An interesting paper where the authors are building a better way to scan the Internet.
Shehar Bano et al. Scanning the Internet for Liveness // ACM SIGCOMM Computer Communication Review, Volume 48 Issue 2, April 2018
Liveness—whether or not a target IP address responds to a probe packet—is a nuanced concept without a simple yes/no answer. Responsiveness directly depends on the probe type, the configuration of the targeted host, as well as on firewalling and filtering behaviors at the edge or within networks.
Key findings include:
- TCP and UDP probes increase the population responsive over ICMP by 18%,
- comprehensively capturing reply traffic (i.e., taking into account negative reply packets) increases the responsive population by more than 13%,
- TCP stacks do not consistently respond with a TCP Rst for non-available services—in our measurements only 24% of hosts with an active TCP stack respond to all the probes,
- our concurrent scans allow us to identify nearly 2M tarpits that would bias measurements that do not take them into account, and
- we report on the correlation of responsiveness across protocols uncovering potential filtering practices.
Other things I found interesting:
- probe redundancy [sending deferred repeated probes] increases the population of active IP addresses by 2.2%
- scans recorded 487M network alive IPs (IPall) out of 3.6B probed.
- they see that ICMP Echo probes are most effective in discovering network active IPs, revealing 79% of IPall, followed by TCP probes.
- they found that 16% of IPall can only exclusively be discovered via TCP, and a small but significant ≈2% can only be discovered via UDP probes.