Internet-wide service discovery is used to figure out various characteristics about the Internet. It can also be used for tasks such as estimating the global impact of a known security virus or determining how Internet worms create massive botnets. Internet-wide service discovery is conducted by sending scanning packets to all Internet protocol (IP) addresses (232 for IPv4). However, this scanning method often faces a significant number of complaints and blocking.
The motivation of this paper is to unveil the causes of unsuccessful scanning. The paper analyzes the characteristics of scanners and their impacts, which include scan scope, scan order, number of scanning sources, partial scanning, types of scanning packets, scanning timeout and duration, and blacklisting. In addition, it proposes a novel metric (called politeness) that indicates the level of burden on remote networks. The analysis enables the design of a scanner that shows high performance and low complaints. Furthermore, the paper presents some interesting observations with the proposed scanner: the Internet is memoryless concerning scanners, there is no evidence of more complaints against the transmission control protocol (TCP) than the Internet control message protocol (ICMP), and network administrators are sensitive to traffic that clearly stands out rather than to scans on sensitive ports.
To reduce the number of complaints, the authors made a number of efforts such as inserting a detailed description of the scanning purpose in the scanning packet, quickly responding to complaint emails, and designing a scanner based on the politeness metric. However, the first two methods are not affordable to all scanning researchers. Thus, without the first two methods, the effect of the proposed scanner will be less than the presented experimental results.
