VistaScan: Optimizing Internet-Wide Scanning Through Visibility-Aware Distributed Task Allocation
Abstract
1. Introduction
- The first formalization and large-scale validation of Visibility Consistency. We discover and formally characterize the phenomenon that visibility remains consistent within blocks, enabling the use of a few representative IPs to infer whole-block visibility. We formulate this concept using Jaccard similarity and empirically establish /23 blocks as the optimal task allocation unit.
- A lightweight method for efficient and scalable quantification of per-node visibility. We show that using three anchor IPs from different probing sources is a practical and effective heuristic for characterizing block-level visibility. We also propose two anchor selection methods and construct a node–CIDR visibility matrix, where each value in the continuous range [0,1] reflects a node’s proficiency in probing a block.
- The design and implementation of the VistaScan system. VistaScan comprises four modules: CIDR Partitioning, Anchor Selection, Visibility Matrix Construction, and Load-Aware Task Allocation, significantly improving the performance of distributed Internet measurement by streamlining evaluation, quantifying capability, optimizing assignment, and pruning infeasible work.
2. Background and Motivation
2.1. Heterogeneity in Node Visibility
2.2. Limitations of Existing Allocation Strategies
2.3. Problem Formalization and Key Insight
3. VistaScan System Design
3.1. CIDR Partitioning
- 1.
- IP-to-Country Mapping: Each IP address is mapped to its corresponding country or region using the MaxMind GeoLite2 database. This initial grouping takes advantage of the premise that IPs within the same geographic region are more likely to share network infrastructure and visibility characteristics.
- 2.
- Canonical Splitting: Address blocks larger than a /23 prefix are split into /23 CIDR blocks. This specific size was selected based on the analysis in Appendix C.3, which found it to be the optimal trade-off between Visibility Consistency and management overhead.
3.2. Anchor Selection
- 1.
- Historical Data-Based Selection: This approach utilizes existing probing results, requiring no additional probing overhead beyond the main task. Although computationally efficient, its main limitation is the potential lack of timeliness in anchor IP availability, as the historical data may not reflect the current network state.
- 2.
- Instant Probing-Based Selection: This method involves initiating a targeted, rapid random probe for a single IP within each target CIDR block by pre-configured nodes. The results of these probes are then aggregated to generate the final anchor list. The principal advantage of this method is the strong timeliness and freshness of the anchors obtained. However, it introduces additional probing overhead and latency before the main scan can begin.
| Algorithm 1 Historical Data-Based Anchor IP Selection | |
| Require: Set of distributed nodes: | |
| Require: Sorted IP lists from each node’s scan results: | |
| Require: List of target CIDR blocks: C | |
| Ensure: Representative IP list R | |
| Ensure: Mapping M from CIDR blocks to representative IPs | |
| 1: | ▹ Initialize representative IP list |
| 2: | ▹ Initialize CIDR-to-IP mapping |
| 3: for each CIDR block in C do | |
| 4: | ▹ Initialize set for candidate IPs per block |
| 5: for each node in N do | |
| 6: | ▹ Binary search for IPs in CIDR |
| 7: if then | |
| 8: | ▹ Random selection per node |
| 9: | ▹ Add to candidate set |
| 10: end if | |
| 11: end for | |
| 12: | ▹ Preserve order while removing duplicates |
| 13: if then | |
| 14: | ▹ Select up to 3 unique IPs |
| 15: | ▹ Add to final representative list |
| 16: for each IP in F do | |
| 17: | ▹ Add to CIDR-to-IP mapping |
| 18: end for | |
| 19: end if | |
| 20: end for | |
| 21: return | |
3.3. Visibility Matrix Construction
| Algorithm 2 Build Visibility Matrix M | |
| Require: | ▹ Map: Block c to its anchor lists |
| 1: | ▹ Map: Node n to its set of visible anchors |
| 2: | ▹ Lists of all nodes and CIDR blocks |
| Ensure: Visibility Matrix | |
| 3: | ▹ Initialize IP-to-Block mapping |
| 4: for do | |
| 5: for do | |
| 6: | |
| 7: end for | |
| 8: end for | |
| 9: for do | ▹ For each node |
| 10: | ▹ Initialize per-block counter |
| 11: for do | ▹ For each anchor visible to node n |
| 12: if then | |
