Scanning the internet for liveness26 Jun 2018
Internet-wide scanning depends on a notion of liveness: does a tar- get IP address respond to a probe packet? However, the interpreta- tion of such responses, or lack of them, is nuanced and depends on multiple factors, including: how we probed, how different proto- cols in the network stack interact, the presence of filtering policies near the target, and temporal churn in IP responsiveness. Although often neglected, these factors can significantly affect the results of active measurement studies. We develop a taxonomy of liveness which we employ to develop a method to perform concurrent IPv4 scans using ICMP, five TCP-based, and two UDP-based protocols, comprehensively capturing all responses to our probes, including negative and cross-layer responses. Leveraging our methodology, we present a systematic analysis of liveness and how it manifests in active scanning campaigns, yielding practical insights and method- ological improvements for the design and the execution of active Internet measurement studies.