How dynamic are IP addresses

2008

We carried out an entropy study on the DNS query traffic from the outside for a university campus network to the top domain DNS server in a university through April 1st, 2007 to July 31st, 2008. The following interesting results are given: (1) The random spam bots have been still alive and/or active in the campus network because we can observe that the unique source IP addresses-based DNS traffic entropy increases as well as the unique DNS query keywords-based one decreases frequently. (2) We have also observed a lot of the reverse name resolution access from the specific site on the campus IP address range. Therefore, it can be concluded that in the campus network, the random spam bots are still active and the campus network is also targeted by the attackers.

IEEE Communications Surveys & Tutorials, 2018

Despite the ubiquitous role of domain name system (DNS) in sustaining the operations of various Internet services (domain name to IP address resolution, email, Web), DNS was abused/misused to perform large-scale attacks that affected millions of Internet users. To detect and prevent threats associated to DNS, researchers introduced passive DNS replication and analysis as an effective alternative approach for analyzing live DNS traffic. In this paper, we survey state of the art systems that utilized passive DNS traffic for the purpose of detecting malicious behaviors on the Internet. We highlight the main strengths and weaknesses of the implemented systems through an in-depth analysis of the detection approach, collected data, and detection outcomes. We highlight an incremental implementation pattern in the studied systems with similarities in terms of the used datasets and detection approach. Furthermore, we show that almost all studied systems implemented supervised machine learning (SML), which has its own limitations. In addition, while all surveyed systems required several hours or even days before detecting threats, we illustrate the ability to enhance performance by implementing a system prototype that utilize big data analytics frameworks to detect threats in near real-time. We demonstrate the feasibility of our threat detection prototype through real-life examples, and provide further insights for future work toward analyzing DNS traffic in near real-time.

2009

Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.

Proceedings of the 17th ACM SIGKDD international conference on Knowledge discovery and data mining - KDD '11, 2011

This paper addresses estimating the number of the users of a specific application behind IP addresses (IPs). This problem is central to combating abusive traffic, such as DDoS attacks, ad click fraud and email spam. We share our experience building a general framework at Google for estimating the number of users behind IPs, called hereinafter the sizes of the IPs. The primary goal of this framework is combating abusive traffic without violating the user privacy. The estimation techniques produce statistically sound estimates of sizes relying solely on passively mining aggregated application log data, without probing machines or deploying active content like Java applets. This paper also explores using the estimated sizes to detect and filter abusive traffic. The proposed framework was used to build and deploy an ad click fraud filter at Google. The first 50M clicks tagged by the filter had a significant recall of all tagged clicks, and their false positive rate was below 1.4%. For the sake of comparison, we simulated a naïve IP-based filter that does not consider the sizes of the IPs. To reach a comparable recall, the naïve filter's false positive rate was 37% due to aggressive tagging.

Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures. Recent works focus on recognizing automatically generated domains (AGDs) from DNS traffic, which potentially allows to identify previously unknown AGDs to hinder or disrupt botnets' communication capabilities.

In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses.

Journal of Internet Services and Applications, 2015

Despite the continuous efforts to mitigate spam, the volume of such messages continues to grow and identifying spammers is still a challenge. Spam traffic analysis is an important tool in this context, allowing network administrators to understand the behavior of spammers, both as they obfuscate messages and try to hide inside the network. This work adds to that body of information by analyzing the sources of spam to understand to what extent they explain the traffic observed. Our results show that, in many cases, an Autonomous System (AS) represents an interesting neighborhood to observe, with most ASes falling into four basic types: heavy and light senders, which tend to have many or very few spammer machines respectively, frequent small offenders, where spammer machines appear every now and then but disappear in a short time, and conniving ASes, where most machines do not send spam, but a few are heavy, continuous senders. Not only that, but also by grouping machines based on the campaigns that they send together, we define the notion of SpamBands. Those bands identify groups of machines that are probably controlled by the same spammer, and our findings show that they often span multiple ASes. The identification of AS neighborhood types and SpamBands may simplify the combat against spam, focusing efforts at the sources as a whole, possibly improving blacklists by grouping machines found in a same AS or SpamBands.

2nd International Conference on Dependability of Computer Systems (DepCoS-RELCOMEX '07), 2007

E-mailing as one of the most popular Internet communication service is very prone to spamming, i.e. the process of flooding our mailboxes with unsolicited messages. Every day, separating good messages from those coming from spammers we waste time and resources. It is urgent to find out an effective method of fighting with spam that should take into account not only the currently used spammers' methods but also dynamic aspects of constantly changing spammers' behavior.

2004

Security; and has evoked great interest to the research community. Various classification based and signature based systems have been proposed for filtering spam and detecting viruses that cause spam. However, most of these techniques require content of an email or user profiles, thus involving in high privacy intrusiveness. In this paper, we address the problem of detecting machines that behave as sending spam. Our approach involves very low privacy intrusion as we look at only the border network flow data. We propose two kinds of techniques for detecting anomalous behavior. The first technique is applicable for single instance network flow graph. The second technique involves analyzing the evolving graph structures over a period of time. We have run our experiments on University of Minnesota border network flow. Our results on this real data set show that the techniques applied have been effective and also point to new directions of research in this area.

Proceedings of the 1st Usenix Workshop …, 2008

Understanding the spammer behavior is a critical step in the long-lasting battle against email spams. Previous studies have focused on setting up honeypots or email sinkholes containing destination mailboxes for spam collection. A spam trace collected this way offers the limited viewpoint from a single organizational domain and hence is short of reflecting the global behavior of spammers. In this paper, we present a spam analysis study using sinkholes based on open relays. A relay sinkhole offers a unique vantage point in spam collection: it has the broader view of spam originated from multiple spam origins destined to mailboxes belonging to multiple organizational domains. The trace collected using this methodology opens the door to study spammer behaviors that were difficult to do using spam collected from a single organization. Seeing the aggregate behavior of spammers allows us to systematically separate High-Volume Spammers (HVS, e.g. direct spammers) from Low-Volume Spammers (LVS, e.g. low-volume bots in a botnet). Such a separation in turn gives rise to the notion of "spam campaigns", which reveals how LVS appear to coordinate with each other to share the spamming workload among themselves. A detailed spam campaign analysis holds the promise of finally reverse engineering the workload distribution strategies by the LVS coordinator.