Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Ten Years of ZMap

Zakir Durumeric, David Adrian, Phillip Stephens, Eric Wustrow, J. Alex Halderman

TL;DR

ZMap's adoption over the ten years since its release is quantified, its modern behavior is described (and the measurements that motivated changes), and lessons from releasing and maintaining ZMap for future tools are offered.

Abstract

Since ZMap's debut in 2013, networking and security researchers have used the open-source scanner to write hundreds of research papers that study Internet behavior. In addition, ZMap has been adopted by the security industry to build new classes of enterprise security and compliance products. Over the past decade, much of ZMap's behavior -- ranging from its pseudorandom IP generation to its packet construction -- has evolved as we have learned more about how to scan the Internet. In this work, we quantify ZMap's adoption over the ten years since its release, describe its modern behavior (and the measurements that motivated changes), and offer lessons from releasing and maintaining ZMap for future tools.

Ten Years of ZMap

TL;DR

ZMap's adoption over the ten years since its release is quantified, its modern behavior is described (and the measurements that motivated changes), and lessons from releasing and maintaining ZMap for future tools are offered.

Abstract

Since ZMap's debut in 2013, networking and security researchers have used the open-source scanner to write hundreds of research papers that study Internet behavior. In addition, ZMap has been adopted by the security industry to build new classes of enterprise security and compliance products. Over the past decade, much of ZMap's behavior -- ranging from its pseudorandom IP generation to its packet construction -- has evolved as we have learned more about how to scan the Internet. In this work, we quantify ZMap's adoption over the ten years since its release, describe its modern behavior (and the measurements that motivated changes), and offer lessons from releasing and maintaining ZMap for future tools.
Paper Structure (16 sections, 8 figures)

This paper contains 16 sections, 8 figures.

Table of Contents

  1. Introduction
  2. Usage and Internet Landscape
  3. Empirical Analysis
  4. Academic Research
  5. Industry Adoption
  6. Malicious Use
  7. Lessons in Internet Scanning
  8. ZMap Codebase
  9. Address and Port Generation
  10. Scan Sharding
  11. Packet Construction
  12. Lessons and Recommendations
  13. Internet Citizenship
  14. Conclusion
  15. Ethics
  16. ...and 1 more sections

Figures (8)

  • Figure 1: ZMap-Attributed TCP Scan Traffic---ZMap growth has accelerated significantly since 2020. In Q1 2024, 35% of Internet-wide IPv4 TCP scan traffic (by packet) came from ZMap.
  • Figure 2: All TCP Scans (Top Ports by Packet)
  • Figure 3: ZMap Scans (Top Ports By Packet)
  • Figure 4: ZMap by Country---The ten countries that emanate the most Internet scan traffic by packet have varied ZMap usage.
  • Figure 5: Sliding Window Duplicate Rate---We moved to a sliding window approach for deduplicating responses to support multiple ports. A window size of $10^6$ eliminates nearly all duplicates.
  • ...and 3 more figures