2024-durumeric-ten-years-zmap
findings extracted from this paper
- A decade of ZMap-based studies has produced documented operational norms including blocklist hygiene (organizations can opt out of scans via ZBlocklist) and ethical rate-limiting practices. The same blocklist infrastructure that protects opt-out organizations also provides a model for reducing proxy infrastructure visibility.
- Cloud-hosted services represent an open measurement problem for ZMap because IPs are shared, ephemeral, and behind CDN layers, making traditional IP-to-service attribution unreliable. The paper identifies reconciling scan-based observation with cloud infrastructure as a key challenge for the next decade.
- A decade of Internet-wide scanning practice has established that cloud-hosted services present a fundamental measurement ambiguity: IP ownership is ephemeral and shared, making per-IP findings unreliable and complicating the attribution of services to specific operators or censors.
- IPv6 measurement remains an open problem for ZMap because the address space is too large for exhaustive single-packet enumeration, unlike IPv4. This asymmetry means IPv6-addressed infrastructure is structurally harder to enumerate via blocklisting.
- LZR, built on top of ZMap, can identify 99% of unexpected Internet services in five handshakes by acting as a shim between ZMap and ZGrab. This gives censors and researchers alike an efficient active-probing primitive to fingerprint proxy protocols at scale.
- ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a gigabit connection; with a 10 GigE connection and PF_RING, the same scan completes in 5 minutes. This makes Internet-wide enumeration of proxy infrastructure operationally trivial for any well-resourced actor.
- ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a 1 Gbps connection; with a 10 GigE connection and PF_RING, the full IPv4 address space scan completes in 5 minutes. This throughput enables near-real-time Internet-wide enumeration of any service listening on a given port.
- After a decade of ZMap-based measurement, the authors identify IPv6 scanning as an unresolved open problem: the vastly larger IPv6 address space makes exhaustive scanning infeasible, fundamentally changing the threat model for service discovery compared to IPv4.