Internet census maps usage via network of open embedded devices

A security research group has completed an Internet census revealing interesting facts on usage. According to the abstract by the crew from Carna Botnet,

While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

Their conclusions were the result of data from the 420,000-node botnet taken over a 24 hour period. The GIF above is produced by Carma Botnet and shows an animated world map of 24 hour relative average utilization of IPv4 addresses observed using ICMP ping requests.

The Internet Census 2012 report can be found on Bitbucket.


Join the Conversation


  1. Fairly sure it’s illegal for them to have logged into those unsecure systems and then install botnet code on them

    1. Yeah, its almost like enyoing the benefits of current modern medicine. If you know what I mean (hint, WWII).

  2. Looking at this image (animated gif) closely and you can see how different geographical regions peak at different times. The report doesn’t talk about it, but I’d be interested in hearing others’ opinions on the potential reasons. In particular, North America and India seem to peak (most red) in connections around noon, while Europe, South America, and Asia seem to peak just before sundown. There isn’t quite as strong of a patter for Australia or South Africa, but that might just be my perception due to the smaller number of datapoints. Ideas?

Leave a comment

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.