Identifying and characterizing ZMap scans: a cryptanalytic approach

Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify ZMap scans with a small number of addresses extracted from the scan. We conduct an experimental evaluation of these detection methods on synthetic, network telescope, and backbone traffic. We manage to identify 28.5% of the ZMap scans in real-world traffic. We then perform an in-depth characterization of these scans regarding, for example, targeted prefix and probing speed.