Detecting Dynamic IP Addresses Using the Sequential Characteristics of PTR Records

Tomofumi Nakamori, Daiki Chiba, Mitsuaki Akiyama, Shigeki Goto

Abstract


Many cyberattacks are launched from malware-infected hosts, and most of those hosts are end-user devices such as PCs, mobile devices, and IoT devices. In today's Internet, most end users hold dynamic IP addresses that are allocated by their Internet service providers (ISPs). Some countermeasures against cyberattacks treat an IP address as a unique indicator of an infected host. However, because of ISP configuration and allocation policies, the same dynamic IP address is not necessarily reassigned to the same host, so an address-based indicator may later point at an uninvolved device. Accurate detection of dynamic IP address blocks is therefore necessary to apply such countermeasures appropriately. Conventional methods detect dynamic IP address blocks by matching the PTR record of a target IP address against predefined keywords that suggest dynamic allocation. These keywords do not always appear in the PTR records of dynamic IP addresses, and they sometimes falsely match the PTR records of non-dynamic IP addresses. In this study, we propose a new method that detects dynamic IP address blocks more accurately and with greater coverage than the conventional methods. Our method exploits a distinctive feature of dynamic IP address blocks: their administrators configure the PTR records sequentially across the block. We validated the performance of the method by evaluating it on real, manually labeled data.
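As an added, illustrative example (not the authors' implementation, whose details are in the full paper), the following Python contrasts the conventional keyword check with a block-level check for sequentially configured PTR names. The keyword list, the "shared template plus one numeric field advancing in lock-step with the address" heuristic, and the coverage threshold are assumptions of this example; the reverse-DNS records are constructed for the example, not taken from a real dataset such as the Rapid7 Sonar rDNS data listed in the references.

```python
import ipaddress
import re
from collections import Counter

# Keywords of the kind used by keyword-based detection. Illustrative list
# (an assumption of this example), not the set used in the paper.
DYNAMIC_KEYWORDS = ("dyn", "dhcp", "pool", "ppp", "dialup", "cable", "dsl")

DIGIT_RUN = re.compile(r"\d+")

# Constructed reverse-DNS records for three small blocks (not real data).
SAMPLE_BLOCKS = {
    # Sequential names without any keyword: keyword matching misses this block.
    "203.0.113.0/29": {
        "203.0.113.1": "h-203-0-113-1.cust.example-isp.net",
        "203.0.113.2": "h-203-0-113-2.cust.example-isp.net",
        "203.0.113.3": "h-203-0-113-3.cust.example-isp.net",
        "203.0.113.4": "h-203-0-113-4.cust.example-isp.net",
        "203.0.113.5": "h-203-0-113-5.cust.example-isp.net",
        "203.0.113.6": "h-203-0-113-6.cust.example-isp.net",
    },
    # Individually named servers; one contains "dyn" and is a keyword false positive.
    "192.0.2.0/29": {
        "192.0.2.1": "gw.example.org",
        "192.0.2.2": "mail.example.org",
        "192.0.2.3": "dynamicdns.example.org",
        "192.0.2.4": "www.example.org",
        "192.0.2.5": "ns1.example.org",
    },
    # Sequential names that also carry keywords: both approaches flag this block.
    "198.51.100.0/29": {
        "198.51.100.1": "pool-001.dhcp.example-isp.net",
        "198.51.100.2": "pool-002.dhcp.example-isp.net",
        "198.51.100.3": "pool-003.dhcp.example-isp.net",
        "198.51.100.4": "pool-004.dhcp.example-isp.net",
        "198.51.100.5": "pool-005.dhcp.example-isp.net",
        "198.51.100.6": "pool-006.dhcp.example-isp.net",
    },
}


def keyword_match(ptr):
    """Conventional per-address check: any dynamic-allocation keyword in the PTR name."""
    name = ptr.lower()
    return any(keyword in name for keyword in DYNAMIC_KEYWORDS)


def template_of(ptr):
    """Collapse every decimal run to '#', so names differing only in numbers coincide."""
    return DIGIT_RUN.sub("#", ptr.lower())


def numeric_fields(ptr):
    """The decimal runs of a PTR name, in order, as integers (leading zeros ignored)."""
    return [int(run) for run in DIGIT_RUN.findall(ptr)]


def is_sequential_block(records, min_coverage=0.8):
    """Block-level check: the PTR names share one template (covering at least
    min_coverage of the addresses) and some numeric field advances in lock-step
    with the address, i.e. field(ip) - field(base) == ip - base for every member."""
    if len(records) < 3:
        return False
    items = sorted((int(ipaddress.ip_address(ip)), ptr) for ip, ptr in records.items())
    template, count = Counter(template_of(ptr) for _, ptr in items).most_common(1)[0]
    if count / len(items) < min_coverage:
        return False
    members = [(addr, numeric_fields(ptr)) for addr, ptr in items if template_of(ptr) == template]
    base_addr, base_fields = members[0]
    for idx in range(len(base_fields)):
        if all(fields[idx] - base_fields[idx] == addr - base_addr for addr, fields in members[1:]):
            return True
    return False


def classify_block(records):
    """Summarise both approaches for one block of (ip -> PTR name) records."""
    return {
        "records": len(records),
        "keyword_hits": sum(keyword_match(ptr) for ptr in records.values()),
        "sequential": is_sequential_block(records),
    }


if __name__ == "__main__":
    for block, records in SAMPLE_BLOCKS.items():
        print(block, classify_block(records))
```

A caveat of this example: a numbered server farm (web01, web02, ...) also passes the lock-step test, so the block size, the coverage threshold and a labeled evaluation set, as the paper uses, are what keep such blocks from being classified as dynamic.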


References


Ramakrishna Padmanabhan, Amogh Dhamdhere, Emile Aben, kc claffy, and Neil Spring. Reasons dynamic addresses change. In Phillipa Gill, John S. Heidemann, John W. Byers, and Ramesh Govindan, editors, Proceedings of the 2016 ACM Internet Measurement Conference, IMC 2016, Santa Monica, CA, USA, November 14-16, 2016, pp. 183–198. ACM, 2016.

The Spamhaus Project Ltd. The Spamhaus Project. https://www.spamhaus.org/.

The Spamhaus Project Ltd. Composite Blocking List. http://www.abuseat.org/.

SORBS. Spam and Open Relay Blocking System (SORBS). http://www.sorbs.net/.

Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moisés Goldszmidt, and Ted Wobber. How dynamic are IP addresses? In Jun Murai and Kenjiro Cho, editors, Proceedings of the ACM SIGCOMM 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, Japan, August 27-31, 2007, pp. 301–312. ACM, 2007.

Philipp Richter, Georgios Smaragdakis, David Plonka, and Arthur W. Berger. Beyond counting: New perspectives on the active IPv4 address space. In Phillipa Gill, John S. Heidemann, John W. Byers, and Ramesh Govindan, editors, Proceedings of the 2016 ACM Internet Measurement Conference, IMC 2016, Santa Monica, CA, USA, November 14-16, 2016, pp. 135–149. ACM, 2016.

Yu Jin, Esam Sharafuddin, and Zhi-Li Zhang. Identifying dynamic IP address blocks serendipitously through background scanning traffic. In Jim Kurose and Henning Schulzrinne, editors, Proceedings of the 2007 ACM Conference on Emerging Network Experiment and Technology, CoNEXT 2007, New York, NY, USA, December 10-13, 2007, p. 4. ACM, 2007.

Xue Cai and John S. Heidemann. Understanding block-level address usage in the visible Internet. In Shivkumar Kalyanaraman, Venkata N. Padmanabhan, K. K. Ramakrishnan, Rajeev Shorey, and Geoffrey M. Voelker, editors, Proceedings of the ACM SIGCOMM 2010 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, New Delhi, India, August 30 - September 3, 2010, pp. 99–110. ACM, 2010.

Akamai. Attack spotlight: An Internet of Things botnet. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/attack-spotlight-internet-of-things-botnet-threat-advisory.pdf.

Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the Mirai botnet. In Engin Kirda and Thomas Ristenpart, editors, 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16-18, 2017, pp. 1093–1110. USENIX Association, 2017.

MaxMind. GeoLite Legacy downloadable databases. https://dev.maxmind.com/geoip/legacy/geolite/.

Daiki Chiba, Mitsuaki Akiyama, Takeshi Yagi, Kunio Hato, Tatsuya Mori, and Shigeki Goto. DomainChroma: Building actionable threat intelligence from malicious domain names. Computers & Security, Vol. 77, pp. 138–161, 2018.

Mozilla Foundation. Public Suffix List. https://publicsuffix.org/.

Harvard University. Jaro-Winkler distance. https://scholar.harvard.edu/jfeigenbaum/software/jaro-winkler-distance.

Matthew A. Jaro. Advances in record-linkage methodology as applied to matching the 1985 census of Tampa, Florida. Journal of the American Statistical Association, Vol. 84, No. 406, pp. 414–420, 1989.

Matthew A. Jaro. Probabilistic linkage of large public health data files. Statistics in Medicine, Vol. 14, No. 5–7, pp. 491–498, 1995.

William E. Winkler. String comparator metrics and enhanced decision rules in the Fellegi-Sunter model of record linkage. In Proceedings of the Section on Survey Research Methods, pp. 354–359, 1990.

William E. Winkler. Overview of record linkage and current research directions. Technical report, February 2006.

python-Levenshtein documentation, served via RawGit (Ryan Grove). https://rawgit.com/ztane/python-Levenshtein/master/docs/Levenshtein.html.

Rapid7. Reverse DNS (rDNS). https://opendata.rapid7.com/sonar.rdnsn_v2/.

Hideo Asami. Study report of an anti-spam system with a % block rate. http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html.

