
Mass Scanning Attacks: How to Survive Automated Reconnaissance

Connect a fresh, unpatched Windows server to the internet with a public IP address. Within five minutes, it will receive its first probe. Within fifteen minutes, automated bots will attempt brute-force logins. Within an hour, your machine will likely be conscripted into a botnet, all without any human attacker ever knowing you exist.

This is the reality of automated mass scanning attacks. Defenders often imagine being stalked by a sophisticated adversary. The truth is far more chaotic: you’re standing in a torrential rain of bullets fired by machines that don’t care who you are. Tools like ZMap and Masscan can scan all 4.3 billion IPv4 addresses in under 45 minutes. They aren’t looking for you specifically. They’re looking for anything that answers.

The goal of this guide is straightforward: understand how mass scanning works at a mechanical level, recognize the real-world damage it causes, and implement a technical blueprint to make your infrastructure invisible to automated reconnaissance.

How Mass Scanning Engines Find Their Targets

Modern internet scanning has become industrialized. What once required significant resources and weeks of patience now takes minutes and costs almost nothing.

Mass Scanning: The Digital Census

Technical Definition: Mass scanning is the automated process of sending high-speed connection requests (typically TCP SYN packets) to every possible IP address on the internet. The goal is to identify which hosts are online and which ports are accepting connections.

The Analogy: Picture a thief walking down an endless hotel corridor, methodically jiggling the handle of every single door. They don’t care who’s staying in room 4,217. They just want to know which doors are unlocked. That’s mass scanning. The scanner probes billions of “doors” looking for any that will open.

Under the Hood: Traditional scanners like Nmap are stateful: they track each connection attempt, waiting for responses. This is thorough but slow. Modern mass scanners like ZMap and Masscan are stateless, firing TCP SYN packets as fast as the network allows.

Scanner | Architecture | Speed (Packets/Second) | Full IPv4 Scan Time | Use Case
--- | --- | --- | --- | ---
Nmap | Stateful | ~1,000 | Weeks to months | Deep reconnaissance, service enumeration
ZMap | Stateless | 1.4 million | 44 minutes (1 Gbps) | Internet-wide research, vulnerability discovery
Masscan | Stateless | 10 million+ | Under 6 minutes | Aggressive reconnaissance, botnet building

The stateless design fires packets without waiting for traditional three-way handshakes. A separate listener catches responses. ZMap uses cyclic multiplicative groups to iterate through IP addresses pseudorandomly, preventing accidental subnet concentration. A single machine with a 10-gigabit connection can complete an internet-wide scan in under five minutes.

Banner Grabbing: The Identification Phase

Technical Definition: Once a scanner identifies an open port, the next step is banner grabbing: reading the “welcome message” that many services automatically send to new connections. This reveals what software is running and, critically, what version.

The Analogy: The thief has found an unlocked door and pushed it open. Now they’re reading the nameplate on the desk to determine if this office belongs to someone worth robbing. A banner that reveals “Apache 2.4.49” tells the attacker exactly which vulnerabilities to try.

Under the Hood: Banner grabbing exploits how network protocols announce themselves. SSH servers send SSH-2.0-OpenSSH_8.2p1. HTTP servers include Server: headers revealing exact software versions.

Service | Default Port | Typical Banner Content | Exploitation Value
--- | --- | --- | ---
SSH | 22 | OpenSSH version, protocol version | CVE database matching
HTTP | 80/443 | Web server software, version | Exploit kit targeting
FTP | 21 | Server software, sometimes OS hints | Legacy vulnerability exploitation
SMTP | 25 | Mail server version, hostname | Spam relay abuse, credential attacks
MySQL | 3306 | Version string, connection parameters | Database exploitation

Attackers maintain automated pipelines correlating version strings against CVE databases. If your server broadcasts a version with known vulnerabilities, attacks begin within seconds.

Internet Background Radiation: The Noise Floor

Technical Definition: Internet background radiation refers to the constant, omnidirectional traffic that hits every public IP address regardless of whether it hosts any services. This includes misconfigured devices, legacy worms still propagating, researcher scans, and botnet recruitment attempts.

The Analogy: Think of static on an old AM radio. That hiss is always present: annoying, persistent, occasionally hiding real signals. Every public IP receives this digital static continuously.

Under the Hood: GreyNoise Intelligence operates nearly 4,000 sensors across 200+ countries, tracking background radiation in real time. Their 2025 Mass Internet Exploitation Report documents relentless automation and rapid weaponization of new vulnerabilities.

Metric | 2024 Finding | Implication
--- | --- | ---
Exploitation speed | Within hours of CVE disclosure | Patching windows have collapsed
Legacy CVE targeting | 40% of exploited CVEs were 4+ years old | Old vulnerabilities never die
New vulnerability tags created | 573 tags covering 394 CVEs | Attack surface constantly expanding
Global sensor coverage | 4,000 sensors in 200+ countries | Comprehensive visibility into scanning patterns

This background noise actively degrades your security posture. Every public IP receives several gigabytes of junk traffic annually.

The 2025-2026 Threat Landscape: What’s Changed

The mass scanning ecosystem continues evolving. Understanding current trends helps you anticipate where attackers focus their automated reconnaissance.

AI-Enhanced Scanning Operations

Threat actors integrate large language models into reconnaissance pipelines. While scanning mechanics remain identical, AI assists with banner analysis, vulnerability correlation, and exploit selection. GreyNoise observed patterns suggesting LLM-aided evasion techniques in cryptomining campaigns targeting PHP applications.

The IPv6 Reconnaissance Challenge

IPv6’s massive address space (340 undecillion addresses) makes traditional mass scanning impractical. However, attackers harvest IPv6 addresses from DNS records, certificate transparency logs, and HTTP headers. “Security through obscurity” assumptions are proving ineffective.

Coordinated Botnet Surges

GreyNoise tracked a late 2025 coordinated botnet operation involving over 100,000 unique IPs from more than 100 countries targeting U.S. RDP services. These synchronized campaigns overwhelm detection systems.

Pro-Tip: Configure your SIEM to correlate scanning activity across multiple ports. When the same source IP probes SSH, RDP, and VNC within a short window, it indicates automated reconnaissance rather than legitimate traffic.
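To show the correlation this tip describes in working form, here is an added example (not code from the original article): a small Python detector that parses constructed iptables LOG lines and flags any source that probes three or more distinct remote-access ports within a five-minute sliding window. The log format, addresses, port list and thresholds are assumptions you would tune to your own SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of iptables LOG output (not real traffic): 198.51.100.7
# sweeps SSH, RDP and VNC within seconds; 192.0.2.44 only retries SSH;
# 203.0.113.99 touches three ports but spread over an hour.
SAMPLE_LOG = """\
Jan 12 10:00:01 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=22 SYN
Jan 12 10:00:03 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41235 DPT=3389 SYN
Jan 12 10:00:09 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=41236 DPT=5900 SYN
Jan 12 10:00:15 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=22 SYN
Jan 12 10:00:20 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=50002 DPT=22 SYN
Jan 12 10:01:00 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=6000 DPT=22 SYN
Jan 12 10:30:00 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=6001 DPT=3389 SYN
Jan 12 11:00:00 gw kernel: [INPUT-DROP] IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=6002 DPT=5900 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Remote-access ports; one source hitting several of them is automated recon
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5985: "WinRM"}


def parse_events(text, year=2026):
    """Turn syslog-style firewall lines into (timestamp, src_ip, dst_port)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without SRC/DPT are not firewall drops
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return sorted(events)


def find_multiport_scanners(events, window_sec=300, min_ports=3):
    """Return {src_ip: sorted ports} for every source that probes at least
    min_ports distinct admin ports inside some window_sec-second window."""
    per_src = defaultdict(list)
    for ts, src, dpt in events:
        if dpt in ADMIN_PORTS:
            per_src[src].append((ts, dpt))
    flagged = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):  # sliding window over time-ordered hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_sec:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_multiport_scanners(parse_events(SAMPLE_LOG)).items():
        names = ", ".join(ADMIN_PORTS[p] for p in ports)
        print(f"{src}: probed {names} within 5 minutes -> automated reconnaissance")
```

The same logic runs unchanged over real iptables LOG output from journalctl or /var/log/kern.log; only the source that hits several admin ports in quick succession is flagged, while a single-port brute-forcer and a slow, spread-out source are not.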

The Victim’s Perspective: Real-World Pain Points

Mass scanning creates immediate operational problems for every organization with an internet presence.

Log File Bloat and Alert Fatigue

A single public SSH server receives thousands of daily authentication attempts. /var/log/auth.log fills with failed logins. Security teams face floods of alerts, most representing automated botnet traffic rather than targeted attacks. Signal-to-noise ratios deteriorate until genuine threats become invisible.

GreyNoise’s 2025 report documented over 40 million unique IPs engaged in mass scanning. These aren’t attackers—they’re compromised home routers, IoT cameras, and poorly secured servers unwittingly participating in reconnaissance campaigns.

Botnet Recruitment: From Victim to Accomplice

Within hours of exposing a vulnerable service, automated exploitation begins. Compromised systems become nodes in the botnet that attacked them, creating a self-reinforcing cycle.

The Mirai botnet demonstrated this model devastatingly in 2016, compromising over 600,000 IoT devices and launching DDoS attacks exceeding 1 Tbps. Mirai variants remain active today, continuously scanning for default credentials.

Ransomware Delivery: The Final Stage

Mass scanning serves as initial reconnaissance for ransomware operators. They scan for services with known vulnerabilities, particularly RDP servers and outdated VPN appliances. Successful compromises provide footholds for lateral movement and ransomware deployment.

The 2021 Kaseya VSA attack began with mass scanning for vulnerable management servers. Once breached, attackers deployed REvil ransomware to approximately 1,500 downstream businesses. Economic impact exceeded $70 million.

Defense Layer 1: Network Segmentation and Port Obfuscation

You cannot eliminate scanning traffic. Your goal is making infrastructure uninteresting to automated reconnaissance while maintaining operational capabilities.

Non-Standard Port Deployment

Technical Definition: Port obfuscation relocates services from default ports to high-numbered alternatives. This provides zero protection against targeted attackers running full port scans but eliminates the vast majority of automated attacks.

Under the Hood: Most botnet scanning targets default ports exclusively. Moving SSH from port 22 to port 49122 reduces brute-force attempts by 95-99%. Logs become dramatically cleaner, letting security teams focus on the remaining 1-5% representing misconfiguration or actual targeted reconnaissance.

Service | Default Port | Recommended Alternative | Expected Traffic Reduction
--- | --- | --- | ---
SSH | 22 | 49122 (random high port) | 95-99%
RDP | 3389 | 51893 (random high port) | 90-95%
HTTP Admin | 8080 | 53728 (random high port) | 85-90%
Database | 3306/5432 | Behind firewall only | 100%

Configuration Example (Ubuntu/Debian SSH):

# Change the SSH daemon's listening port (sed rewrites the commented default in place)
sudo sed -i 's/^#\?Port 22$/Port 49122/' /etc/ssh/sshd_config

# Check that the configuration parses before restarting; a typo here locks you out
sudo sshd -t

# Open the new port first, then restart the daemon, then close the old port
sudo ufw allow 49122/tcp
sudo systemctl restart sshd
# On Ubuntu 22.10 or later the daemon is socket-activated, so also run:
# sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
sudo ufw delete allow 22/tcp

Critical Warning: Before disconnecting from your SSH session, verify you can connect via the new port in a second terminal.

Single Packet Authorization (SPA)

Technical Definition: SPA is a next-generation port knocking implementation where clients send a cryptographically signed packet to a server, which then dynamically opens firewall rules to allow that specific client IP address to connect. All ports remain completely closed to scanning traffic.

The Analogy: Imagine a bank vault that only becomes visible after you speak a secret passphrase. Until then, it appears to be a solid wall. That’s SPA: services are invisible until you authenticate.

Under the Hood: The fwknop implementation authenticates each packet with an HMAC and defeats replay attacks with a digest cache of packets it has already accepted, combined with a timestamp check. Your client sends an encrypted authorization packet containing your IP, timestamp, and requested service. The server’s passive authorization daemon (fwknopd) sniffs for these packets without binding to any port. Upon validation, it uses iptables to create a temporary rule allowing your IP to access the specified port.


Implementation Example:

# Install fwknop (server and client packages)
sudo apt install fwknop-server fwknop-client

# Generate a Rijndael key and an HMAC key and save a client stanza named after the
# server in ~/.fwknoprc; -R resolves your public IP, --access is the port you want
fwknop --destination your.server.com --access tcp/22 -R --key-gen --use-hmac --save-rc-stanza

# Copy the printed KEY_BASE64 and HMAC_KEY_BASE64 values into the server's
# /etc/fwknop/access.conf, then enable and start the daemon
sudo systemctl enable --now fwknop-server

# Client usage: send the SPA packet using the saved stanza, then connect
fwknop -n your.server.com
ssh -p 22 your.server.com

The server’s firewall drops all SSH attempts by default. Only after receiving a valid SPA packet does it temporarily allow your IP. From a scanner’s perspective, port 22 appears completely closed.
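As an added illustration of the SPA flow (neither fwknop's code nor its wire format), the following Python model shows both sides of the exchange: the client builds an HMAC-tagged authorization packet, and the server verifies the tag in constant time, rejects stale and replayed packets, and records a temporary allow rule that expires. The key, time window, rule lifetime and addresses are constructed values, and the rule table stands in for the iptables rule fwknopd would insert.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; a real deployment uses the per-client HMAC key from access.conf
HMAC_KEY = b"demo-hmac-key-not-for-production"
WINDOW_SEC = 60     # reject packets whose timestamp is further than this from now
RULE_TTL_SEC = 30   # lifetime of the temporary allow rule


def build_spa_packet(client_ip, port, hmac_key=HMAC_KEY, now=None):
    """Client side: serialize the access request and append a SHA-256 HMAC."""
    body = json.dumps({
        "ip": client_ip,
        "port": port,
        "ts": int(now if now is not None else time.time()),
        "nonce": base64.b64encode(os.urandom(12)).decode(),  # every packet is unique
    }, sort_keys=True).encode()
    tag = hmac.new(hmac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


class SpaServer:
    """Server side: validate packets, cache digests to defeat replay,
    and keep temporary allow rules (standing in for iptables)."""

    def __init__(self, hmac_key=HMAC_KEY):
        self.hmac_key = hmac_key
        self.seen = set()   # digests of packets already accepted
        self.rules = {}     # (ip, port) -> expiry epoch seconds

    def handle(self, packet_b64, now=None):
        now = now if now is not None else time.time()
        raw = base64.b64decode(packet_b64)
        body, tag = raw[:-32], raw[-32:]
        # Authenticate before parsing anything, and compare in constant time
        expected = hmac.new(self.hmac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad hmac"
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return "reject: replay"
        req = json.loads(body)
        if abs(now - req["ts"]) > WINDOW_SEC:
            return "reject: stale timestamp"
        self.seen.add(digest)
        self.rules[(req["ip"], req["port"])] = now + RULE_TTL_SEC
        return "accept"

    def is_allowed(self, ip, port, now=None):
        """Would the firewall currently let ip reach port? (rule present and unexpired)"""
        now = now if now is not None else time.time()
        expiry = self.rules.get((ip, port))
        return expiry is not None and now < expiry
```

A captured packet fails on the digest cache, a delayed one fails the timestamp window, and a forged one fails the HMAC, which is why a scanner sees nothing to talk to and a replayed packet opens nothing.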

Network Perimeter Hardening

Deploy strict egress filtering alongside ingress controls. If an attacker compromises a system, egress filtering limits command-and-control communication and data exfiltration.

Firewall Rule Type | Purpose | Implementation
--- | --- | ---
Default Deny Inbound | Block all unsolicited incoming connections | iptables -P INPUT DROP
Whitelist Ingress | Allow only specific, necessary services | iptables -A INPUT -p tcp --dport 49122 -j ACCEPT
Default Deny Outbound | Prevent compromised systems from phoning home | iptables -P OUTPUT DROP
Whitelist Egress | Allow only approved external connections | iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

Many organizations focus exclusively on inbound traffic while allowing unrestricted outbound connections. Compromised internal systems can then communicate with command-and-control servers, exfiltrate data, or participate in DDoS attacks. One caveat when applying the default-deny policies above: add a rule accepting ESTABLISHED,RELATED traffic (iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT, and the same for OUTPUT) before switching the policies to DROP, or replies to the connections you do allow will be discarded.

Defense Layer 2: Active Deception and Intelligence

Beyond hiding infrastructure, you can actively track and classify scanning traffic to distinguish background noise from targeted reconnaissance.

Honeypot Deployment

Technical Definition: A honeypot is an intentionally vulnerable system deployed to attract and monitor attacker activity. It serves no legitimate production purpose; any connection attempt is, by definition, suspicious.

The Analogy: Police sometimes leave a bait car in high-crime areas: an unlocked vehicle with keys in the ignition. Anyone who tries stealing it is immediately identified as criminal. A honeypot works identically.

Under the Hood: Low-interaction honeypots like Cowrie emulate vulnerable SSH and Telnet services, logging connection attempts, commands executed, and malware downloaded. They consume minimal resources while generating high-value intelligence.

Quick Cowrie Honeypot Setup:

# Install build dependencies and clone Cowrie (run the honeypot as a dedicated
# unprivileged user, never as root)
sudo apt install git python3-venv libssl-dev libffi-dev build-essential python3-dev
git clone https://github.com/cowrie/cowrie.git
cd cowrie

# Set up an isolated Python environment
python3 -m venv cowrie-env
source cowrie-env/bin/activate
pip install --upgrade pip
pip install -r requirements.txt

# Configure and start; the default config listens for SSH on port 2222
cp etc/cowrie.cfg.dist etc/cowrie.cfg
bin/cowrie start

# Redirect real port 22 to the honeypot (move the real sshd to another port first)
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Within hours, you’ll observe brute-force attempts with credential lists from data breaches. You’ll see attackers downloading cryptocurrency miners, DDoS tools, and reconnaissance scripts. This intelligence reveals real-world attack patterns.

Threat Intelligence Integration: GreyNoise

Technical Definition: GreyNoise is a threat intelligence platform cataloging IPs engaged in mass internet scanning. Integration automatically classifies and suppresses alerts from known scanner traffic, dramatically improving SIEM signal-to-noise ratios.

Under the Hood: GreyNoise’s API provides real-time classifications: is this IP a known scanner, a benign researcher like Shodan, or unclassified (potentially a targeted attack)? Their 2025 report tracked over 6,000 unique actor tags.

Integration Example (Python):

import os
import requests

COMMUNITY_URL = "https://api.greynoise.io/v3/community/{ip}"


def check_greynoise(ip_address, api_key=None, timeout=5):
    """Classify one IP with the GreyNoise Community API and return a triage verdict."""
    # Read the key from the environment instead of hard-coding it in the script
    api_key = api_key or os.environ["GREYNOISE_API_KEY"]
    response = requests.get(
        COMMUNITY_URL.format(ip=ip_address),
        headers={"key": api_key, "Accept": "application/json"},
        timeout=timeout,  # a hung lookup must not stall the SIEM pipeline
    )
    # 404 is the API's answer for an IP it has never observed; other errors surface
    if response.status_code != 404:
        response.raise_for_status()
    data = response.json()

    if data.get("noise"):
        return "Known scanner - suppress alert"
    elif data.get("riot"):
        return "Benign service - suppress"
    else:
        return "Unknown - investigate immediately"

This script queries GreyNoise for each SIEM alert. Known mass scanners get automatically suppressed. Unclassified IPs escalate for human investigation.

Community-Based Blocking: CrowdSec

Technical Definition: CrowdSec is a collaborative security engine where users share threat intelligence about IPs actively attacking their infrastructure. When your server detects malicious behavior, it reports the offending IP. Other users automatically block that IP, creating a distributed immune system.

The Analogy: If a pickpocket operates in a city where every victim immediately texts a description to everyone else, that criminal can’t victimize anyone twice. CrowdSec works the same way: once an IP attacks anyone in the network, everyone blocks it.

Under the Hood: CrowdSec analyzes server logs, detecting patterns like brute-force attempts, port scans, and web attacks. When it identifies malicious behavior, it adds the offending IP to a local blocklist and reports it to the community database. Your server automatically downloads blocklists contributed by other users.

Installation and Configuration:

# Install CrowdSec and firewall bouncer
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec crowdsec-firewall-bouncer-iptables

# Install collections for common services
sudo cscli collections install crowdsecurity/linux crowdsecurity/sshd crowdsecurity/nginx

# Enroll in community blocklist
sudo cscli console enroll [your_enrollment_key]

# View current blocks
sudo cscli decisions list

CrowdSec’s distributed approach means you benefit from attacks against other organizations. An IP conducting brute-force attacks elsewhere gets blocked on your infrastructure before reaching you.

Defense Layer 3: Cloud-Based Filtering and CDN Protection

For public-facing services that must remain accessible, cloud providers offer infrastructure-scale filtering individual organizations cannot match.

Cloudflare DDoS Protection

Technical Definition: Cloudflare operates a globally distributed network handling over 46 million HTTP requests per second. When you proxy services through Cloudflare, scanning traffic hits their infrastructure first. Their edge network filters malicious requests before they reach your origin server.

Under the Hood: Cloudflare’s network spans over 330 cities worldwide. Each data center maintains real-time threat intelligence about scanning campaigns and attack patterns. When mass scanning targets your domain, Cloudflare absorbs traffic at the edge, presenting CAPTCHAs to suspicious sources while allowing legitimate traffic through.

Protection Layer | Mechanism | Benefit
--- | --- | ---
IP Reputation | Block known malicious IPs at edge | Prevent scanning bots from ever reaching origin
Rate Limiting | Throttle aggressive scanning | Protect against reconnaissance and brute-force
WAF Rules | Filter exploit attempts | Stop automated exploitation of web vulnerabilities
Challenge Pages | Present CAPTCHA to suspicious traffic | Distinguish bots from legitimate users

Your origin server’s actual IP address stays hidden only if the origin accepts connections solely from Cloudflare’s published IP ranges (or is otherwise unreachable directly). With that in place, attackers scanning the IP space discover only Cloudflare’s infrastructure, not your servers.

AWS Shield and Network Firewall

AWS Shield Standard provides automatic DDoS protection for all AWS customers at no additional cost. Shield Advanced offers enhanced protection with attack forensics and cost guarantees.

AWS Network Firewall deploys stateful firewall rules at VPC boundaries, filtering traffic before it reaches individual instances:

This configuration blocks all inbound RDP traffic at the network perimeter, preventing scanning bots from reaching your EC2 instances.

Operational Intelligence: Know What You Look Like

You need continuous external visibility into your attack surface. What do scanning bots see when they probe your infrastructure?

Shodan Reconnaissance

Technical Definition: Shodan is a search engine for internet-connected devices. Unlike Google, which indexes web content, Shodan indexes services themselves: banners, certificates, and metadata exposed by every public IP.

Under the Hood: Shodan continuously scans the entire IPv4 space, cataloging every open port and service banner. You can search your organization’s IP ranges to see exactly what attackers see.

Critical Queries for Your Infrastructure:

net:203.0.113.0/24                    # All services in your IP range
product:MySQL net:203.0.113.0/24      # Exposed databases
apache 2.4.49 org:"Your Organization" # Outdated web servers
"default password" net:203.0.113.0/24 # Default credentials

If Shodan returns exposed databases, administrative interfaces, or outdated software, attackers see the exact same results. Shodan merely makes visible what already exists in the public scanning ecosystem.

Pro-Tip: Set up Shodan Monitor alerts for your IP ranges. You’ll receive notifications whenever Shodan discovers new services, catching Shadow IT deployments before attackers do.

Internal Visibility Commands

# Find TCP services listening on non-loopback addresses (ss replaces the deprecated netstat)
sudo ss -tlnp | grep -vE '127\.0\.0\.1|\[::1\]' | grep LISTEN

# Check for exposed databases (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
sudo ss -tln | grep -E ':(3306|5432|27017|6379|9200) ' | grep LISTEN

# Audit overly permissive firewall rules
sudo iptables -L -n -v | grep -E "ACCEPT.*0.0.0.0/0"

Network flow monitoring reveals communication patterns indicating compromise. Servers connecting to unusual destinations, especially IRC ports or known command-and-control infrastructure, warrant immediate investigation.

Workflow Optimization: Solving Common Pain Points

Problem | Root Cause | The Fix
--- | --- | ---
Server sluggishness during scan waves | High volume of SYN packets consuming connection table | Configure firewall to drop invalid packets at the kernel level using SYN cookies
Log storage filling rapidly | Brute-force bots generating thousands of entries | Switch to SSH key-only authentication; disable password auth entirely
Shadow IT data exposure | Developer test databases indexed by Shodan | Deploy automated asset discovery scripts checking for services on 0.0.0.0
Alert fatigue from scanning noise | Too many events requiring human review | Integrate GreyNoise to automatically classify and suppress known scanner traffic

Legal Boundaries and Ethical Considerations

Port scanning is generally legal in most jurisdictions. It’s analogous to knocking on someone’s door. Checking whether a service is present doesn’t constitute unauthorized access. However, some ISPs prohibit scanning in their terms of service.

Do not retaliate. Most scanning IPs are compromised devices: home routers and IoT cameras whose owners don’t know they’re participating in attacks. Attacking those IPs makes you the criminal.

Research scanning requires disclosure. If you operate legitimate security research scans, register a domain with a clear opt-out mechanism, provide abuse contact information, and respond promptly to complaints.

Conclusion: Silence Is Security

You cannot stop automated mass scanning attacks. They are a fundamental characteristic of the modern internet, as inevitable as weather. Every public IP will receive probe traffic continuously, forever.

The strategic objective isn’t fighting every packet. It’s making infrastructure invisible to automated reconnaissance while preserving your ability to detect and respond to targeted attacks. Relocate services to non-default ports. Implement SPA or port knocking. Deploy community-based threat intelligence. Use cloud providers as your frontline filter.

When scanning bots sweep across the IPv4 address space (all 4.3 billion addresses in six minutes), they should find nothing at your location. No open ports. No service banners. No indication that anything valuable exists at your IP range. You become dark, indistinguishable from empty addresses around you.

Take action today: Go to Shodan.io. Enter your organization’s IP addresses. If you see exposed services, the scanning bots saw those same results weeks ago. Close the ports. Disappear from the census.

Frequently Asked Questions (FAQ)

Is it illegal to scan the entire internet?

Port scanning itself is generally legal in most jurisdictions because it’s like checking if a door is locked rather than opening it. However, exploiting vulnerabilities crosses into unauthorized access. Some ISPs prohibit scanning in their acceptable use policies, and aggressive scanning can trigger civil liability if it disrupts services.

How quickly can modern tools scan all IPv4 addresses?

Using Masscan on a 10-gigabit connection, the entire IPv4 address space (approximately 4.3 billion addresses) can theoretically be scanned in under 6 minutes. Practical speeds are typically 45-60 minutes to avoid triggering upstream network congestion.

Does changing my SSH port actually improve security?

Yes, but not against targeted attackers. Moving SSH from port 22 to a high random port provides zero protection against someone who runs a full port scan. However, it eliminates 95-99% of automated brute-force attempts from bots that only probe default ports. The real benefit is operational: dramatically cleaner logs and improved ability to detect actual targeted attacks.

What distinguishes Shodan from a malicious botnet?

Shodan is a search engine for security researchers that scans politely, respects opt-out requests, and provides legitimate defensive value. Botnets like Mirai scan aggressively to compromise devices, install malware, and launch DDoS attacks.

What exactly is internet background radiation?

Internet background radiation is the constant stream of unsolicited network traffic that hits every public IP address. This includes probes from academic researchers, commercial scanners like Shodan and Censys, legacy worms still propagating, and botnets recruiting new members.

How do I know if I’m being targeted versus randomly scanned?

Compare the scanning IP against threat intelligence databases like GreyNoise. If the IP is hitting thousands of other organizations simultaneously, it’s automated mass scanning. If the IP appears only in your logs and isn’t part of known scanning campaigns, investigate further.
