{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T14:11:58Z","timestamp":1768313518145,"version":"3.49.0"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"CoNEXT3","license":[{"start":{"date-parts":[[2023,11,27]],"date-time":"2023-11-27T00:00:00Z","timestamp":1701043200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003246","name":"Netherlands Organisation for Scientific Research","doi-asserted-by":"crossref","award":["NWA.1215.18.003"],"award-info":[{"award-number":["NWA.1215.18.003"]}],"id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"crossref"}]},{"name":"German Federal Ministry of Education and Research","award":["16KIS1370"],"award-info":[{"award-number":["16KIS1370"]}]},{"DOI":"10.13039\/501100001659","name":"German Research Foundation","doi-asserted-by":"crossref","award":["CA595\/13-1"],"award-info":[{"award-number":["CA595\/13-1"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100006374","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["101008468 and 101079774"],"award-info":[{"award-number":["101008468 and 101079774"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Netw."],"published-print":{"date-parts":[[2023,11,27]]},"abstract":"Internet-wide scans are an important tool to evaluate the deployment of services. To enable large-scale application layer scans, a fast, stateless port scan (e.g., using ZMap) is often performed ahead of time to collect responsive targets. It is a common expectation that port scans on the entire IPv4 address space provide a relatively unbiased view as they cover the complete address space. Previous work, however, has found prefixes where all addresses share particular properties. In IPv6, aliased prefixes and fully responsive prefixes, i.e., prefixes where all addresses are responsive, are a well-known phenomenon. However, there is no such in-depth analysis for prefixes with these responsiveness patterns in IPv4.<\/jats:p>\n This paper delves into the underlying factors of this phenomenon in the context of IPv4 and evaluates port scans on a total of 161 ports (142 TCP & 19 UDP ports) from three different vantage points. To account for packet loss and other scanning artifacts, we propose the notion of a new category of prefixes, which we call highly responsive prefixes (HRPs). Our findings show that the share of HRPs can make up 70% of responsive addresses on selected ports. Regarding specific ports, we observe that CDNs contribute to the largest fraction of HRPs on TCP\/80 and TCP\/443, while TCP proxies emerge as the primary cause of HRPs on other ports. Our analysis also reveals that application layer handshakes to targets outside HRPs are, depending on the chosen service, up to three times more likely to be successful compared to handshakes with targets located in HRPs. To improve future scanning campaigns conducted by the research community, we make our study's data publicly available and provide a tool for detecting HRPs. Furthermore, we propose an approach for a more efficient, ethical, and sustainable application layer target selection. We demonstrate that our approach has the potential to reduce the number of TLS handshakes by up to 75% during an Internet-wide scan while successfully obtaining 99 % of all unique certificates.<\/jats:p>","DOI":"10.1145\/3629146","type":"journal-article","created":{"date-parts":[[2023,11,28]],"date-time":"2023-11-28T15:40:05Z","timestamp":1701186005000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["Packed to the Brim: Investigating the Impact of Highly Responsive Prefixes on Internet-wide Measurement Campaigns"],"prefix":"10.1145","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9375-3113","authenticated-orcid":false,"given":"Patrick","family":"Sattler","sequence":"first","affiliation":[{"name":"Technical University of Munich, Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2918-016X","authenticated-orcid":false,"given":"Johannes","family":"Zirngibl","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5174-9140","authenticated-orcid":false,"given":"Mattijs","family":"Jonker","sequence":"additional","affiliation":[{"name":"University of Twente, Enschede, Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3425-9331","authenticated-orcid":false,"given":"Oliver","family":"Gasser","sequence":"additional","affiliation":[{"name":"Max Planck Institute for Informatics, Saarbr\u00fccken, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2347-1839","authenticated-orcid":false,"given":"Georg","family":"Carle","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Munich, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9614-2377","authenticated-orcid":false,"given":"Ralph","family":"Holz","sequence":"additional","affiliation":[{"name":"University of M\u00fcnster, M\u00fcnster, Netherlands"}]}],"member":"320","published-online":{"date-parts":[[2023,11,28]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664285"},{"key":"e_1_2_1_2_1","volume-title":"Scanning the Internet for Liveness. ACM SIGCOMM Computer Communication Review","author":"Bano Shehar","year":"2018","unstructured":"Shehar Bano, Philipp Richter, Mobin Javed, Srikanth Sundaresan, Zakir Durumeric, Steven J. Murdoch, Richard Mortier, and Vern Paxson. 