Cloud-hosted services represent an open measurement problem for ZMap because IPs are shared, ephemeral, and behind CDN layers, making traditional IP-to-service attribution unreliable. The paper identifies reconciling scan-based observation with cloud infrastructure as a key challenge for the next decade.

A decade of ZMap-based studies has produced documented operational norms including blocklist hygiene (organizations can opt out of scans via ZBlocklist) and ethical rate-limiting practices. The same blocklist infrastructure that protects opt-out organizations also provides a model for reducing proxy infrastructure visibility.

Abstract — operational practices / ZBlocklist tool evaluation

A decade of Internet-wide scanning practice has established that cloud-hosted services present a fundamental measurement ambiguity: IP ownership is ephemeral and shared, making per-IP findings unreliable and complicating the attribution of services to specific operators or censors.

Abstract (open problems) evaluation

IPv6 measurement remains an open problem for ZMap because the address space is too large for exhaustive single-packet enumeration, unlike IPv4. This asymmetry means IPv6-addressed infrastructure is structurally harder to enumerate via blocklisting.

Abstract — open problems evaluation

LZR, built on top of ZMap, can identify 99% of unexpected Internet services in five handshakes by acting as a shim between ZMap and ZGrab. This gives censors and researchers alike an efficient active-probing primitive to fingerprint proxy protocols at scale.

LZR tool description detection

ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a gigabit connection; with a 10 GigE connection and PF_RING, the same scan completes in 5 minutes. This makes Internet-wide enumeration of proxy infrastructure operationally trivial for any well-resourced actor.

Project overview evaluation

ZMap can scan the entire public IPv4 address space on a single port in under 45 minutes on a 1 Gbps connection; with a 10 GigE connection and PF_RING, the full IPv4 address space scan completes in 5 minutes. This throughput enables near-real-time Internet-wide enumeration of any service listening on a given port.

ZMap tool description evaluation

After a decade of ZMap-based measurement, the authors identify IPv6 scanning as an unresolved open problem: the vastly larger IPv6 address space makes exhaustive scanning infeasible, fundamentally changing the threat model for service discovery compared to IPv4.

Abstract (open problems) evaluation

'Resource Inaccessible' was the most frequently reported issue (61% of 119 submitted reports) during a month of naturalistic Tor Browser browsing, followed by CAPTCHAs (18%), Broken Content (17%), Other Issues (13%), and Timeouts (5%). These categories document the operational failure modes that degrade everyday Tor Browser usability beyond protocol-level censorship.

2026-micallef-reportor-facilitating-user §6.1, Figure 3 ip-blockingmeasurement-platform

The automated probe list generation system discovered 45.79 potentially blocked domains per 1,000 domains crawled, compared to 4.11 for FilteredWeb — over 10× higher efficacy. It uncovered 1,490 potentially blocked domains in crawls of just 71,960 URLs, versus 1,255 blocked domains found by Hounsel et al. in crawls of 1,000,000 URLs, with 1,473 of the 1,490 domains not overlapping with prior work.

2024-tang-automatic §5.5 measurement-platformdns-poisoningip-blocking

VPS-based vantage points in Singapore and India detected censorship patterns similar to 'free' locations, failing to observe blocking known to be enforced by local ISPs following government directives. This occurred because ISP-level censorship is implemented per-carrier rather than centrally, and the VPS provider's ISP did not enforce those blocks — confirmed by re-testing from a residential IP that did observe the expected blocks.

2024-tang-automatic §6.2 measurement-platformip-blocking

The authors' blockpage-based methodology cannot detect transit censorship implemented via TCP RST injection or packet drops, because distinguishing these from transient network errors requires identifying their location on the routing path. As a result, the 8-country, 6-AS finding is explicitly characterized as a lower bound on the true extent of Russian transit censorship.

2023-ortwein-towards §4.1 Gathering Blockpages / §6 Conclusion rst-injectionip-blockingmeasurement-platform

29 of 80 VPN providers — including paid services — configure clients to resolve DNS through third-party public resolvers (Google Public DNS, Cloudflare, OpenDNS, Quad9) rather than provider-operated infrastructure. Three self-hosted solutions (Algo, Streisand, Outline) hardcode public DNS with no easy override, causing connection failures in regions where those services are blocked.

2022-ramesh-vpnalyzer §VI (Fig. 5) ip-blockingmeasurement-platform

ICLab's commercial VPN vantage points reside in data-center ('content') ASes for 41% of monitored networks, which may experience less aggressive censorship than residential ISPs, making VPN-based measurements a systematic lower bound on blocking rates faced by ordinary users. In countries where both VPN and volunteer-operated device (VOD) vantages coexist, identical block pages were observed from both AS types, indicating similar overt blocking policies, but covert IP-based or RST-injection blocking may still differ by AS class.

2020-niaki-iclab §III-B measurement-platformip-blocking