This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.

Summary

DS-1095
SNI Proxy ZMap Scans
External Dataset
External Data Source
Internet-Wide Scan Data Repository
Unknown
Unknown
56 (lowest rank is 56)

Category & Restrictions

Other
network data, address space status data, local networks
Unrestricted
Unknown

Description


TCP SYN scan of the public IPv4 address space on port 443 to find SNI proxies, special TLS servers that forward traffic to the destination specified in the Server Name Indication extension. The dataset includes ZMap output as well as the output of a custom program that tests for the SNI proxy property.

zmap.sniproxy.20161024.csv.xz contains the ZMap CSV output of full TCP SYN scans of the IPv4 address against port 443, and contains the following fields: saddr, saddr_raw, daddr, daddr_raw, ipid,ttl, sport, dport, seqnum, acknum, window, classification, success, repeat, cooldown, timestamp_str, timestamp_ts, timestamp_us. scan-sniproxy.20161024.csv.xz contains the CSV output of a custom scan-sniproxy program, which connects to a TLS server using a specific SNI value and records a hash of the certificate returned by the server and any validation errors. The scan-sniproxy output has the following fields: date, target, host, port, sni, elapsed, is_sniproxy, spki_sha256, error. date is a timestamp and elapsed is the time elapsed start to finish for a particular server. target and host are both the IP address of the server (scan-sniproxy allows specifying a target by hostname; in that case the hostname would be in the target field and the IP address would be in the host field). port is always 443 in this dataset. sni is always "sni-scan-for-research-study.bamsoftware.com" in this dataset. is_sniproxy is "T" or "F". spki_sha256 is the SHA-256 hash of the certificate Subject Public Key Info, or blank in the case of a validation error. error is a validation error string, or blank. The value for spki_sha256 that indicates successful proxying is de15ef2559e770a3a283d632c94fe578f988c5768573a40caa28ff13cbd854d5. The file contains one false positive, 50.116.53.83, which was the actual IP address of sni-scan-for-research-study.bamsoftware.com. ; david@bamsoftware.com

Additional Details

N/A
false
false
sni, zmap, proxy, scans, 1095, sni proxy zmap scans, corporation, external data source, external, inferlink, source, inferlink corporation, output, scan, server, port, dataset, 443, custom, ipv4, syn, tcp, program, tls, public, servers, tests, extension, destination, indication, property, space, includes, traffic, special, proxies, sniproxy, target, csv, timestamp, error, sha256, spki, elapsed, bamsoftware, validation, host, daddr, saddr, certificate, 20161024, study, hash, hostname, xz, blank, raw, field, fields, other, ttl, specific, connects, positive, info, cooldown, proxying, sport, subject, returned, time, window, finish, 116, acknum, false, start, string, seqnum, errors, dport, 256, file, success, ipid, repeat, david, key, str, successful, sha, classification, actual, records