LZR, built on top of ZMap, can identify 99% of unexpected Internet services in five handshakes by acting as a shim between ZMap and ZGrab. This gives censors and researchers alike an efficient active-probing primitive to fingerprint proxy protocols at scale.

A decade of ZMap-based studies has produced documented operational norms including blocklist hygiene (organizations can opt out of scans via ZBlocklist) and ethical rate-limiting practices. The same blocklist infrastructure that protects opt-out organizations also provides a model for reducing proxy infrastructure visibility.

Abstract — operational practices / ZBlocklist tool evaluation

Cloud-hosted services represent an open measurement problem for ZMap because IPs are shared, ephemeral, and behind CDN layers, making traditional IP-to-service attribution unreliable. The paper identifies reconciling scan-based observation with cloud infrastructure as a key challenge for the next decade.

Abstract — open problems evaluation

A decade of Internet-wide scanning practice has established that cloud-hosted services present a fundamental measurement ambiguity: IP ownership is ephemeral and shared, making per-IP findings unreliable and complicating the attribution of services to specific operators or censors.

Abstract (open problems) evaluation

IPv6 measurement remains an open problem for ZMap because the address space is too large for exhaustive single-packet enumeration, unlike IPv4. This asymmetry means IPv6-addressed infrastructure is structurally harder to enumerate via blocklisting.

Abstract — open problems evaluation

ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a gigabit connection; with a 10 GigE connection and PF_RING, the same scan completes in 5 minutes. This makes Internet-wide enumeration of proxy infrastructure operationally trivial for any well-resourced actor.

Project overview evaluation

ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a 1 Gbps connection; with a 10 GigE connection and PF_RING, the full IPv4 address space scan completes in 5 minutes. This throughput enables near-real-time Internet-wide enumeration of any service listening on a given port.

ZMap tool description evaluation

After a decade of ZMap-based measurement, the authors identify IPv6 scanning as an unresolved open problem: the vastly larger IPv6 address space makes exhaustive scanning infeasible, fundamentally changing the threat model for service discovery compared to IPv4.

Abstract (open problems) evaluation

Combining all three active probing attacks in an Internet-wide scan of 30 million HTTPS servers identified approximately 15,000 hosts (0.05%) behaving like ShadowTLS relays; of these only 6,000 presented TLS certificates for Alexa Top 1000 domains. The scan successfully discovered all four researcher-operated ShadowTLS relays planted as ground truth.

2023-wang-chasing §3.2, Table 2 active-probingmeasurement-platform

The authors' ISP Tap dataset yielded 129,000 unique response sets across 433,286 endpoints while ZMap's 1.5 million endpoints produced only 31,000 unique sets — with over 42% of ZMap endpoints behaving identically (infinite timeout, no data) due to firewall chaff. This vantage-point bias means the effective false-positive rate a censor faces when targeting ISP-observed traffic is ~28× lower than against random scans (0.02% vs 0.56% for MTProto), making ISP-scale active probing far more actionable than Internet-wide scanning alone.

2020-frolov-detecting §III-B, §V-D, Fig. 2 active-probingmeasurement-platform

Encore's architecture turns ordinary web visitors into measurement vantage points, which the researchers argue prevents censors from detecting and disabling dedicated measurement probes. However, this benefit comes with the trade-off that the individuals whose browsers are co-opted face potential legal or physical risk that differs by country and by the specific censored content accessed.

2015-narayanan-no Background / Analysis measurement-platformactive-probing

High-speed Internet-wide scanning enables a censor or attacker to locate every publicly reachable host vulnerable to a newly disclosed flaw within hours of disclosure; in a concrete example, 3.4 million UPnP-vulnerable devices were identified in under 2 hours — faster than network operators could apply patches — with a 150-SLOC probe module written in approximately 4 hours.

2013-durumeric-zmap §4.3 active-probingmeasurement-platform

By scanning ports 443 and 9001 and fingerprinting responses with Tor's TLS v1 cipher-suite handshake pattern, ZMap identified 79–86% of all allocated Tor bridge fingerprints in a single scan, demonstrating that bridges whose protocol is distinguishable are largely discoverable through comprehensive Internet-wide scanning even though their addresses are not publicly listed.

2013-durumeric-zmap §4.4 active-probingtls-fingerprintmeasurement-platform

CensorLess's function refresher automatically retires serverless bridges and deploys fresh ones in batches across diverse regions; the expected time until a bridge is identified and blocked in practice is 2 days (per Fifield et al.), while Tor bridges in China are discovered within 2–36 days. The old bridge is only removed after all clients have completed live migration to a new URL, maintaining uninterrupted connectivity.

2026-kang-censorless-serverless §4.5 active-probingip-blocking