2018. Scanning the Internet for Liveness. ACM SIGCOMM Computer Communication Review (2018)."},{"key":"e_1_2_1_3_1","volume-title":"Rohrer","author":"Beverly Robert","year":"2013","unstructured":"Robert Beverly, William Brinkmeyer, Matthew Luckie, and Justin P. Rohrer. 2013. IPv6 Alias Resolution via Induced Fragmentation. In Proc. Passive and Active Measurement (PAM)."},{"key":"e_1_2_1_4_1","unstructured":"Cloudflare. 2019. It's crowded in here! https:\/\/blog.cloudflare.com\/its-crowded-in-here\/"},{"key":"e_1_2_1_5_1","unstructured":"Cloudflare. 2021. Unbuckling the narrow waist of IP: Addressing Agility for Names and Web Services. https:\/\/blog.cloudflare.com\/addressing-agility\/"},{"key":"e_1_2_1_6_1","unstructured":"Cloudflare. 2023. Cloudflare Spectrum. https:\/\/www.cloudflare.com\/products\/cloudflare-spectrum\/"},{"key":"e_1_2_1_7_1","unstructured":"Cloudflare. 2023. Cloudflare Spectrum - Network ports. https:\/\/developers.cloudflare.com\/fundamentals\/get-started\/reference\/network-ports\/"},{"key":"e_1_2_1_8_1","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Costin Andrei","year":"2014","unstructured":"Andrei Costin, Jonas Zaddach, Aur\u00e9lien Francillon, and Davide Balzarotti. 2014. A Large-Scale Analysis of the Security of Embedded Firmwares. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA, 95--110."},{"key":"e_1_2_1_9_1","doi-asserted-by":"crossref","unstructured":"David Dittrich Erin Kenneally et al. 2012. The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security (2012).","DOI":"10.2139\/ssrn.2445102"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","unstructured":"J. Durand I. Pepelnjak and G. Doering. 2015. BGP Operations and Security. RFC 7454 (Best Current Practice). https:\/\/doi.org\/10.17487\/RFC7454","DOI":"10.17487\/RFC7454"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","author":"Durumeric Zakir","unstructured":"Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. 2015. A Search Engine Backed by Internet-Wide Scanning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (Denver, Colorado, USA) (CCS '15). Association for Computing Machinery, New York, NY, USA, 542--553."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the 2014 Conference on Internet Measurement Conference","author":"Durumeric Zakir","unstructured":"Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman. 2014. The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (Vancouver, BC, Canada) (IMC '14). Association for Computing Machinery, New York, NY, USA, 475--488."},{"key":"e_1_2_1_13_1","volume-title":"Proc. USENIX Security Symposium. Washington, D.C., USA.","author":"Durumeric Zakir","unstructured":"Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In Proc. USENIX Security Symposium. Washington, D.C., USA."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3452296.3472922"},{"key":"e_1_2_1_15_1","volume-title":"In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements. In Passive and Active Measurement Conference","author":"Gasser Oliver","year":"2018","unstructured":"Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, and Georg Carle. 2018. In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements. In Passive and Active Measurement Conference 2018."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278564"},{"key":"e_1_2_1_17_1","volume-title":"Proc. 8th Int. Workshop on Traffic Monitoring and Analysis. Louvain-la-Neuve, Belgium.","author":"Gasser Oliver","year":"2016","unstructured":"Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle. 2016. Scanning the IPv6 Internet: Towards a Comprehensive Hitlist. In Proc. 8th Int. Workshop on Traffic Monitoring and Analysis. Louvain-la-Neuve, Belgium."},{"key":"e_1_2_1_18_1","unstructured":"Oliver Gasser Markus Sosnowski Patrick Sattler and Johannes Zirngibl. 2023. Goscanner. Retrieved 2023-03--24 from https:\/\/github.com\/tumi8\/goscanner"},{"key":"e_1_2_1_19_1","unstructured":"Robert Graham. [n. d.]