| 13: | |
| 14: | |
| 15: end if | |
| 16: end for | |
| 17: for do | ▹ Compute final scores |
| 18: | |
| 19: end for | |
| 20: end for | |
3.4. Load-Aware Task Allocation
| Algorithm 3 Load-Aware Task Allocation | |
| Require: : List of CIDR blocks | |
| 1: : Visibility matrix ( nodes × blocks) | |
| 2: : List of distributed nodes | |
| Ensure: : Block-to-node assignment | |
| 3: : Node load counts | |
| 4: , for all | |
| 5: | ▹ Blocks with |
| 6: | ▹ Blocks not in or with |
| 7: for each block do | |
| 8: if then | |
| 9: | |
| 10: else | |
| 11: | ▹ For future implementation |
| 12: end if | |
| 13: end for | |
| 14: for each block do | |
| 15: | |
| 16: | |
| 17: if then | |
| 18: | |
| 19: else | |
| 20: | |
| 21: end if | |
| 22: , | |
| 23: end for | |
| 24: return , | |
4. Evaluation
4.1. Experimental Setup
- Centralized: A single node (e.g., US) scans the entire target list. This baseline highlights the advantages of a distributed architecture over a traditional centralized approach.
- Union-of-All: All five nodes independently and simultaneously scan the entire target set. The final result is the Union-of-All their outputs. This provides the absolute upper bound for the coverage achievable by any distributed system with these five vantage points, serving as a key reference for evaluating the coverage efficiency of VistaScan and other methods.
- Naive-Distributed-Random: The original, unsplit target list of IPs is randomly and uniformly assigned to the five nodes. This evaluates a simple distributed strategy without intelligent partitioning or allocation.
- Partitioned-Distributed-Random: The target IP space is first partitioned into /23 CIDR blocks using the VistaScan CIDR partitioning module. Then, this list of blocks is randomly and uniformly assigned to the five nodes. This baseline isolates the performance gain that is only attributable to the CIDR partitioning step.
- Geo-Heuristic: Targets are assigned to the geographically closest node to them (for example, Brazilian IPs to the BR node). This baseline is only used for the Regional task and represents a common geographic-driven heuristic.
- Global Coverage: The total number of unique IP addresses that respond. To contextualize this absolute value and measure the efficiency of a method’s coverage, we also report it as a percentage of the total unique IPs found by the Union-of-All baseline. This relative measure indicates how close a method gets to the theoretical maximum coverage achievable with the given set of vantage points.
- Total Packets Sent: The aggregate number of probe packets sent by all nodes, indicating the overall network overhead and efficiency of the method.
- Total Completion Time: The wall-clock time from the start of the first probe to the completion of the last probe across all nodes.
- Node Load Balance: The standard deviation of the number of scanning IP addresses assigned to each node, quantifying the fairness workload distribution.
4.2. Coverage Analysis
4.3. Efficiency Analysis: Overhead and Completion Time
4.4. Load Balance Analysis
5. Discussion and Limitations
- Streamlining Evaluation: The Visibility Consistency principle enables the inference of full-block visibility from a few anchor IPs, dramatically lowering the assessment overhead through targeted probing rather than full-block scanning.
- Quantifying Capability: We design two anchor selection methods and then build the Visibility Matrix through lightweight probing of anchor IPs, in which are the per-node visibility scores for each block.
- Optimizing Assignment: Using the Visibility Matrix to assign each block to the node with the highest probability of seeing it (the “most capable” node), while simultaneously balancing the load.
- Pruning Infeasible Work: Intelligently discarding blocks for which no node has significant visibility, thus eliminating ineffective probing.
6. Related Works
7. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Appendix A. Ethical Considerations
Appendix B. Scanning Rate Calibration

Appendix C. The Key Insight: Visibility Consistency Within CIDR Blocks
Appendix C.1. Problem Formulation and Definition
- indicates perfect consistency (all IPs in B have identical visibility patterns);
- indicates no consistency (all IP pairs have completely dissimilar visibility patterns);
- Higher values indicate stronger Visibility Consistency within the block.
