Scanning Best Practices - zmap/zmap GitHub Wiki
We offer the following updated set of best practices as a recommended starting point when conducting active measurements:
- Minimize Internet Impact. While Internet scanning is a powerful research methodology, it can also affect systems and create work for operators. Consider whether existing open source datasets provide the data you need. If you do perform scans, conduct scans no larger or more frequent than necessary and at the minimum scan rate needed for your research objectives. Publish any scan data you collect.
- Signal Intent. When possible, publish reverse DNS entries, IP WHOIS records, and a website that describes the scans. Ensure that operators can easily contact the research team.
- Provide An Opt-Out Mechanism. Provide a simple mechanism for operators to request exclusion from future scans. Indicate the IP ranges you use for scanning so that operators can drop research traffic themselves.
- Proactively Investigate Effects. Run newly developed scanning code against your own systems to ensure that you understand how scans might affect devices and appear in logs. Start with small experiments before completing full scans in case your scanner causes unexpected problems.
- Coordinate Locally. Coordinate with your local IT and security teams to reduce the risk of overwhelming local networks, as well as to ensure that they know how to handle any inbound inquiries from operators.
- Disclose Results. When appropriate, consider how you can improve the security of the systems you have scanned. Responsibly disclose security problems you uncover and consider notifying vulnerable system owners.

For more information on how we think about best practices, see Section 6 of "Ten Years of ZMap". To reference our best practices, please cite:
@inproceedings{durumeric2024ten,
title={Ten Years of {ZMap}},
author={Durumeric, Zakir and Adrian, David and Stephens, Phillip and Wustrow, Eric and Halderman, J Alex},
booktitle={ACM Internet Measurement Conference},
year={2024}
}