ZBanner: Fast Stateless Scanning Capable of Obtaining Responses over TCP

TL;DR

ZBanner is a novel stateless TCP scanner that significantly improves scan speed and reduces memory usage by simplifying TCP state management, enabling faster and more efficient large-scale network measurements.

Contribution

The paper introduces a new stateless scanning model that can establish TCP connections and gather responses without maintaining connection state, enhancing existing network scanning techniques.

Findings

ZBanner is at least three times faster than existing tools for generic ports.

It achieves over 90 times speedup for open ports.

ZBanner maintains minimal and stable memory usage during scans.

Abstract

Fast large-scale network scanning is an important way to understand internet service configurations and security in real time, among which stateless scan is representative. Existing stateless scanners can perform single-packet scans for internet-wide network measurements but are limited to host discovery or port scanning. To obtain further information over TCP, slower stateful scanners must be used in conjunction which spend more time and memory because of connection state maintenance. Through simplifying TCP finite state machine, this paper proposes a novel stateless scanning model, which can establish TCP connections and obtain further responses in a completely stateless manner. Based on this model, we implement ZBanner, an improved modular stateless scanner that utilizes user-defined probes for identifying services and versions, fingerprinting TLS servers, etc. We present unique design of ZBanner and experimentally characterize its feasibility and performance. Experiments show that ZBanner performs better than current state-of-the-art solutions in terms of scan rate and memory usage. ZBanner achieves at least three times faster than current tools for generic ports and over 90 times faster for open ports while keeping a minimum and stable memory usage.