Appendix C.2. Verification and Analysis

- High Intra-Block Consistency: The median consistency score is consistently 1.00 across all block sizes. This indicates that for most blocks, knowing the visibility of one IP perfectly predicts the visibility of all others within the same block. The visibility vector of any IP is essentially interchangeable with that of its neighbors.
- Stability Across Scales: The mean consistency remains notably high (above 0.91) across all regularly-sized blocks. This demonstrates that Visibility Consistency is an inherent property driven by network routing and filtering policies, not an artifact of observation scale.
- Existence of Outliers: The standard deviation and the lower quartile values confirm the existence of blocks with lower internal consistency. These typically represent complex network environments such as multi-homed prefixes or blocks employing fine-grained, IP-specific filtering policies.
Appendix C.3. Selecting the Optimal Block Size
- High Absolute Consistency: It maintains a high mean consistency score of 0.934, ensuring the core premise of our method holds.
- Favorable Proportion of Difficult Blocks: The proportion of blocks with consistency below 0.90 (21.6%) is among the lowest for regularly-sized splits, minimizing the potential for misrepresentation by anchors.
- Superior Manageability: With 8798 blocks, it provides an ample number of tasks to enable efficient load balancing across our distributed nodes, without incurring the excessive overhead of managing tens of thousands of smaller blocks.
| Mask | Count | Mean | Median | Std | Q1 | Q3 | Prop. < 0.95 | Prop. < 0.90 |
|---|---|---|---|---|---|---|---|---|
| Original | 595 | 0.9511 | 1.0000 | 0.1211 | 0.9623 | 1.0000 | 0.2151 | 0.1361 |
| 20 | 2161 | 0.9306 | 1.0000 | 0.1248 | 0.9111 | 1.0000 | 0.3318 | 0.2272 |
| 21 | 3455 | 0.9325 | 1.0000 | 0.1268 | 0.9176 | 1.0000 | 0.3146 | 0.2272 |
| 22 | 5595 | 0.9355 | 1.0000 | 0.1231 | 0.9200 | 1.0000 | 0.3001 | 0.2193 |
| 23 | 8798 | 0.9341 | 1.0000 | 0.1281 | 0.9222 | 1.0000 | 0.2851 | 0.2157 |
| 24 | 12,994 | 0.9305 | 1.0000 | 0.1352 | 0.9200 | 1.0000 | 0.2872 | 0.2212 |
| 25 | 18,909 | 0.9252 | 1.0000 | 0.1457 | 0.9053 | 1.0000 | 0.2928 | 0.2330 |
| 26 | 26,194 | 0.9204 | 1.0000 | 0.1530 | 0.9000 | 1.0000 | 0.2964 | 0.2458 |
| 27 | 35,710 | 0.9140 | 1.0000 | 0.1632 | 0.8930 | 1.0000 | 0.3066 | 0.2529 |
| 28 | 48,232 | 0.9122 | 1.0000 | 0.1765 | 0.9000 | 1.0000 | 0.3001 | 0.2447 |
Appendix D. Criteria for Anchor IP Selection
- Representativeness: The selected IPs should be representative of their block; that is, if a node can see a given anchor IP, it should be able to see the vast majority of IPs within that block. The principle of Visibility Consistency explicitly validates the representativeness of anchor IPs. In theory, the chosen IPs should exhibit the most prevalent visibility pattern within the block.
- Discriminative Power: IPs with significant variation in visibility between different nodes should be selected. Divergent probing results for an IP from different nodes help highlight the differences in their coverage capabilities.
- Quantity: Due to the existence of Visibility Consistency, a single IP could, in theory, represent an entire block, offering the lowest probing and maintenance overhead. However, we opt against using just one IP for two reasons. First, a considerable proportion of blocks exhibit poor Visibility Consistency, where a single IP cannot guarantee representativeness for the whole block. Second, a single IP introduces a point of failure; if that specific IP goes offline, it could lead to the erroneous conclusion that the entire block is unreachable, thereby compromising the accuracy of all subsequent processes and the entire methodology. Hence, a multi-anchor strategy is necessary. The multi-anchor strategy also enables the visibility of a node to a block to be represented as a score value rather than a simple binary value. This scoring provides fine-grained differentiation, directly reflecting the node’s proficiency with the block, and tasks can be assigned based on these scores. Conversely, the number of anchors should not be excessively large, as too many would increase the probing and management overhead.
