How to Scan Millions of IPv4 Addresses for Vulnerabilities

Jordan Drysdale//

Some days are not like others. Some days, you might get tasked with scanning a million IP addresses. Here’s how I did it:

1. Digital Ocean. Amazon is too picky about their rules for inbound and outbound traffic. I don’t want to piss off the third or fourth largest corporation on Earth.
2. Politically speaking, there’s always scan schedules and certain elements that have to be scanned at certain times of the day, based on our position in the heliocentric orbit, lunar year, whatever… On the DO box, use reject entries in the rules file! More later…
3. Mathematically, using the top ports from Nessus’ reference document, linked here: https://docs.tenable.com/nessus/6_11/Content/DiscoverySettings.htm, […default scan policy instructs Nessus to scan approximately 4,790 commonly used ports], then we have 4.7 billion sockets to check per million IP addresses.
4. Now, we are getting somewhere! Let’s spin some nodes up, say five at the 40 bucks per month rate. The test scan averages came in at about 30 minutes per /22 (1024 IPs, 1022 hosts). This block of IPs generated responses from about a hundred hosts which seemed to be standard across the test runs.
5. Further, we moved toward accomplishing our task in a week. How many nodes could scan how many IPs in how much time?
6. Last – Using a PCI Quarterly scan profile will keep you out of trouble in a court if you are asked to explain to a judge why you dumped a customer’s primary money making web application. Custom scan profiles can make this explanation difficult.

Let’s go through some finer points of the math. If we want to scan a million IP addresses, where do we start – considering we have our baseline defined?

1000000 IPs total, each /22 or 1024 hosts average scan length came in at 30 minutes.

((1000000 / 1024) * 30) = 29297 minutes or 488 hours of scan time

If we have five scanners, we are at 97 hours of scanning per instance.

Then, use a Nessus merge script to combine all the .nessus files into a single scan “combo” and upload. From a case study perspective, comparing the results of a million IP vulnerability results is identical to reviewing the results of a thousand IP addresses.