Identify globally situated IPv6 scanning entities

Develop reliable methods to identify globally situated IPv6 scanning entities that dispatch probes from multiple distributed IPv6 source addresses across networks, going beyond localizable scan-source aggregation (e.g., /128 and /64), so that related sources can be attributed to the same scanning entity.

Background

The paper defines scanners that may operate from single sources or from multiple locally and globally distributed addresses, making attribution to a single entity challenging. To avoid misattribution, the study focuses on localizable scan sources and analyzes both /128 and /64 aggregation levels when grouping sources.

Prior IPv6 scanner studies often identify scanners by individual addresses or /64 aggregation. However, attributing globally distributed scanning infrastructure—potentially spanning multiple prefixes and networks—remains complex, motivating a methodological advance for identification across distributed sources.
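The /128 and /64 aggregation levels described above, as an added example that is not code from the paper or from this page: it groups constructed probe records by source prefix with Python's ipaddress module. The record layout, the function name aggregate_sources and all addresses (documentation prefix 2001:db8::/32) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed (source, target) probe records; not taken from the paper's data.
PROBES = [
    ("2001:db8:a:1::10", "2001:db8:ffff::1"),
    ("2001:DB8:A:1:0:0:0:10", "2001:db8:ffff::2"),       # same /128, other spelling
    ("2001:db8:a:1::11", "2001:db8:ffff::3"),            # same /64, new /128
    ("2001:db8:a:1:dead:beef:0:1", "2001:db8:ffff::4"),  # same /64, new /128
    ("2001:db8:b:7::10", "2001:db8:ffff::5"),            # different /64
    ("2001:db8:c:9::10", "2001:db8:ffff::6"),            # different /64
    ("::ffff:192.0.2.1", "2001:db8:ffff::7"),            # IPv4-mapped source
    ("not-an-address", "2001:db8:ffff::8"),              # malformed log field
]


def aggregate_sources(probes, prefix_len):
    """Group probes by source prefix.

    Returns ({source network: set of targets}, number of skipped records).
    Parsing normalises textual variants so one address is one /128 source.
    """
    groups = defaultdict(set)
    skipped = 0
    for src, dst in probes:
        try:
            addr = ipaddress.IPv6Address(src)
        except ValueError:
            skipped += 1          # unparsable source field
            continue
        if addr.ipv4_mapped is not None:
            skipped += 1          # IPv4 traffic in IPv6 notation, not a scan source here
            continue
        # strict=False masks the host bits down to the requested prefix length
        net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
        groups[net].add(ipaddress.IPv6Address(dst))
    return dict(groups), skipped


if __name__ == "__main__":
    for plen in (128, 64):
        groups, skipped = aggregate_sources(PROBES, plen)
        print(f"/{plen}: {len(groups)} sources, {skipped} records skipped")
        for net, targets in sorted(groups.items()):
            print(f"  {net}  targets={len(targets)}")
```

At /64 the three constructed prefixes still appear as three separate sources; prefix aggregation alone carries no information that would link them to one entity, which is the attribution gap the problem statement describes.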

References

Identifying globally situated scanning entities is a complex task and we leave this for future work.

A Detailed Measurement View on IPv6 Scanners and Their Adaption to BGP Signals (2506.20383 - Egloff et al., 25 Jun 2025) in Subsection 3.3 (Scanner, Sources, and Sessions), Scanner and scan sources