
How dynamic are IP addresses?

Published: 27 August 2007

Abstract

This paper introduces a novel algorithm, UDmap, to identify dynamically assigned IP addresses and analyze their dynamics pattern. UDmap is fully automatic, and relies only on application-level server logs. We applied UDmap to a month-long Hotmail user-login trace and identified a significant number of dynamic IP addresses - more than 102 million. This suggests that the fraction of IP addresses that are dynamic is by no means negligible. Using this information in combination with a three-month Hotmail email server log, we were able to establish that 95.6% of mail servers set up on the dynamic IP addresses in our trace sent out solely spam emails. Moreover, these mail servers sent out a large amount of spam - amounting to 42.2% of all spam emails received by Hotmail. These results highlight the importance of being able to accurately identify dynamic IP addresses for spam filtering. We expect similar benefits to arise for phishing site identification and botnet detection. To our knowledge, this is the first successful attempt to automatically identify and understand IP address dynamics.



    Published In

    SIGCOMM '07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
    August 2007
    432 pages
    ISBN:9781595937131
    DOI:10.1145/1282380
    • ACM SIGCOMM Computer Communication Review, Volume 37, Issue 4
      October 2007
      420 pages
      ISSN:0146-4833
      DOI:10.1145/1282427

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. DHCP
    2. IP volatility
    3. dynamic IP addresses
    4. entropy
    5. spam detection

    Qualifiers

    • Article

    Conference

    SIGCOMM07
    Sponsor:
    SIGCOMM07: ACM SIGCOMM 2007 Conference
    August 27 - 31, 2007
    Kyoto, Japan

    Acceptance Rates

    Overall Acceptance Rate 462 of 3,389 submissions, 14%


    Cited By

    • (2024) AI-URG: Account Identity-Based Uncertain Graph Framework for Fraud Detection. IEEE Transactions on Computational Social Systems, 11:3 (3706-3728). DOI:10.1109/TCSS.2023.3325739. Online publication date: Jun-2024
    • (2024) Expertise hubs and the credibility challenge for open-source intelligence: insights from usage patterns of a web-controlled radio receiver and related Twitter traffic in the Ukraine war. European Security (1-21). DOI:10.1080/09662839.2024.2421262. Online publication date: 11-Nov-2024
    • (2024) Beneath the Facade of IP Leasing: Graph-Based Approach for Identifying Malicious IP Blocks. Computational Science – ICCS 2024 (46-53). DOI:10.1007/978-3-031-63759-9_6. Online publication date: 29-Jun-2024
    • (2024) Ebb and Flow: Implications of ISP Address Dynamics. Passive and Active Measurement (132-149). DOI:10.1007/978-3-031-56252-5_7. Online publication date: 11-Mar-2024
    • (2023) Inferring Changes in Daily Human Activity from Internet Response. Proceedings of the 2023 ACM on Internet Measurement Conference (627-644). DOI:10.1145/3618257.3624796. Online publication date: 24-Oct-2023
    • (2023) Evaluating IP Blacklists Effectiveness. 2023 10th International Conference on Future Internet of Things and Cloud (FiCloud) (336-343). DOI:10.1109/FiCloud58648.2023.00056. Online publication date: 14-Aug-2023
    • (2021) Down for failure. Future Generation Computer Systems, 125:C (629-640). DOI:10.1016/j.future.2021.06.055. Online publication date: 1-Dec-2021
    • (2020) Detecting and Understanding Online Advertising Fraud in the Wild. IEICE Transactions on Information and Systems, E103.D:7 (1512-1523). DOI:10.1587/transinf.2019ICP0008. Online publication date: 1-Jul-2020
    • (2020) Quantifying the Impact of Blocklisting in the Age of Address Reuse. Proceedings of the ACM Internet Measurement Conference (360-369). DOI:10.1145/3419394.3423657. Online publication date: 27-Oct-2020
    • (2020) Quantifying autonomous system IP churn using attack traffic of botnets. Proceedings of the 15th International Conference on Availability, Reliability and Security (1-10). DOI:10.1145/3407023.3407051. Online publication date: 25-Aug-2020
