ZMap: Fast Internet-Wide Scanning and its Security Applications



"Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet. We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high speed Internet-scale network surveys, both offensive and defensive. We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year."
Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: fast internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX conference on Security (SEC'13). USENIX Association, Berkeley, CA, USA, 605-620.



The paper did well on:

+ Proposing a new efficient method that is "1300 times faster than the most aggressive Nmap default settings"
+ Demonstrating various important applications of ZMap
+ Having a section dedicated to ethics and recommended practices
+ Plenty of graphs

The paper felt short on:

+ Some more math background for the address generation algorithm could be provided, considering it is an important part of ZMap

### What did you learn from reading this paper?

+ The US military did not bother much with sending out complaints about being scanned by the tool. On the contrary, some home users were very well educated and gave proper responses.
+ Effectively scanning the IPv4 address space at gigabit line rate is possible
+ There are real risks of being sued or DDoSed when conducting this kind of scan

### What questions do you have about the paper or the area?

+ What is a "distant transient network failure"?
+ What is a "radix" tree?
+ How does caching the Ethernet packets work?
+ What is the method of "random permutation generated by a cyclic multiplicative group"?
+ How big is the assumption of "the source network is well provisioned (unable to be saturated by the source host), and that the targets are randomly ordered and widely dispersed (so no distant network or path is likely to be saturated by the scan)"?
+ How is the scan-specific secret constructed?
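As an added illustration of the "random permutation generated by a cyclic multiplicative group" asked about above (example code written for these notes, not code from the paper or from ZMap): the multiplicative group of integers modulo a prime p is cyclic, so repeatedly multiplying by a generator g walks through every element of 1..p-1 exactly once with no per-address state. The paper uses p = 2^32 + 15 and skips the few residues above 2^32; the demonstration below uses a small prime and a constructed seed, and the `limit` parameter is this example's own name for that skipping step.

```python
import random

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for n near 2^32)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g, p):
    """True iff g generates the whole multiplicative group mod prime p,
    i.e. g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def cyclic_permutation(p, g, start):
    """Walk start, start*g, start*g^2, ... (mod p) until the cycle closes.
    Because g generates the group, every element of 1..p-1 appears once."""
    x = start
    while True:
        yield x
        x = (x * g) % p
        if x == start:
            return

def seeded_permutation(p, seed, limit=None):
    """Derive the generator and the starting element from a per-run seed so
    each run gets a different order; drop residues >= limit, mirroring how a
    prime slightly above 2^32 yields a few values that are not addresses."""
    rng = random.Random(seed)
    g = rng.randrange(2, p)
    while not is_generator(g, p):
        g = rng.randrange(2, p)
    start = rng.randrange(1, p)
    limit = p if limit is None else limit
    return [x for x in cyclic_permutation(p, g, start) if x < limit]

if __name__ == "__main__":
    # Constructed demonstration with a small prime; the paper's p is 2**32 + 15.
    print(seeded_permutation(101, seed=2013))
```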