References
- Kaur, J.; Ramkumar, K. The recent trends in cyber security: A review. J. King Saud-Univ.-Comput. Inf. Sci. 2022, 34, 5766–5781. [Google Scholar] [CrossRef]
- Durumeric, Z.; Clark, H.; Cody, J.; Cubit, E.; Ellison, M.; Izhikevich, L.; Mirian, A. Censys: A Map of Internet Hosts and Services. In Proceedings of the ACM SIGCOMM 2025 Conference, Coimbra, Portugal, 8–11 September 2025; pp. 147–163. [Google Scholar]
- Durumeric, Z.; Adrian, D.; Stephens, P.; Wustrow, E.; Halderman, J.A. Ten years of zmap. In Proceedings of the 2024 ACM on Internet Measurement Conference, Madrid, Spain, 4–6 November 2024; pp. 139–148. [Google Scholar]
- Beurdouche, B.; Bhargavan, K.; Delignat-Lavaud, A.; Fournet, C.; Kohlweiss, M.; Pironti, A.; Strub, P.Y.; Zinzindohoue, J.K. A messy state of the union: Taming the composite state machines of TLS. Commun. ACM 2017, 60, 99–107. [Google Scholar] [CrossRef]
- Checkoway, S.; Niederhagen, R.; Everspaugh, A.; Green, M.; Lange, T.; Ristenpart, T.; Bernstein, D.J.; Maskiewicz, J.; Shacham, H.; Fredrikson, M. On the practical exploitability of dual {EC} in {TLS} implementations. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA, 20–22 August 2014; pp. 319–335. [Google Scholar]
- Bano, S.; Richter, P.; Javed, M.; Sundaresan, S.; Durumeric, Z.; Murdoch, S.J.; Mortier, R.; Paxson, V. Scanning the internet for liveness. ACM SIGCOMM Comput. Commun. Rev. 2018, 48, 2–9. [Google Scholar] [CrossRef]
- Cai, X.; Heidemann, J. Understanding block-level address usage in the visible internet. In Proceedings of the ACM SIGCOMM 2010 Conference, New Delhi, India, 30 August–3 September 2010; pp. 99–110. [Google Scholar]
- Padmanabhan, R.; Dhamdhere, A.; Aben, E.; Claffy, K.; Spring, N. Reasons dynamic addresses change. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 183–198. [Google Scholar]
- Quan, L.; Heidemann, J.; Pradkin, Y. When the Internet sleeps: Correlating diurnal networks with external factors. In Proceedings of the 2014 Conference on Internet Measurement Conference, Vancouver, BC, Canada, 5–7 November 2014; pp. 87–100. [Google Scholar]
- Luo, Y.; Li, C.; Wang, Z.; Yang, J. IPREDS: Efficient prediction system for Internet-wide port and service scanning. Proc. ACM Netw. 2024, 2, 1–24. [Google Scholar] [CrossRef]
- Song, G.; He, L.; Zhao, T.; Luo, Y.; Wu, Y.; Fan, L.; Li, C.; Wang, Z.; Yang, J. Which doors are open: Reinforcement learning-based internet-wide port scanning. In Proceedings of the 2023 IEEE/ACM 31st International Symposium on Quality of Service (IWQoS), Orlando, FL, USA, 19–21 June 2023; IEEE: New York, NY, USA, 2023; pp. 1–10. [Google Scholar]
