Yinglian Xie
ABSTRACT
This paper introduces a novel algorithm, UDmap, to identify dynamically assigned IP addresses and analyze their dynamics pattern. UDmap is fully automatic, and relies only on application-level server logs. We applied UDmap to a month-long Hotmail user-login trace and identified a significant number of dynamic IP addresses - more than 102 million. This suggests that the fraction of IP addresses that are dynamic is by no means negligible. Using this information in combination with a three-month Hotmail email server log, we were able to establish that 95.6% of mail servers setup on the dynamic IP addresses in our trace sent out solely spam emails. Moreover, these mail servers sent out a large amount of spam - amounting to 42.2% of all spam emails received by Hotmail. These results highlight the importance of being able to accurately identify dynamic IP addresses for spam filtering. We expect similar benefits to arise for phishing site identification and botnet detection. To our knowledge, this is the first successful attempt to automatically identify and understand IP address dynamics.
- Multi-DNSBL Lookup. http://www.completewhois.com/rbl_lookup.htm.Google Scholar
- Braunson. Guide To Change Your IP Address (Part 2). http://totaldream.org/index.php?page=articles&view=article&id=101, 2006.Google Scholar
- M. Casado and M. J. Freedman. Peering through the Shroud: The Effect of Edge Opacity on IP-based Client Identification. In Proc. 4th USENIX/ACM Symposium on Networked Systems Design and Implementation (NSDI), 2007. Google ScholarDigital Library
- K. R. Castleman. Digital Image Processing. New Jersey: Prentice Hall, 1996. Google ScholarDigital Library
- Cisco Network Registrar User's Guide. http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/products_user_guide_list.html.Google Scholar
- R. Droms. Dynamic Host Configuration Protocol. RFC 2131: http://www.dhcp.org, 1997.Google Scholar
- Dynablock Dynamic IP list. http://www.njabl.org, recently aquired by Spamhaus, http://www.spamhaus.org/pbl/index.lasso, 2007.Google Scholar
- J. Evers. Most Spam Still Coming From the U.S. http://news.com/Most+spam+still+coming+from+the+U.S./2100-1029_3-6030758.html, 2006.Google Scholar
- S. Foo, S. C. Hui, S. W. Yip, and Y. He. Approaches for Resolving Dynamic IP Addressing. Internet Research: Electronic Networking Applications and Policy, 7(3):208--216, 1997.Google Scholar
- M. Freedman, M. Vutukuru, N. Feamster, and H. Balakrishnan. Geographic Locality of IP Prefixes. In Proc. of the ACM Internet Measurement Conference (IMC), 2005. Google ScholarDigital Library
- J. Hovold. Naive Bayes Spam Filtering Using Word Position Attributes. In Conference on Email and Anti-Spam, 2005.Google Scholar
- IDC Netwurx. http://www.idcnet.com, 2006.Google Scholar
- J. Jung and E. Sit. An Empirical Study of Spam Traffic and the Use of DNS Black Lists. In Proc. of the ACM Internet Measurement Conference (IMC), 2004. Google ScholarDigital Library
- T. Kohno, A. Broido, and K. Claffy. Remote Physical Device Fingerprinting. In IEEE Symposium on Security and Privacy, 2005. Google ScholarDigital Library
- B. Krishnamurthy and J. Wang. On Network-Aware Clustering of Web Clients. In Proc. of Sigcomm, 2000. Google ScholarDigital Library
- H. Lee and A. Y. Ng. Spam Deobfuscation Using a Hidden Markov Model. In Conference on Email and Anti-Spam, 2005.Google Scholar
- F. Li and M. H. Hsieh. An Empirical Study of Clustering Behavior of Spammers and Group-based Anti-Spam Strategies. In Conference on Email and Anti-Spam, 2006.Google Scholar
- D. Lowd and C. Meek. Good Word Attacks on Statistical Spam Filters. In Conference on Email and Anti-Spam, 2005.Google Scholar
- D. Majoras, T. B. Leary, P. J. Harbour, and J. Leibowitz. Effectiveness and Enforcement of the CAN-SPAM Act: A Report to Congress. http://www.ftc.gov/bcp/conline/edcams/spam/reports.htm, 2005.Google Scholar
- V. N. Padmanabhan and L. Subramanian. An Investigation of Geographic Mapping Techniques for Internet Hosts. In Proc. of Sigcomm, 2001. Google ScholarDigital Library
- Postini Message Security and Management Update for October Reveals that Spam is Back with a Vengeance. http://postini.com/news events/pr/pr110606.php,2006.Google Scholar
- A. Ramachandran, D. Dagon, and N. Feamster. Can DNSBased Blacklists Keep Up with Bots? In Conference on Email and Anti-Spam, 2006.Google Scholar
- A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. In Proc. of Sigcomm, 2006. Google ScholarDigital Library
- A. Ramachandran, N. Feamster, and D. Dagon. Revealing Botnet Membership Using DNSBL Counter-Intelligence. In 2nd Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2006. Google ScholarDigital Library
- Route Views Project. http://www.routeviews.org.Google Scholar
- V. Sekar, Y. Xie, M. K. Reiter, and H. Zhang. A Multi-Resolution Approach for Worm Detection and Containment. In DSN, 2006. Google ScholarDigital Library
- M. Sullivan and L. Munoz. Suggested Generic DNS Naming Schemes for Large Networks and Unassigned Hosts. RFC draft: http://tools.ietf.org/wg/dnsop/draft-msullivan-dnsop-generic-naming-schemes-00.txt, 2006.Google Scholar
- The Apache Spam Assassin Project. http://spamassassin.apache.org.Google Scholar
- Trend Micro Inc, Mail Abuse Prevention System. http://www.trendmicro.com/en/products/global/kelkea.htm.Google Scholar
- Whois.net - Domain Research Tools. http://www.whois.net.Google Scholar
- M. Xie, H. Yin, and H. Wang. An Effective Defense Against Email Spam Laundering. In Proc. of the ACM Computer and Communications Security (CCS), 2006. Google ScholarDigital Library
- Y. Xie, V. Sekar, D. Maltz, M. Reiter, and H. Zhang. Worm Origin Identification Using Random Moonwalks. In Proc. of the IEEE Symposium on Security and Privacy, 2005. Google ScholarDigital Library
Index Terms
- How dynamic are IP addresses?
Recommendations
Reasons Dynamic Addresses Change
IMC '16: Proceedings of the 2016 Internet Measurement ConferenceApplications often use IP addresses as end host identifiers based on the assumption that IP addresses do not change frequently, even when dynamically assigned. The validity of this assumption depends upon the duration of time that an IP address ...
How dynamic are IP addresses?
This paper introduces a novel algorithm, UDmap, to identify dynamically assigned IP addresses and analyze their dynamics pattern. UDmap is fully automatic, and relies only on application-level server logs. We applied UDmap to a month-long Hotmail user-...
Populated IP addresses: classification and applications
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications securityPopulated IP addresses (PIP) -- IP addresses that are associated with a large number of user requests are important for online service providers to efficiently allocate resources and to detect attacks. While some PIPs serve legitimate users, many others ...
Comments