كتاب Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic

Identifying Dynamic IP Address Blocks Serendipitously through Background Scanning Traffic Yu Jin, Esam Sharafuddin, Zhi-Li Zhang University of Minnesota ABSTRACT Today’s Internet contains a large portion of “dynamic” IP addresses, which are assigned to clients upon request. A sig- nificant amount of malicious activities have been reported from dynamic IP space, such as spamming, botnets, etc.. Accurate identification of dynamic IP addresses will help us build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. In this paper, we contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic. Based on the distinct character- istics observed, we propose a scanning-based technique for identifying dynamic IP addresses in blocks. We conduct an experiment using a one-month data collected from our cam- pus network, and instead of scanning our own network, we utilize identified outside scanning traffic. The experiment results demonstrate a high classification rate with low false positive rate. As an on-going work, we also introduce our design of an online classifier that identifies dynamic IP ad- dresses in any network in real-time. 1. INTRODUCTION Knowledge of IP address assignments, e.g., whether IP addresses within an address block are dynamically or stat- ically assigned, can provide valuable information and hints in managing and securing one’s network. For instance, on the Internet at large, a significant amount of malicious ac- tivities have been reported (see, e.g., [1–5]) from dynamic IP addresses, such as spamming, botnets, and so forth. Infor- mation regarding the source IP addresses of suspected mali- cious activities (e.g., email spam) not only provides us with more confidence in classifying such malicious activities, but also allows us to associate multiple instances of such activi- ties from the same dynamic address block over time to better track the origins of attackers. Within a campus or enterprise network, dynamic addresses are typically assigned to mobile devices (e.g., laptops) which tend to roam and be used in unprotected networks (e.g., the wireless hotspot in a coffee shop or at home), thus are more likely to get infected with malware. Hence, knowledge of such address blocks can assist network operators/security analysts of a campus/enterprise network in focusing additional scrutiny to suspicious activ- ities on these blocks, detecting and preventing attacks from inside (compromised) hosts. For the purpose of profiling the activities and behavior of hosts within a network [6, 7], knowledge of dynamic and static addresses is also important in building and associating behavior models to appropriate hosts for anomaly detection and behavior tracking. Information regarding whether an IP address is dynamic or not may not be readily available, even for those within one’s own network. This is particularly true for large net- works with decentralized management, where large blocks of addresses are allocated and delegated to sub-organizations which control and manage how these addresses are assigned and utilized. While it is possible to infer whether an IP address is dynamic or static by its DNS name, such an ap- proach may not always be feasible nor accurate for a variety of reasons. Not all IP addresses have DNS names assigned or registered. Furthermore, from the DNS name, it may not be completely clear whether an IP address is dynamic or static. In addition, DNS records are not always kept up-to- date. Hence, alternative methods for accurately classifying IP addresses, in particular for identifying dynamic IP ad- dresses, are needed. In this paper, we investigate the feasibility of classifying IP addresses based on “usage patterns” or “traffic activities” on a large campus network. More specifically, we consider the following problem setting. Suppose that at a certain vantage (e.g., a border router of a campus network), we can passively observe – and if necessary, inject active probes – traffic coming into or going out of a particular address block (of an appropriate size, say, /24 or /28). Is it possi- ble to infer and classify the said address block as dynamic or static based solely on such observations? Here, in ac- cordance within common practice, we assume that the ad- dresses within the whole contiguous block, typically in size of 2k, for some (relatively) small k, e.g., k = 3, 4, . . . , 8, are assigned as dynamic (i.e., allocated to hosts via DHCP with a limited lease time), or static (i.e., allocated to hosts “permanently”). To answer this question, we extract and analyze the traffic activities of dynamic and static address blocks of a large campus network with diversified user pop- ulation and usage patterns, utilizing a month-long netflow data collected at the campus border router. As the basis for our study, we first perform an exhaustive DNS look-up to extract the registered DNS name, if avail- able, of each IP address of a class B address block within the campus network. We develop a simple name-based heuristic to classify individual IP addresses into four groups, Dynamic and Static, as well as NoName which contains IP addresses with no registered DNS names, and Undecided which con- tains those IP addresses we cannot classify with high con- fidence whether they are static or dynamic based on their
-
من كتب الهندسة - مكتبة كتب الهندسة والتكنولوجيا.