- Izhikevich, L.; Teixeira, R.; Durumeric, Z. Predicting IPv4 services across all ports. In Proceedings of the ACM SIGCOMM 2022 Conference, Amsterdam, The Netherlands, 22–26 August 2022; pp. 503–515. [Google Scholar]
- Richter, P.; Smaragdakis, G.; Plonka, D.; Berger, A. Beyond counting: New perspectives on the active IPv4 address space. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 135–149. [Google Scholar]
- Holz, R.; Amann, J.; Mehani, O.; Wachs, M.; Kaafar, M.A. TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication. arXiv 2015, arXiv:1511.00341. [Google Scholar]
- Pujol, E.; Richter, P.; Chandrasekaran, B.; Smaragdakis, G.; Feldmann, A.; Maggs, B.M.; Ng, K.C. Back-office web traffic on the internet. In Proceedings of the 2014 Conference on Internet Measurement Conference, Vancouver, BC, Canada, 5–7 November 2014; pp. 257–270. [Google Scholar]
- Durumeric, Z.; Adrian, D.; Mirian, A.; Kasten, J.; Bursztein, E.; Lidzborski, N.; Thomas, K.; Eranti, V.; Bailey, M.; Halderman, J.A. Neither snow nor rain nor MITM…: An empirical analysis of email delivery security. In Proceedings of the 2015 Internet Measurement Conference, Tokyo, Japan, 28–30 October 2015; pp. 27–39. [Google Scholar]
- Beverly, R. Yarrp’ing the Internet: Randomized high-speed active topology discovery. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 413–420. [Google Scholar]
- Vermeulen, K.; Rohrer, J.P.; Beverly, R.; Fourmaux, O.; Friedman, T. {Diamond-Miner}: Comprehensive Discovery of the Internet’s Topology Diamonds. In Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), Santa Clara, CA, USA, 25–27 February 2020; pp. 479–493. [Google Scholar]
- Aviram, N.; Schinzel, S.; Somorovsky, J.; Heninger, N.; Dankel, M.; Steube, J.; Valenta, L.; Adrian, D.; Halderman, J.A.; Dukhovni, V.; et al. {DROWN}: Breaking {TLS} using {SSLv2}. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; pp. 689–706. [Google Scholar]
- Adrian, D.; Bhargavan, K.; Durumeric, Z.; Gaudry, P.; Green, M.; Halderman, J.A.; Heninger, N.; Springall, D.; Thomé, E.; Valenta, L.; et al. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 5–17. [Google Scholar]
- Amann, J.; Gasser, O.; Scheitle, Q.; Brent, L.; Carle, G.; Holz, R. Mission accomplished? HTTPS security after DigiNotar. In Proceedings of the 2017 Internet Measurement Conference, London, UK, 1–3 November 2017; pp. 325–340. [Google Scholar]
- Durumeric, Z.; Wustrow, E.; Halderman, J.A. {ZMap}: Fast internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, DC, USA, 14–16 August 2013; pp. 605–620. [Google Scholar]
- GitHub—Robertdavidgraham/Masscan: TCP Port Scanner, Spews SYN Packets Asynchronously, Scanning Entire Internet in Under 5 Minutes—github.com. Available online: https://github.com/robertdavidgraham/masscan (accessed on 8 September 2025).
