Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic


About the book Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic:
Identifying Dynamic IP Address Blocks
Serendipitously through Background Scanning Traffic
Yu Jin, Esam Sharafuddin, Zhi-Li Zhang
University of Minnesota
ABSTRACT
Today’s Internet contains a large portion of “dynamic” IP addresses, which are assigned to clients upon request. A significant amount of malicious activity has been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help us build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when encountering outside scanning traffic. Based on the distinct characteristics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using one month of data collected from our campus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with a low false positive rate. As on-going work, we also introduce our design of an online classifier that identifies dynamic IP addresses in any network in real time.
1. INTRODUCTION
Knowledge of IP address assignments, e.g., whether IP addresses within an address block are dynamically or statically assigned, can provide valuable information and hints in managing and securing one’s network. For instance, on the Internet at large, a significant amount of malicious activity has been reported (see, e.g., [1–5]) from dynamic IP addresses, such as spamming, botnets, and so forth. Information regarding the source IP addresses of suspected malicious activities (e.g., email spam) not only provides us with more confidence in classifying such malicious activities, but also allows us to associate multiple instances of such activities from the same dynamic address block over time to better track the origins of attackers. Within a campus or enterprise network, dynamic addresses are typically assigned to mobile devices (e.g., laptops) which tend to roam and be used in unprotected networks (e.g., the wireless hotspot in a coffee shop or at home), and thus are more likely to get infected with malware. Hence, knowledge of such address blocks can assist network operators and security analysts of a campus or enterprise network in focusing additional scrutiny on suspicious activities on these blocks, detecting and preventing attacks from inside (compromised) hosts. For the purpose of profiling the activities and behavior of hosts within a network [6, 7], knowledge of dynamic and static addresses is also important in building and associating behavior models to appropriate hosts for anomaly detection and behavior tracking.

Information regarding whether an IP address is dynamic or not may not be readily available, even for those within one’s own network. This is particularly true for large networks with decentralized management, where large blocks of addresses are allocated and delegated to sub-organizations which control and manage how these addresses are assigned and utilized. While it is possible to infer whether an IP address is dynamic or static by its DNS name, such an approach may not always be feasible or accurate, for a variety of reasons. Not all IP addresses have DNS names assigned or registered. Furthermore, from the DNS name it may not be completely clear whether an IP address is dynamic or static. In addition, DNS records are not always kept up-to-date. Hence, alternative methods for accurately classifying IP addresses, in particular for identifying dynamic IP addresses, are needed.

In this paper, we investigate the feasibility of classifying IP addresses based on “usage patterns” or “traffic activities” on a large campus network. More specifically, we consider the following problem setting. Suppose that at a certain vantage point (e.g., a border router of a campus network), we can passively observe – and if necessary, inject active probes into – traffic coming into or going out of a particular address block (of an appropriate size, say, /24 or /28). Is it possible to infer and classify the said address block as dynamic or static based solely on such observations? Here, in accordance with common practice, we assume that the addresses within the whole contiguous block, typically of size 2^k for some (relatively) small k, e.g., k = 3, 4, . . . , 8, are assigned as dynamic (i.e., allocated to hosts via DHCP with a limited lease time) or static (i.e., allocated to hosts “permanently”). To answer this question, we extract and analyze the traffic activities of dynamic and static address blocks of a large campus network with a diversified user population and usage patterns, utilizing month-long netflow data collected at the campus border router.

As the basis for our study, we first perform an exhaustive DNS look-up to extract the registered DNS name, if available, of each IP address of a class B address block within the campus network. We develop a simple name-based heuristic to classify individual IP addresses into four groups: Dynamic and Static, as well as NoName, which contains IP addresses with no registered DNS names, and Undecided, which contains those IP addresses we cannot classify with high confidence as static or dynamic based on their
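As an added example (not code from the paper), the following sketch carries out the name-based grouping described above and then rolls the per-address labels up to the contiguous 2^k blocks the problem setting assumes. The keyword patterns, the /28 block size, the 0.6 confidence threshold and the sample PTR names are all constructed assumptions, not the authors' actual heuristic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample PTR look-ups (None = no registered name, the "NoName" group).
SAMPLE_PTR = {
    "10.0.0.1": "router1.example.edu",
    "10.0.0.2": "mail.example.edu",
    "10.0.0.3": None,
    "10.0.0.17": "dhcp-10-0-0-17.example.edu",
    "10.0.0.18": "dhcp-10-0-0-18.example.edu",
    "10.0.0.19": "pool-19.wireless.example.edu",
    "10.0.0.20": None,
    "10.0.0.21": "host21.example.edu",
}

# Hypothetical keyword patterns; the paper's own heuristic is not given on this page.
DYNAMIC_PAT = re.compile(r"dhcp|dyn|pool|wireless|ppp", re.I)
STATIC_PAT = re.compile(r"router|mail|www|dns|server|printer", re.I)

def classify_name(name):
    """Map one DNS name to Dynamic / Static / NoName / Undecided."""
    if not name:
        return "NoName"
    dyn, sta = bool(DYNAMIC_PAT.search(name)), bool(STATIC_PAT.search(name))
    if dyn != sta:                      # exactly one family of keywords matched
        return "Dynamic" if dyn else "Static"
    return "Undecided"                  # neither, or conflicting, evidence

def classify_blocks(ptr_map, prefix_len=28, min_confidence=0.6):
    """Label each 2^(32-prefix_len) block: Dynamic or Static when that label
    covers at least min_confidence of the block's named addresses, otherwise
    Undecided (NoName when no address in the block has a name at all)."""
    by_block = {}
    for ip, name in ptr_map.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        by_block.setdefault(net, Counter())[classify_name(name)] += 1
    labels = {}
    for net, counts in by_block.items():
        named = counts["Dynamic"] + counts["Static"] + counts["Undecided"]
        if named == 0:
            labels[net] = "NoName"
        elif counts["Dynamic"] / named >= min_confidence:
            labels[net] = "Dynamic"
        elif counts["Static"] / named >= min_confidence:
            labels[net] = "Static"
        else:
            labels[net] = "Undecided"
    return labels
```

Running `classify_blocks(SAMPLE_PTR)` labels 10.0.0.0/28 as Static and 10.0.0.16/28 as Dynamic; the NoName and Undecided addresses are counted but never vote for either side.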
Number of pages: 12.