🤖 AI Summary
The behavioral mechanisms of IPv6 scanners in dynamic network environments, particularly during BGP prefix changes, remain poorly understood. “Silent subnets” within large prefixes exhibit low detectability, whereas newly announced prefixes trigger rapid scanning, indicating high sensitivity to routing signals.
Method: We conducted an 11-month large-scale measurement using four distributed IPv6 network telescopes, integrating BGP route reconfiguration experiments, passive traffic monitoring, scanner fingerprinting, and cross-category behavioral correlation analysis.
Contribution/Results: This work provides the first systematic characterization of IPv6 scanners’ temporal periodicity, target selection preferences (e.g., prefix-granularity dependence), network adaptation strategies, and tool-specific fingerprint features. We observe minute-scale latency in scanner responses to BGP announcements and identify critical limitations in current telescope coverage. Based on these findings, we propose practical recommendations to enhance IPv6 scanning visibility—specifically, improving telescope deployment coverage and prefix diversity.
📝 Abstract
Scanners are daily visitors of public IPv4 hosts. Scanning IPv6 nodes successfully is still a challenge, which an increasing crowd of actors tries to master. In this paper, we analyze current IPv6 scanning under various network conditions. We observe scanner behavior over eleven months in four network telescopes, one of which is periodically reconfigured by changing BGP announcements. We analyze and classify the observed scanners w.r.t. their temporal behavior, their target and network selection strategy, as well as their individual tools, fingerprints, and correlations across categories. We find that silent subnets of larger prefixes remain invisible, whereas BGP prefix announcements quickly attract the attention of scanners. Based on our findings, we derive operational guidance on how to deploy network telescopes to increase visibility of IPv6 scanners.