TCP SYN scan of the public IPv4 address space on port 443 to find SNI proxies, special TLS servers that forward traffic to the destination specified in the Server Name Indication extension. The dataset includes ZMap output as well as the output of a custom program that tests for the SNI proxy property.

Study Details

Study
SNI proxies
Authors
David Fifield, Jiang Jian, Paul Pearce
Contact
David Fifield
Tags
TCP/443, HTTPS, ZMap

Dataset Details

zmap.sniproxy.20161024.csv.xz contains the ZMap CSV output of full TCP SYN scans of the IPv4 address against port 443, and contains the following fields: saddr, saddr_raw, daddr, daddr_raw, ipid,ttl, sport, dport, seqnum, acknum, window, classification, success, repeat, cooldown, timestamp_str, timestamp_ts, timestamp_us. scan-sniproxy.20161024.csv.xz contains the CSV output of a custom scan-sniproxy program, which connects to a TLS server using a specific SNI value and records a hash of the certificate returned by the server and any validation errors. The scan-sniproxy output has the following fields: date, target, host, port, sni, elapsed, is_sniproxy, spki_sha256, error. date is a timestamp and elapsed is the time elapsed start to finish for a particular server. target and host are both the IP address of the server (scan-sniproxy allows specifying a target by hostname; in that case the hostname would be in the target field and the IP address would be in the host field). port is always 443 in this dataset. sni is always "sni-scan-for-research-study.bamsoftware.com" in this dataset. is_sniproxy is "T" or "F". spki_sha256 is the SHA-256 hash of the certificate Subject Public Key Info, or blank in the case of a validation error. error is a validation error string, or blank. The value for spki_sha256 that indicates successful proxying is de15ef2559e770a3a283d632c94fe578f988c5768573a40caa28ff13cbd854d5. The file contains one false positive, 50.116.53.83, which was the actual IP address of sni-scan-for-research-study.bamsoftware.com.

File Download

File NameMetaDataSHA-1 FingerprintSizeUpdated At
zmap.sniproxy.20161024.csv.xz unavailable BCF6D5F79BBD98F23317AB322AE93AC75FF50553 1.4 GB 2016-10-24
scan-sniproxy.20161024.csv.xz unavailable 9CE4E8AF796BDC213276D087ACC6D2BB2B7692E9 1.2 GB 2016-10-24