. MASSCAN: Mass IP port scanner. https:\/\/github.com\/robertdavidgraham\/masscan"},{"key":"e_1_2_1_20_1","unstructured":"Marcia Hofmann. 2013. Legal Considerations for Widespread Scanning. Retrieved 2023-09--26 from https:\/\/www.rapid7.com\/blog\/post\/2013\/10\/30\/legal-considerations-for-widespread-scanning\/"},{"key":"e_1_2_1_21_1","unstructured":"https:\/\/csirt.divd.nl\/. 2023. Making the internet safer through Coordinated Vulnerability Disclosure. Retrieved 2023-03--24 from https:\/\/csirt.divd.nl\/"},{"key":"e_1_2_1_22_1","unstructured":"ICANN. 2023. CZDS - Centralized Zone Data Service. Retrieved 2023--10-05 from https:\/\/czds.icann.org\/"},{"key":"e_1_2_1_23_1","volume-title":"Proc. USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/izhikevich","author":"Izhikevich Liz","year":"2021","unstructured":"Liz Izhikevich, Renata Teixeira, and Zakir Durumeric. 2021. LZR: Identifying Unexpected Internet Services. In Proc. USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/izhikevich"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3544216.3544249"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987457"},{"key":"e_1_2_1_26_1","volume-title":"Proc. ACM Int. Measurement Conference (IMC)","author":"Luckie Matthew","unstructured":"Matthew Luckie, Robert Beverly, William Brinkmeyer, and kc claffy. 2013. Speedtrap: Internet-Scale IPv6 Alias Resolution. In Proc. ACM Int. Measurement Conference (IMC) (Barcelona, Spain)."},{"key":"e_1_2_1_27_1","unstructured":"MANRS. 2021. Prefix filter configuration tools. https:\/\/www.manrs.org\/isps\/guide\/filtering\/"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131405"},{"key":"e_1_2_1_29_1","unstructured":"University of Oregon. 2023. University of Oregon Route Views Project. http:\/\/www.routeviews.org\/routeviews\/"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-15509-8_11"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2896816"},{"key":"e_1_2_1_32_1","unstructured":"The ZMap Project. 2023. ZGrab 2.0. Retrieved 2023-03--24 from https:\/\/github.com\/zmap\/zgrab2"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","unstructured":"Patrick Sattler Johannes Zirngibl Mattijs Jonker Oliver Gasser Georg Carle and Ralph Holz. 2023. Data and Analysis at TUM University Library. https:\/\/mediatum.ub.tum.de\/1723389 doi:10.14459\/2023mp1723389.","DOI":"10.14459\/2023mp1723389"},{"key":"e_1_2_1_34_1","unstructured":"Patrick Sattler Johannes Zirngibl Mattijs Jonker Oliver Gasser Georg Carle and Ralph Holz. 2023. HRP Website with data. Retrieved 2023--10-05 from https:\/\/hrp-stats.github.io\/"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3544912.3544916"},{"key":"e_1_2_1_36_1","unstructured":"Shadowserver. 2023. Shadowserver - Lighting the way to a more secure Internet. Retrieved 2023-03--24 from https:\/\/www.shadowserver.org\/"},{"key":"e_1_2_1_37_1","unstructured":"Shodan. 2023. Shodan Dashboard. Retrieved 2023-03--24 from https:\/\/www.shodan.io\/dashboard"},{"key":"e_1_2_1_38_1","unstructured":"Rapid7 Project Sonar. 2023. Open Data. Retrieved 2023-03--24 from https:\/\/opendata.rapid7.com\/"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2016.2558918"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3424214"},{"key":"e_1_2_1_41_1","volume-title":"Proc. Network Traffic Measurement and Analysis Conference (TMA)","author":"Zirngibl Johannes","year":"2022","unstructured":"Johannes Zirngibl, Steffen Deusch, Patrick Sattler, Juliane Aulbach, Georg Carle, and Mattijs Jonker. 2022. Domain Parking: Largely Present, Rarely Considered!. In Proc. Network Traffic Measurement and Analysis Conference (TMA) 2022."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW59978.2023.00058"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561440"}],"container-title":["Proceedings of the ACM on Networking"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3629146","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3629146","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:03:22Z","timestamp":1755907402000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3629146"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,27]]},"references-count":43,"journal-issue":{"issue":"CoNEXT3","published-print":{"date-parts":[[2023,11,27]]}},"alternative-id":["10.1145\/3629146"],"URL":"https:\/\/doi.org\/10.1145\/3629146","relation":{},"ISSN":["2834-5509"],"issn-type":[{"value":"2834-5509","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,27]]},"assertion":[{"value":"2023-11-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}