- Lyon, G.F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning; Insecure: Sunnyvale, CA, USA, 2009. [Google Scholar]
- McDonald, A.; Bernhard, M.; Valenta, L.; VanderSloot, B.; Scott, W.; Sullivan, N.; Halderman, J.A.; Ensafi, R. 403 forbidden: A global view of CDN geoblocking. In Proceedings of the Internet Measurement Conference 2018, Boston, MA, USA, 31 October–2 November 2018; pp. 218–230. [Google Scholar]
- Chung, T.; Liu, Y.; Choffnes, D.; Levin, D.; Maggs, B.M.; Mislove, A.; Wilson, C. Measuring and applying invalid SSL certificates: The silent majority. In Proceedings of the 2016 Internet Measurement Conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 527–541. [Google Scholar]
- Hastings, M.; Fried, J.; Heninger, N. Weak keys remain widespread in network devices. In Proceedings of the 2016 Internet Measurement conference, Santa Monica, CA, USA, 14–16 November 2016; pp. 49–63. [Google Scholar]
- Wan, G.; Izhikevich, L.; Adrian, D.; Yoshioka, K.; Holz, R.; Rossow, C.; Durumeric, Z. On the origin of scanning: The impact of location on internet-wide scans. In Proceedings of the ACM Internet Measurement Conference, Virtual, 27–29 October 2020; pp. 662–679. [Google Scholar]
- Cao, Y.; Chen, F.; Quan, X.; Zhou, K. DLCAS: Distributed Large-scale Cyberspace Asynchronous Scanning Framework. In Proceedings of the 2024 IEEE 24th International Conference on Communication Technology (ICCT), Chengdu, China, 18–20 October 2024; IEEE: New York, NY, USA, 2024; pp. 1117–1124. [Google Scholar]
- Li, L.; Wang, Y.; Zhu, D.; Li, X.; Du, H.; Lu, Y.; Qu, R.; Higgs, R. Dis-NDVW: Distributed Network Asset Detection and Vulnerability Warning Platform. Comput. Mater. Contin. 2023, 76, 771. [Google Scholar] [CrossRef]
- Xiaopeng, T.; Di, T. A distributed vulnerability scanning on machine learning. In Proceedings of the 2019 6th International Conference on Information Science and Control Engineering (ICISCE), Shanghai, China, 20–22 December 2019; IEEE Computer Society: New York, NY, USA, 2019; pp. 32–35. [Google Scholar]
- Xue, P.; Shen, Y.; Ma, H.; Hu, M. An Area-Aware Efficient Internet-Wide Port Scan Approach for IoT. Electronics 2025, 14, 1267. [Google Scholar] [CrossRef]
- Heidemann, J.; Quan, L.; Pradkin, Y. A preliminary Analysis of Network Outages During Hurricane Sandy; University of Southern California, Information Sciences Institute: Marina del Rey, CA, USA, 2012. [Google Scholar]
- Schulman, A.; Spring, N. Pingin’in the rain. In Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, Berlin, Germany, 2–4 November 2011; pp. 19–28. [Google Scholar]
- Tozal, M.E.; Sarac, K. Estimating network layer subnet characteristics via statistical sampling. In International Conference on Research in Networking; Springer: Berlin/Heidelberg, Germany, 2012; pp. 274–288. [Google Scholar]
- Lee, Y. Improving Accuracy and Efficiency of Network Measurement by Identifying Homogeneous IPV4 Addresses. Ph.D. Thesis, University of Maryland, College Park, MD, USA, 2017. [Google Scholar]
- Bush, R.; Hiebert, J.; Maennel, O.; Roughan, M.; Uhlig, S. Testing the reachability of (new) address space. In Proceedings of the 2007 SIGCOMM Workshop on Internet Network Management, Kyoto, Japan, 27–31 August 2007; pp. 236–241. [Google Scholar]
- Kardes, H.; Gunes, M.; Oz, T. Cheleby: A subnet-level internet topology mapping system. In Proceedings of the 2012 Fourth International Conference on Communication Systems and Networks (COMSNETS 2012), Bangalore, India, 3–7 January 2012; IEEE: New York, NY, USA, 2012; pp. 1–10. [Google Scholar]
- GitHub—zmap/zmap: ZMap Is a Fast Single Packet Network Scanner Designed for Internet-Wide Network Surveys—github.com. Available online: https://github.com/zmap/zmap (accessed on 1 September 2025).
- Adrian, D.; Durumeric, Z.; Singh, G.; Halderman, J.A. Zippier {ZMap}:{internet-wide} scanning at 10 GBPS. In Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT 14), San Diego, CA, USA, 19 August 2014. [Google Scholar]
- GitHub—zmap/zgrab2: Fast Application Layer Scanner—github.com. Available online: https://github.com/zmap/zgrab2 (accessed on 1 September 2025).
