Block and Allow Lists - zmap/zmap GitHub Wiki

ZMap supports both blocklisting and allowlisting network prefixes. If ZMap is not given a blocklist or allowlist, it scans all IPv4 addresses (including local, reserved, and multicast addresses). If a blocklist file is specified, addresses in the blocklisted prefixes are not scanned; if an allowlist file is provided, only addresses in the allowlisted prefixes are scanned. An allowlist and a blocklist can be used together; the blocklist takes priority over the allowlist (e.g. if you have allowlisted 10.0.0.0/8 and blocklisted 10.1.0.0/16, then 10.1.0.0/16 will not be scanned). Allowlist and blocklist files are specified on the command line as follows:

  • -b, --blocklist-file=path File of subnets to blocklist in CIDR notation, e.g. 192.168.0.0/16
  • -w, --allowlist-file=path File of subnets to limit scan to in CIDR notation, e.g. 192.168.0.0/16

Blocklist files should be formatted with a single network prefix in CIDR notation per line. Comments are allowed using the # character. Example:

# From IANA IPv4 Special-Purpose Address Registry
# http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
# Updated 2013-05-22

0.0.0.0/8           # RFC1122: "This host on this network"
10.0.0.0/8          # RFC1918: Private-Use
100.64.0.0/10       # RFC6598: Shared Address Space
127.0.0.0/8         # RFC1122: Loopback
169.254.0.0/16      # RFC3927: Link Local
172.16.0.0/12       # RFC1918: Private-Use
192.0.0.0/24        # RFC6890: IETF Protocol Assignments
192.0.2.0/24        # RFC5737: Documentation (TEST-NET-1)
192.88.99.0/24      # RFC3068: 6to4 Relay Anycast
192.168.0.0/16      # RFC1918: Private-Use
192.18.0.0/15       # RFC2544: Benchmarking
198.51.100.0/24     # RFC5737: Documentation (TEST-NET-2)
203.0.113.0/24      # RFC5737: Documentation (TEST-NET-3)
240.0.0.0/4         # RFC1112: Reserved
255.255.255.255/32  # RFC0919: Limited Broadcast

# From IANA Multicast Address Space Registry
# http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml
# Updated 2013-06-25

224.0.0.0/4         # RFC5771: Multicast/Reserved
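To make the file format and the priority rule concrete, here is an added example (not ZMap's own code) that parses lists in this format and decides whether an address would be scanned. The sample lists and the parse_prefix_file/would_scan helpers are constructed for this illustration; masking host bits with strict=False is an assumption of the example, not a statement about ZMap's parser.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample lists in the page's format: one CIDR per line,
# '#' starts a comment, blank lines are ignored.
ALLOWLIST = """
10.0.0.0/8          # allow the whole private range
203.0.113.0/24      # RFC5737: Documentation (TEST-NET-3)
"""

BLOCKLIST = """
# carve-out inside the allowlist: the blocklist must win here
10.1.0.0/16
127.0.0.0/8         # RFC1122: Loopback
224.0.0.0/4         # RFC5771: Multicast/Reserved
"""

def parse_prefix_file(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a ZMap-style prefix file: one CIDR per line, '#' comments."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline/trailing comment
        if not line:
            continue
        try:
            # strict=False masks off host bits (e.g. 10.1.2.3/16 -> 10.1.0.0/16);
            # an assumption for this example, not a claim about ZMap's parser
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad prefix {line!r}") from exc
    return nets

def would_scan(ip: str, allow: Iterable[ipaddress.IPv4Network],
               block: Iterable[ipaddress.IPv4Network]) -> bool:
    """Apply the page's rule: a blocklisted address is never scanned; with an
    allowlist only allowlisted addresses are; with no allowlist, everything
    not blocked is."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in block):
        return False
    allow = list(allow)
    return not allow or any(addr in net for net in allow)

if __name__ == "__main__":
    allow, block = parse_prefix_file(ALLOWLIST), parse_prefix_file(BLOCKLIST)
    for ip in ("10.0.0.1", "10.1.2.3", "203.0.113.9", "8.8.8.8", "127.0.0.1"):
        print(ip, would_scan(ip, allow, block))
```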

If you want to scan only a random portion of the Internet, see https://github.com/zmap/zmap/wiki/Rate-Limiting-and-Sampling instead of using allowlisting and blocklisting.

⚠️ Heads Up! The default ZMap configuration uses the blocklist file at /etc/zmap/blocklist.conf, which contains locally scoped address space and reserved IP ranges. The default configuration can be changed by editing /etc/zmap/zmap.conf.

For allowlists larger than 1M hosts, use -I, which takes a list of target IPs to scan. Note that this file must list individual IP addresses rather than CIDR prefixes. ZMap output can be used as input for -I. This may use more memory than an allowlist if the IPs are grouped into contiguous prefixes, but it is much more CPU efficient for disparate sets of IPs and for large allowlists. When using -I, you may need to adjust the rate: on low-end systems it can free up CPU for the receive thread, or it can increase CPU use because sends may happen more quickly. This depends on your scanning hardware.