Cyber Pulse Academy

MITRE ATT&CK, Reconnaissance, T1595.001

Scanning IP Blocks

Adversaries systematically scan entire IP ranges allocated to target organizations, probing every address to discover active hosts, open services, and network architecture — building a complete map before striking.

ip_block_scanner v3.7.2, live simulation (interactive widget; static summary only)
Target: 203.0.113.0/24
Method: SYN scan
Ports: 22, 80, 443, 3389
Attacker 198.51.100.1 sweeps the target block row by row; the widget counts IPs scanned, hosts discovered and open ports found.

Why IP Block Scanning Matters

Understanding the scale and impact of systematic IP reconnaissance in today's threat landscape.

  • 2,200+: Cyberattacks occur daily worldwide, with IP reconnaissance serving as the initial phase for a significant portion of these incursions. Source: deepstrike.io
  • ~70%: Surge in Russian cyberattacks on Ukraine in 2024, with 4,315 incidents targeting critical infrastructure. IP block scanning enabled target discovery at scale. Source: csis.org
  • 1000s: Thousands of IPs observed conducting widespread internet scanning according to GreyNoise's 2025 Mass Internet Exploitation Report, demonstrating how attackers scale operations. Source: greynoise.io
  • <6 min: Time required to scan the entire IPv4 internet with tools like Masscan. Adversaries can enumerate every publicly accessible service globally in minutes, not hours.

The Reality of IP Block Scanning

Scanning IP Blocks is one of the most fundamental and pervasive techniques in the adversary playbook. Adversaries systematically scan entire IP ranges allocated to organizations by Regional Internet Registries (RIRs) such as ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC. Because public IP addresses are allocated in contiguous blocks, attackers can efficiently target every address within an organization's assigned range, discovering which hosts are live, what services are exposed, and how the network topology is structured. This reconnaissance phase provides the critical intelligence needed for subsequent exploitation, lateral movement, and data exfiltration operations.

The technique is particularly dangerous because it operates at scale. Modern scanning tools can probe millions of IP addresses per second, and the entire IPv4 address space can be mapped in under six minutes using Masscan. Organizations that fail to monitor for scanning activity against their IP blocks are effectively operating blind, leaving their external attack surface wide open to discovery by threat actors ranging from opportunistic script kiddies to sophisticated nation-state groups. According to the CISA Federal Government Cybersecurity Incident Response Playbooks, proactive monitoring and rapid detection of reconnaissance activities are essential components of a robust defensive posture.


Key Terms & Concepts

Core terminology and intuitive explanations to understand IP block scanning at every level.

Simple Definition

Scanning IP Blocks is a reconnaissance technique where adversaries methodically probe entire ranges of IP addresses allocated to a target organization by Regional Internet Registries (RIRs) like ARIN (American Registry for Internet Numbers), RIPE NCC (Europe, Middle East, Central Asia), APNIC (Asia-Pacific), and others. The attacker sends crafted packets (typically ICMP echo requests, TCP SYN probes, or UDP datagrams) to each IP address within the allocated block to determine which addresses are actively responding. For each live host discovered, they further enumerate open ports, running services, software versions, and operating system fingerprints. This comprehensive mapping reveals the organization's external attack surface, identifies vulnerable services, and informs the attacker's strategy for subsequent exploitation stages. The technique leverages the fact that IP allocations are public information, obtainable through WHOIS databases and BGP routing tables, making target identification straightforward.

Everyday Analogy

Think of it like a robber driving down every single street in a neighborhood, methodically taking note of which houses have lights on, what kind of security system signs are posted in the front yard, whether doors or windows appear accessible, and what types of vehicles are parked in the driveways. They're not breaking in yet — they're creating a complete, detailed map of the entire neighborhood before choosing which specific houses to target. In cybersecurity terms, the "neighborhood" is your organization's public IP block, the "houses with lights on" are your active hosts, the "security system signs" are your visible security controls, and the "accessible doors and windows" are your exposed services and open ports. Just as a burglar can quietly surveil dozens of properties in a single evening, an automated scanner can probe thousands of IP addresses in seconds, building an intelligence dossier that guides every subsequent attack decision.


Real-World Scenario

How IP block scanning led to a devastating breach — and how one team fought back.

☆ Marcus Rivera, SOC Team Lead, FinServ Global
⚠ Before: The Breach

A Silent Invasion Through Unmonitored IP Space

FinServ Global, a mid-sized financial services firm managing assets for over 45,000 clients, operated a block of 256 public IP addresses across their corporate headquarters and two data center locations. Despite handling sensitive financial data subject to regulatory compliance requirements, the organization had no dedicated monitoring for scanning activity against their public IP ranges. Their border firewall logged connection attempts, but nobody was reviewing the logs, and no automated alerting was configured for reconnaissance patterns.


Over the course of approximately two weeks, a sophisticated nation-state-linked threat group (attributed to APT29) systematically scanned FinServ's entire public IP block using a distributed network of compromised hosts across multiple countries. The scanning was deliberately slow and randomized to avoid triggering rate-based detection mechanisms — probing only a handful of IPs per hour from different source addresses. By the end of the reconnaissance phase, the attackers had built a comprehensive map of FinServ's external infrastructure, identifying an exposed Remote Desktop Protocol (RDP) server on port 3389 that was accessible without VPN protection.


The attackers exploited a then-unpatched BlueKeep vulnerability (CVE-2019-0708) on the exposed RDP server to gain initial access, then moved laterally through the internal network using harvested credentials from a poorly secured domain controller. Within 72 hours of the initial compromise, the attackers had exfiltrated customer financial records, Social Security numbers, account balances, and transaction histories for all 45,000 clients. The breach resulted in $12.7 million in direct costs, $28 million in regulatory fines, and an incalculable loss of customer trust that took years to rebuild.

✓ After: The Transformation

Building a Proactive Defense with IP Block Monitoring

Following the breach, Marcus Rivera, who had recently been promoted to SOC Team Lead, spearheaded a comprehensive overhaul of FinServ's external monitoring capabilities. He implemented a multi-layered defense strategy specifically designed to detect and respond to IP block scanning activity. First, he deployed GreyNoise integration across all border firewall and IDS sensors, enabling the SOC to distinguish between targeted scanning against FinServ's IPs and background internet noise. This dramatically reduced alert fatigue while ensuring genuine reconnaissance attempts were flagged immediately.


Marcus then implemented port knocking sequences on all critical services including RDP, SSH, and database management interfaces, ensuring these services were invisible to automated scanners. He deployed geo-blocking rules restricting administrative access to known geographic locations and implemented strict rate limiting — allowing no more than 3 connection attempts per minute from any single IP address on non-standard ports. He also established a darknet monitoring capability by placing passive sensors on 16 previously unused IP addresses within FinServ's allocation, ensuring that any probe against these "dark" addresses would generate an immediate alert since legitimate traffic should never target them.


Within six months of implementation, FinServ's SOC was detecting 99% of IP block scanning activity within the first 100 probes against their network. They blocked over 14,000 unique scanning IPs and prevented multiple attempted intrusions, including one attributed to the same APT group that had breached them previously. Marcus's approach became a model for the broader financial services industry and was featured in multiple industry conferences as a best-practice case study for external attack surface management.


Step-by-Step Protection Guide

Seven actionable steps to defend your organization against IP block scanning.

  1. Inventory All Public IP Assets

    • Conduct a comprehensive audit of all public IP addresses assigned to your organization through WHOIS lookups, RIR portals (ARIN, RIPE NCC, APNIC), and BGP routing table analysis. Many organizations have "orphaned" IP ranges they've forgotten about, which become unmonitored entry points for attackers.
    • Map each public IP to its responsible business unit, geographic location, and purpose (web server, mail server, VPN concentrator, etc.). Maintain this inventory in a Configuration Management Database (CMDB) and review it quarterly to catch allocation changes.
    • Use cloud provider APIs (AWS, Azure, GCP) to automatically discover and track all cloud-assigned public IP addresses including elastic IPs, load balancer frontends, and ephemeral addresses that may be created and destroyed dynamically.
  2. Implement Network Address Translation (NAT) Properly

    • Minimize the number of publicly routable IP addresses by implementing outbound NAT for all internal systems that don't require direct public accessibility. This reduces your visible attack surface and ensures only intentionally exposed services are reachable from the internet.
    • Deploy NAT gateway logging to monitor all outbound connections, enabling detection of compromised internal hosts attempting to communicate with known malicious IPs or unusual destinations that may indicate data exfiltration.
  3. Deploy Darknet/Dark IP Monitoring

    • Allocate unused IP addresses within your public ranges as "darknets" — addresses that should never receive legitimate traffic. Place passive sensors on these addresses so that any incoming connection attempt (scan, probe, or misconfiguration) generates an immediate, high-priority alert.
    • Integrate darknet telemetry with your SIEM and correlate alerts with threat intelligence feeds. Scanning activity against dark IP space is almost always malicious and provides early warning of reconnaissance targeting your organization.
    • Consider using dedicated darknet monitoring services like Team Cymru's Darknet, or set up your own using tools like a passive network sensor running on a system with no active services listening on the monitored addresses.
  4. Configure Border Router Protections

    • Implement rate limiting and connection throttling on border routers and firewalls to slow down scanning activity. Configure ACLs to drop packets from known-bogon IP ranges, unallocated address space, and IP addresses with no legitimate business need to contact your infrastructure.
    • Enable TCP SYN cookies and implement SYN flood protection to mitigate scanning tools that use raw SYN packets. Configure ingress filtering (BCP38/RFC 2827) to prevent IP spoofing and ensure packets arriving at your network genuinely originate from their claimed source addresses.
  5. Use Threat Intelligence for IP Reputation

    • Integrate commercial and open-source threat intelligence feeds (GreyNoise, VirusTotal, AlienVault OTX, AbuseIPDB) into your border firewalls and IDS/IPS systems to automatically block or flag IP addresses known for scanning activity, botnet participation, or prior malicious behavior.
    • Subscribe to your RIR's announcement mailing lists to receive notifications about changes to your IP allocations and ensure your monitoring covers all assigned space. Participate in industry information sharing organizations (ISACs) to receive sector-specific threat intelligence about active scanning campaigns.
  6. Implement Port Knocking on Critical Services

    • Deploy port knocking sequences on administrative interfaces (SSH, RDP, database management ports) so these services are completely invisible to automated scanners. The service only opens after a client sends the correct sequence of connection attempts to predefined "knock" ports in the right order.
    • Combine port knocking with IP whitelisting and MFA for defense-in-depth. Ensure that even if the knock sequence is discovered, access still requires authentication from an approved source IP address and multi-factor verification.
  7. Regular External Attack Surface Assessments

    • Conduct periodic external penetration tests and attack surface assessments to view your infrastructure from the attacker's perspective. Use the same tools adversaries use (Nmap, Masscan, Shodan, Censys) against your own IP ranges to discover exposed services before malicious actors do.
    • Automate continuous external attack surface monitoring using platforms like Rapid7 InsightVM, CrowdStrike Falcon Surface, or CyCognito that continuously scan your public IP ranges and alert on new exposures, certificate changes, and shadow IT discoveries.
    • Establish a remediation SLA for newly discovered exposures based on risk severity: critical vulnerabilities within 24 hours, high within 72 hours, medium within 2 weeks, and low within 30 days. Track and report on remediation metrics to leadership.
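As an added example (not code from the Cyber Pulse Academy page), the darknet tripwire from step 3 and the per-source rate check from step 4 written as detection logic over border firewall logs. The log line format, the 203.0.113.240/28 darknet range, the set of "standard" ports and the three-attempts-per-minute threshold are assumptions, and the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

ALLOCATION = ipaddress.ip_network("203.0.113.0/24")   # the organization's RIR-assigned block
DARKNET = ipaddress.ip_network("203.0.113.240/28")    # 16 unused addresses kept dark (assumed)
STANDARD_PORTS = {80, 443}     # ports where bursts from one client are normal (assumed)
RATE_LIMIT = 3                 # max attempts per source per window on other ports
WINDOW_SECONDS = 60

# Constructed firewall log lines: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 203.0.113.10 443 ACCEPT
2024-05-01T10:00:05Z 198.51.100.7 203.0.113.10 443 ACCEPT
2024-05-01T10:01:00Z 192.0.2.44 203.0.113.241 22 DROP
2024-05-01T10:01:02Z 192.0.2.44 203.0.113.242 22 DROP
2024-05-01T10:02:10Z 192.0.2.99 203.0.113.12 3389 DROP
2024-05-01T10:02:20Z 192.0.2.99 203.0.113.13 3389 DROP
2024-05-01T10:02:30Z 192.0.2.99 203.0.113.14 3389 DROP
2024-05-01T10:02:40Z 192.0.2.99 203.0.113.15 3389 DROP
2024-05-01T10:05:00Z 198.51.100.7 203.0.113.10 443 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _action = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def analyze(log_text):
    """Return a list of alert dicts, in log order.

    darknet: any packet to a dark address is a tripwire hit (high severity),
             because nothing legitimate should ever be sent there.
    rate:    more than RATE_LIMIT attempts from one source to non-standard
             ports inside a sliding WINDOW_SECONDS window (medium severity);
             each source is reported once.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of its recent probes
    flagged = set()               # sources that already raised a rate alert
    for raw in log_text.splitlines():
        ts, src, dst, dport = parse_line(raw)
        if dst not in ALLOCATION:
            continue              # not our address space; nothing to judge
        if dst in DARKNET:
            alerts.append({"type": "darknet", "severity": "high", "src": str(src),
                           "dst": str(dst), "dport": dport})
        if dport in STANDARD_PORTS:
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()      # drop probes older than the window
        if len(window) > RATE_LIMIT and src not in flagged:
            flagged.add(src)
            alerts.append({"type": "rate", "severity": "medium", "src": str(src),
                           "attempts": len(window), "window_s": WINDOW_SECONDS})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the two probes against dark addresses from 192.0.2.44 each raise a darknet alert, and 192.0.2.99 raises one rate alert on its fourth RDP attempt inside a minute, while the repeated HTTPS connections from 198.51.100.7 raise nothing.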

Common Mistakes & Best Practices

Avoid these pitfalls and adopt proven defensive strategies.

⚠ Common Mistakes

  • Assuming unused IPs don't need monitoring. Dark IP addresses within your allocation are valuable canaries. Without sensors on unused space, attackers can scan your entire range without generating a single alert, and you'll have zero visibility into reconnaissance targeting your organization.
  • Not implementing proper firewall rules on border devices. Many organizations rely solely on host-based firewalls or cloud security groups while neglecting perimeter-level filtering. This leaves the network vulnerable to scans that bypass individual host protections and allows attackers to map the entire network topology.
  • Ignoring IPv6 scanning threats. As organizations adopt IPv6, the address space becomes so vast that traditional scanning is impractical, but attackers have adapted using techniques like BGP table analysis, DNS enumeration, and targeted scanning of known-allocation prefixes. Failing to apply equivalent monitoring to IPv6 ranges creates a blind spot.
  • Failing to use cloud access security brokers (CASBs). Cloud environments often introduce new public IP addresses through load balancers, CDN origins, and serverless functions. Without a CASB or cloud security posture management (CSPM) tool, these dynamically allocated addresses go unmonitored.
  • Not segmenting public-facing and internal IP ranges. Flat network architectures where public-facing services share the same subnet as internal systems mean a compromised externally-facing host provides direct network-level access to sensitive internal resources, eliminating the need for complex lateral movement.

✓ Best Practices

  • Deploy darknet monitoring on unused IP space. Assign at least 10% of your public IP allocation as monitored darknet addresses. Any traffic to these addresses is inherently suspicious and should trigger immediate investigation, providing an early warning system for reconnaissance activity.
  • Implement rate limiting per IP on public services. Configure web servers, mail servers, and other public-facing services to limit connection rates from individual source IP addresses. This slows down scanning tools, increases the time required to complete reconnaissance, and improves detection opportunities.
  • Use reputation-based IP blocking with threat intelligence. Integrate threat intelligence feeds into your perimeter defenses to automatically block IP addresses with poor reputations. Services like GreyNoise, Spamhaus DROP lists, and commercial TI platforms can eliminate a significant percentage of scanning traffic before it reaches your infrastructure.
  • Regularly audit public IP assignments. Conduct monthly reviews of all public IP addresses assigned to your organization, including cloud environments, CDN configurations, and DNS records. Decommission unused addresses and ensure all active addresses have documented owners and purposes.
  • Implement defense-in-depth at the network perimeter. Layer multiple security controls including border firewalls, IDS/IPS, web application firewalls (WAFs), DDoS mitigation services, and geo-blocking. No single control is sufficient; the goal is to increase the cost and complexity of reconnaissance beyond what most adversaries are willing to invest.

Red Team vs Blue Team View

Understanding both sides of IP block scanning — offense and defense.

Red Team: Attacker Perspective

Red team operators and real-world adversaries approach IP block scanning as the critical first phase of any operation. They begin by identifying the target organization's public IP allocations through WHOIS queries against RIR databases, BGP routing table analysis using tools like BGPStream, and passive DNS reconnaissance. Once the target ranges are identified, they deploy high-speed scanning tools optimized for different objectives.


Masscan is the weapon of choice for rapid port discovery, capable of scanning the entire IPv4 internet in under six minutes at maximum speed. For more detailed service enumeration, Nmap provides comprehensive fingerprinting including operating system detection, service version identification, and scriptable vulnerability checks. ZMap offers another high-performance alternative optimized for network-wide scanning with built-in support for application-layer probes. Advanced adversaries use distributed scanning architectures to avoid single-source IP rate blocking, and they randomize scan timing to evade pattern-based detection. The intelligence gathered — live hosts, open ports, service versions, and network topology — directly informs which exploitation techniques to employ against each discovered target.

Tools: Masscan, ZMap, Nmap, Shodan, Censys, Amass, Fierce, rustscan

Blue Team: Defender Perspective

Blue team defenders must build a comprehensive, layered detection and response capability specifically designed to identify IP block scanning activity against their organization's infrastructure. The defensive strategy begins with darknet sensors deployed on unused IP addresses within the organization's allocation, providing a tripwire that alerts on any probe against space that should receive zero legitimate traffic.


Network defenders deploy IDS/IPS systems (Snort, Suricata, Zeek) at network borders configured with rules to detect scanning patterns including sequential IP probing, unusual port combinations, and SYN scan signatures. They implement BGP hijacking detection to ensure their IP prefixes aren't being announced by unauthorized ASNs. Threat intelligence platforms like GreyNoise, MISP, and Anomali correlate scanning activity with known adversary infrastructure, providing context for alerts and enabling proactive blocking. Cloud-based WAFs and CDN services (Cloudflare, AWS Shield, Akamai) absorb and analyze scanning traffic before it reaches origin servers, reducing the load on defensive infrastructure. The key principle is reducing dwell time — the faster scanning activity is detected and the source is blocked, the less intelligence the attacker gathers and the more likely they are to move to an easier target.

Tools: Zeek/Bro, Suricata, Snort, GreyNoise, CrowdStrike, Splunk, Elastic SIEM, Cloudflare

Threat Hunter's Eye

How to think like a hunter analyzing IP block scanning activity.

👁 Understanding the Adversary's Scanning Strategy

As a threat hunter investigating potential IP block scanning against your organization, the first question to ask is not "are we being scanned?" (because the answer is almost certainly yes) but rather "who is scanning us and why?" Every organization with public IP addresses is constantly being probed by automated scanners, research crawlers, and botnets. The threat hunter's job is to distinguish between opportunistic background noise and targeted reconnaissance that precedes a genuine attack.


Look for patterns that indicate deliberate targeting rather than random internet scanning. A single source IP scanning sequential addresses within your range is more suspicious than random probes from distributed sources. Scanning that targets specific ports associated with known vulnerabilities in your industry (RDP for financial services, MQTT for IoT manufacturers, or SMB for enterprise environments) suggests the attacker knows something about your organization. Pay attention to the tempo of scanning: adversaries conducting targeted reconnaissance often use slow, deliberate scanning patterns (sometimes called "low and slow") specifically designed to stay below detection thresholds, probing only a few addresses per hour over days or weeks. If you see the same scanning pattern repeat on a regular schedule, this may indicate automated persistence checking — the attacker is periodically re-scanning to detect new services or configuration changes.


Cross-reference scanning source IPs against threat intelligence feeds and historical data. Have these IPs been associated with previous incidents? Do they belong to ASNs in countries where your organization has no business relationships? Are they using Tor exit nodes, VPN providers, or known bulletproof hosting services? The combination of pattern analysis, behavioral context, and threat intelligence correlation transforms raw scan data into actionable hunting hypotheses. When you identify a likely targeted scan, document your findings with a clear timeline, the scope of IPs probed, ports targeted, and the attribution hypothesis. This intelligence drives proactive blocking, informs defensive priority adjustments, and contributes to the organization's overall threat model.
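The hunter's checklist above (sequential sweeps, industry-relevant ports, low-and-slow tempo, threat-intelligence history) turned into a per-source scoring function, as an added example that is not part of the original post. The probe events, the sensitive-port set and the threat-intelligence list are constructed, and the thresholds (80% adjacency for a sequential sweep, at most 5 probes per hour across 12 or more hours for low-and-slow, a score of 2 for a "targeted" verdict) are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

ALLOCATION = ipaddress.ip_network("203.0.113.0/24")
SENSITIVE_PORTS = {3389, 445}            # ports tied to known exposures in this sector (assumed)
KNOWN_BAD = {"192.0.2.99"}                # constructed TI feed: sources seen in prior incidents
LOW_AND_SLOW_MAX_PER_HOUR = 5.0           # assumed tempo ceiling for "low and slow"
MIN_SLOW_SPAN_HOURS = 12                  # assumed minimum duration for "low and slow"

# Constructed probe events: (ISO timestamp, src, dst, dport)
EVENTS = [
    ("2024-05-01T01:00:00Z", "192.0.2.99", "203.0.113.10", 3389),
    ("2024-05-01T09:00:00Z", "192.0.2.99", "203.0.113.11", 3389),
    ("2024-05-01T17:00:00Z", "192.0.2.99", "203.0.113.12", 3389),
    ("2024-05-02T01:00:00Z", "192.0.2.99", "203.0.113.13", 3389),
    ("2024-05-01T10:00:00Z", "198.51.100.200", "203.0.113.77", 80),
    ("2024-05-01T10:00:01Z", "198.51.100.200", "203.0.113.3", 80),
    ("2024-05-01T10:00:02Z", "198.51.100.200", "203.0.113.140", 80),
]


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def sequential_fraction(dsts):
    """Fraction of neighbouring (sorted, distinct) targets that are adjacent addresses.
    1.0 means a pure sequential sweep; near 0 means scattered or randomized targets."""
    ints = sorted({int(ipaddress.ip_address(d)) for d in dsts})
    if len(ints) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return adjacent / (len(ints) - 1)


def triage(events):
    """Return {src: {signal flags, probes, span_hours, score, verdict}} per scanning source."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if ipaddress.ip_address(dst) in ALLOCATION:   # only probes against our own space
            by_src[src].append((_ts(ts), dst, dport))
    report = {}
    for src, probes in by_src.items():
        times = sorted(p[0] for p in probes)
        # floor the span at one second so a burst does not divide by zero
        span_hours = max((times[-1] - times[0]).total_seconds() / 3600, 1 / 3600)
        per_hour = len(probes) / span_hours
        signals = {
            "sequential": sequential_fraction(p[1] for p in probes) >= 0.8,
            "sensitive_ports": any(p[2] in SENSITIVE_PORTS for p in probes),
            "low_and_slow": span_hours >= MIN_SLOW_SPAN_HOURS
                            and per_hour <= LOW_AND_SLOW_MAX_PER_HOUR,
            "ti_hit": src in KNOWN_BAD,
        }
        score = sum(signals.values())       # one point per signal present
        report[src] = {**signals, "probes": len(probes), "span_hours": round(span_hours, 1),
                       "score": score, "verdict": "targeted" if score >= 2 else "background"}
    return report


if __name__ == "__main__":
    for src, row in triage(EVENTS).items():
        print(src, row)
```

In the constructed data 192.0.2.99 walks .10 through .13 on RDP, four probes spread over 24 hours, and is on the TI list, so it scores on all four signals; 198.51.100.200 fires three scattered HTTP probes in two seconds and scores zero.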

