's postgres.

Oh, excellent. Do you provide .custom format, too?

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
