XMap: Fast Internet-wide IPv4 and IPv6 Network Scanner

XMap is an open-source network scanner designed for performing fast Internet-wide IPv4 and IPv6 network research scanning. XMap was initially developed as the research artifact of a paper published at 2021 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ‘21) and then made available on GitHub. XMap is the first tool to support fast Internet-wide IPv6 network scanning in 2020. During the last five years, XMap has made substantial impact in academia, industry, and government. It has been referenced in 52 research papers (15 published at top-tier security venues and 11 in leading networking societies), received over 450 GitHub stars, featured in multiple news outlets, and deployed or recommended by international companies up to date. Additionally, XMap has contributed to the implementation of RFC documents and the discovery of various vulnerabilities. This paper provides fundamental details about XMap, its architecture, and its impact.

💡 Research Summary

XMap is an open‑source network scanner that extends the high‑speed capabilities of ZMap to both IPv4 and IPv6 address spaces, enabling full‑internet probing in a matter of minutes. The paper introduces the motivation behind IPv6 scanning—massive 128‑bit address space, growing deployment, and the inadequacy of existing tools—and presents XMap as the first scanner to support rapid, exhaustive IPv6 probing.
The architecture consists of six loosely coupled modules: system initialization, target space processing, address randomization generation, protocol scanning, packet sending/receiving, and result output. The address randomization module converts IPv4/IPv6 addresses into large integers using GMP and applies a permutation‑multiplication algorithm to produce a full‑coverage, uniformly distributed address sequence. This mitigates target overload and ensures unbiased sampling.
XMap employs asynchronous decoupling of packet transmission and reception, leveraging PF_RING (or equivalent high‑performance capture interfaces) to achieve line‑rate operation on 10 GbE links. It supports multiple probing modules—ICMP Echo, TCP SYN, UDP, and advanced DNS (including spoofed, stateful, and version‑fingerprinting scans)—and allows parallel probing of many ports. Users can define custom address ranges by combining a fixed prefix, a randomization segment, and a user‑defined identifier, making it possible to scan arbitrary IPv4 or IPv6 sub‑nets (e.g., 2001:db8::/32‑/64).
Performance experiments show that XMap can scan the entire 32‑bit IPv4 space in under 45 minutes and, with a 10 GbE interface and PF_RING, complete a full IPv4 or IPv6 scan in less than five minutes. The tool has been cited in 52 academic papers (including 15 in top security venues such as USENIX Security, IEEE S&P, and NDSS), contributed to RFC development, and been adopted by industry and government. The GitHub repository has over 450 stars, 74 forks, and a Docker image with nearly 600 downloads.
The authors emphasize XMap’s modularity, extensibility, and open‑source nature, noting ongoing maintenance (hundreds of commits, multiple releases) and future directions such as automated scan policy generation, mitigation of detection evasion, and extensions for cloud and IoT environments. Overall, XMap establishes a new baseline for fast, comprehensive Internet‑wide network measurement and security research across both IP versions.