🤖 AI Summary
This study addresses the dynamic nature and traceability challenges of IPv6 scanning in operational ISP networks. We conduct the first large-scale empirical investigation by deploying an active IPv6 telescope integrated with passive traffic monitoring, systematically collecting and analyzing over 600 million unsolicited scan packets from 1,900 autonomous systems. Our methodology combines IPv6 address-space probing, AS-level mapping, and multi-dimensional protocol-stack feature analysis to empirically infer how scanning sources discover addresses and which target selection strategies they use. We identify six characteristic scanning source classes, validate the discriminative power of five core network features, and uncover the target-generation strategies of mainstream scanners (e.g., ZMap, Masscan), along with how those strategies evolve over time. These findings establish a critical empirical foundation for IPv6 threat detection, attribution, and defense.
📝 Abstract
We introduce new tools and vantage points to develop and integrate proactive techniques to attract IPv6 scan traffic, thus enabling its analysis. By deploying the largest-ever IPv6 proactive telescope in a production ISP network, we collected over 600M packets of unsolicited traffic from 1.9k Autonomous Systems in 10 months. We characterized the sources of unsolicited traffic, evaluated the effectiveness of five major features across the network stack, and inferred scanners' sources of target addresses and their strategies.