Internet-Scale Measurement of Public gRPC Deployments
Affiliation: Bad Data Lab – University of Maryland, College Park
Contact: baddatalab@umd.edu
We are a research group at University of Maryland, College Park conducting an
academic Internet measurement study on the public deployment of gRPC services.
The purpose of this work is purely scientific.
We understand that many IDS/IPS systems may classify Internet-wide scanning as suspicious activity,
and we are providing this page to ensure transparency and make it easy to contact us or opt out.
1. Research Objective
This academic study measures the global deployment of publicly accessible
gRPC-based services. Our goal is to understand the security risks of these services and propose actionable improvements (e.g. use of TLS or authentication mechanisms where appropriate). Similar Internet-wide measurement scans have been conducted in prior academic work 3.
2. Opt-Out Requests
The following hosts and IP addresses are used for this study:
research-scan-01.umd-grpc-research.org — 134.209.63.62
research-scan-02.umd-grpc-research.org — 144.126.196.115
If you are a network operator and wish to exclude your IP ranges from our measurements,
please email baddatalab@umd.edu and include the relevant IP range(s). We honor opt-out requests promptly.
If you have any further questions or recommendations, we would be happy to hear from you.
3. Methodology & Ethical Safeguards
This study follows widely used ethical guidance for Internet measurement research, including
the Menlo Report1
and Partridge & Allman2. Our scope is limited to IPv4 address space; selected ports are probed to identify potential gRPC services. We send limited protocol requests (such as ServerReflection where enabled) solely to classify services. Probing is rate-limited and designed to avoid operational impact.
- We do not attempt authentication bypass, brute-force attacks, privilege escalation, or data extraction.
- We collect only metadata needed for aggregate analysis (e.g., IP address, port, timestamp, protocol indicators, and ServerReflection responses). We do not collect application data, user content, credentials, or business information.
4. Responsible Disclosure
If we identify configurations that may pose security risks, we make reasonable
efforts to notify affected parties responsibly.
References
-
D. Dittrich and E. Kenneally,
The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research,
U.S. Department of Homeland Security, 2012.
-
C. Partridge and M. Allman,
“Ethical Considerations in Network Measurement Papers,”
Communications of the ACM, 2016.
-
Z. Durumeric, E. Wustrow, and J. A. Halderman,
“ZMap: Fast Internet-wide Scanning and Its Security Applications,”
in Proceedings of the 22nd USENIX Security Symposium ,
2013.