How dynamic are IP addresses? Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt, Ted Wobber SIGCOMM ‘07 Chulhyun Park 2007. 11. 09.


1 How dynamic are IP addresses? Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt, Ted Wobber SIGCOMM ‘07 Chulhyun Park 2007. 11. 09. chpark@mmlab.snu.ac.kr

2 / 19 Contents
- Introduction
- Related work
- UDMap algorithm
- IP Dynamics
- Spam and IP dynamics
- Conclusion

3 / 19 Introduction
- Tracking host IP
  - Malicious host identification
  - Network forensic analysis
- Basis: IP addresses are static!
  - Is this true?

4 / 19 Introduction
- Motivation
  - Lots of spam mail servers use dynamic IPs
  - Blocking-based spam filtering systems may not be efficient
- Purpose of UDMap
  - Quantify the IP dynamics
  - Automatic method for obtaining IP dynamics

5 / 19 Related work
- UDMap is the first attempt to automatically detect dynamic IPs
- Reverse DNS
  - Maps an IP address to a host domain name
  - From the domain name, guess the static/dynamic state of the IP address
- Dynablock
  - Database of dialup user lists

6 / 19 UDMap Algorithm
- Definition
  - IP dynamics: dynamic behavior of the mapping between an IP and a host over time
  - IP volatility: rate at which an IP is assigned to different hosts
- Input
  - IP addresses
  - Persistent identification for hosts

7 / 19 UDMap: Multi-User IP Block selection
- Rule 1
  - A block of IPs must belong to the same AS and the same prefix
- Rule 2
  - The size of a block should be bigger than a specific size
- Rule 3
  - A block must have no gaps
  - Gap: continuous IPs in a block which are neither observed in the input data nor used by a single Hotmail user

8 / 19 UDMap: IP Usage-Entropy Computation
- Multiple users with the same IP
  - A dynamic IP is assigned to multiple users over time
  - A host with a static IP is shared by multiple users
- If the IP is a dynamic IP, then the users of that IP will use other dynamic IPs over time

9 / 19 UDMap: IP Usage-Entropy Computation
- Normalized usage-entropy close to 1: that IP address is a dynamic IP
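An added illustration of the usage-entropy idea on slides 8 and 9; it is not code from the slides or from the UDMap authors. The slides do not give the formula, so the definition here is an assumption: for each IP j in a block, count how many of j's users were also seen on each IP k of the block, treat the counts as a distribution, and divide its Shannon entropy by log2 of the block size. The addresses, user IDs and block layout are constructed.

```python
import math
from collections import defaultdict

def normalized_usage_entropy(events, block):
    """events: (user_id, ip) login records; block: IPs of one candidate block.
    Returns {ip: score in [0, 1]} under the assumed definition in the lead-in."""
    in_block = set(block)
    ips_of = defaultdict(set)    # user -> block IPs the user was seen on
    users_of = defaultdict(set)  # ip -> users seen on that IP
    for user, ip in events:
        if ip in in_block:
            ips_of[user].add(ip)
            users_of[ip].add(user)
    scores = {}
    for j in block:
        # a[k]: how many users of IP j were also seen on IP k of the block
        a = defaultdict(int)
        for user in users_of[j]:
            for k in ips_of[user]:
                a[k] += 1
        z = sum(a.values())
        if z == 0 or len(block) < 2:
            scores[j] = 0.0      # unobserved IP or degenerate block
            continue
        h = sum(-(c / z) * math.log2(c / z) for c in a.values())
        scores[j] = h / math.log2(len(block))
    return scores

# Constructed sample data (documentation address ranges, made-up user IDs).
POOL = ["192.0.2.%d" % i for i in range(4)]       # users rotate across the pool
SHARED = ["198.51.100.%d" % i for i in range(4)]  # .0 is one shared static host
EVENTS = [
    ("u1", POOL[0]), ("u1", POOL[1]), ("u1", POOL[2]),
    ("u2", POOL[1]), ("u2", POOL[2]), ("u2", POOL[3]),
    ("u3", POOL[2]), ("u3", POOL[3]), ("u3", POOL[0]),
    ("u4", POOL[3]), ("u4", POOL[0]), ("u4", POOL[1]),
    ("p1", SHARED[0]), ("p2", SHARED[0]), ("p3", SHARED[0]),
]

if __name__ == "__main__":
    for block in (POOL, SHARED):
        for ip, score in normalized_usage_entropy(EVENTS, block).items():
            print(f"{ip:15s} {score:.3f}")
```

The rotating pool scores close to 1 on every address, while the shared static host scores 0 even though it also has several users, which is the distinction slide 8 draws.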

10 / 19 UDMap: Dynamic IP block identification
- Divide the block into sub-blocks
  - Pick a sub-block of addresses with usage-entropies larger than a threshold

11 / 19 UDMap: Volatility estimation and proxy removal
- Estimate the frequency at which the host identity changes with respect to an IP
  - Number of Hotmail users that have used this address in the input data
  - Average Hotmail inter-user duration between two users using the same IP
- Removes two kinds of false positives
  - Proxies
  - Internet café case

12 / 19 UDMap Validation: UDMap IP blocks
- Input
  - 250 million Hotmail users
  - 155 million IP addresses (spanning 20,167 ASes)
- UDMap returned 102 million addresses, and 95 million addresses are in the data
  - 61.4% of addresses are dynamic IPs

13 / 19 UDMap Validation: Validation
- Validation of the UDMap result with
  - Reverse DNS
  - Dynablock database

14 / 19 Understanding IP dynamics
- A relatively small region accounts for a large portion of the dynamic addresses

15 / 19 Understanding IP dynamics
- Only 20% of dynamic IPs are used by a single user

16 / 19 Understanding IP dynamics
- Dynamic IP assignment
  - Dialup user > DSL user > Cable modem user

17 / 19 IP Dynamics and SPAM detection
- Two categories of email server IPs
  - Identified dynamic (by Dynablock or UDMap)
  - Likely static
- Over the IP address space, the distributions of the two categories look similar
  - Filtering by address range may be inefficient

18 / 19 IP Dynamics and SPAM detection
- 92% of emails from dynamic IPs are spam!
- 95% of sessions from UDMap IPs are used to send spam ONLY

19 / 19 Conclusion
- Understanding IP dynamics can be helpful against spam email servers
  - Most spam email servers are using dynamic IPs
- UDMap is a first automatic tool for tracking IP dynamics