- Izhikevich, L.; Teixeira, R.; Durumeric, Z. {LZR}: Identifying unexpected internet services. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Virtual Event, 11–13 August 2021; pp. 3111–3128. [Google Scholar]
- Deri, L. Improving passive packet capture: Beyond device polling. In Proceedings of the SANE, Amsterdam, The Netherlands, 30 September 2004; Volume 2004, pp. 85–93. [Google Scholar]
- Han, S.; Jang, K.; Park, K.; Moon, S. PacketShader: A GPU-accelerated software router. ACM SIGCOMM Comput. Commun. Rev. 2010, 40, 195–206. [Google Scholar]
- Rizzo, L. netmap: A novel framework for fast packet I/O. In Proceedings of the 21st USENIX Security Symposium (USENIX Security 12), Bellevue, WA, USA, 8–10 August 2012; pp. 101–112. [Google Scholar]
- Sarabi, A.; Jin, K.; Liu, M. Smart internet probing: Scanning using adaptive machine learning. In Game Theory and Machine Learning for Cyber Security; John Wiley & Sons: Hoboken, NJ, USA, 2021; pp. 411–437. [Google Scholar]
- Chen, T.; Guestrin, C. Xgboost: A scalable tree boosting system. In Proceedings of the 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, 13–17 August 2016; pp. 785–794. [Google Scholar]
- Song, G.; He, L.; Chen, T.; Lin, J.; Fan, L.; Wen, K.; Wang, Z.; Yang, J. PMap: Reinforcement Learning-Based Internet-Wide Port Scanning. IEEE/ACM Trans. Netw. 2024, 32, 5524–5538. [Google Scholar]








| Node | Location | OS | Hardware |
|---|---|---|---|
| JP | Tokyo, Japan | Ubuntu 20.04 LTS | 2 vCPU/4 GB RAM/100 Mbps |
| BR | São Paulo, Brazil | Ubuntu 20.04 LTS | 2 vCPU/4 GB RAM/100 Mbps |
| DE | Frankfurt, Germany | Ubuntu 20.04 LTS | 2 vCPU/4 GB RAM/100 Mbps |
| US | San Jose, CA, USA | Ubuntu 20.04 LTS | 2 vCPU/4 GB RAM/100 Mbps |
| SG | Singapore | Ubuntu 20.04 LTS | 2 vCPU/4 GB RAM/100 Mbps |
| Task Type | Countries | CIDR Blocks | Total IPs | Target Port(s) |
|---|---|---|---|---|
| Global | 18 | 1800 | 13,936,863 | TCP/80 |
| Regional | 5 | 500 | 2,689,122 | TCP/80 |
| Special-Block | 15 | 53 | 3,915,152 | TCP/80, 22, 53 |
| Task | VistaScan | Union-of- All | Centralized | Naive- Random | Partitioned- Random | Geo- Heuristic | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| JP | BR | DE | US | SG | ||||||
| Global | 97.95% | 100.0% | 92.35% | 96.60% | 96.08% | 96.28% | 96.08% | 95.31% | 96.08% | - |
| Regional | 99.05% | 100.0% | 96.30% | 96.52% | 96.38% | 98.94% | 96.09% | 96.36% | 96.76% | 99.35% |
| Special-Block | 97.58% | 100.0% | 61.88% | 93.52% | 91.00% | 90.03% | 92.73% | 66.23% | 83.27% | - |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Hu, L.; Shi, F.; Shen, Y.; Xu, C.; Xue, P.; Guo, B. VistaScan: Optimizing Internet-Wide Scanning Through Visibility-Aware Distributed Task Allocation. Sensors 2026, 26, 1458. https://doi.org/10.3390/s26051458
Hu L, Shi F, Shen Y, Xu C, Xue P, Guo B. VistaScan: Optimizing Internet-Wide Scanning Through Visibility-Aware Distributed Task Allocation. Sensors. 2026; 26(5):1458. https://doi.org/10.3390/s26051458
Chicago/Turabian StyleHu, Luolin, Fan Shi, Yi Shen, Chengxi Xu, Pengfei Xue, and Bingyang Guo. 2026. "VistaScan: Optimizing Internet-Wide Scanning Through Visibility-Aware Distributed Task Allocation" Sensors 26, no. 5: 1458. https://doi.org/10.3390/s26051458
APA StyleHu, L., Shi, F., Shen, Y., Xu, C., Xue, P., & Guo, B. (2026). VistaScan: Optimizing Internet-Wide Scanning Through Visibility-Aware Distributed Task Allocation. Sensors, 26(5), 1458. https://doi.org/10.3390/s26051458

