Patterns of Use and Abuse with IP Addresses

Saturday, July 10, 2010

Nathaniel Markowitz


This is the second in series of articles derived from the a graduate research project entitled "A Preliminary Survey of the Bulletproof Hosting Landscape." (Part 1: Bullet Proof Hosting: A Theoretical Model)

Authors: Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams

As with registrars, trends emerged in the abuse of IP addresses. It is not uncommon for legitimate domains to share IPs. This practice seems even more common for illegitimate domains.

In fact, several registrars registered domains (sometimes hundreds in a few days) that shared the same IP. Often, as was noted above, these domains also displayed identical content.

Thus, there was a relatively small distribution of IPs responsible for thousands of scam domains.

Legitimate registrars did not seem to have the same degree of IP overlap. Moreover, the Internet service providers (ISPs) hosting domains that were registered by seemingly legitimate companies were much more geographically distributed than their illegitimate counterparts.

Most of the malicious ISPs are located in China and Russia.

There was a consistent pattern such that if one scam domain was associated with a given IP, most if not all of the other domains associated with that IP were malicious. There were instances of legitimate domains using IPs that were also associated with these malicious domains—though this was definitely a minority occurrence.

Another interesting pattern was that the domains that were resolved to a given IP were often registered by the same handful of companies that had already been identified as moderately or heavily abused.

Research on registrars yielded a large number of domains associated with a handful of IPs. Further research into these IPs led to the discovery of many more domains also often associated with the same group of registrars.

Also important, domains often were not associated with a single IP for very long. Frequently, they migrated around a small subset of IPs. In many instances, domains were moved to an IP that had previously been associated with malicious domains.

Over the course of this research, the same IPs kept recurring rather frequently. The activities surrounding IPs describe an alternative form of BP hosting.

The traditional understanding is that such a host will refuse to take down domains, no matter what. The process of registering massive numbers of domains and assigning them to a single IP, and then shuffling those domains around a handful of other IPs (often utilizing the same NS infrastructure) allows operators to ensure that their content remains up while being indifferent to the status of particular domains.

This also adds a level of complexity for those who would seek to stop such activities, as a variety of organizations are involved and it is often difficult to determine which are participating in criminal activities deliberately.

It may not be enough to simply identify a criminal host and seek to shut it down without also addressing this general pattern of abuse.

For more information:


We would like to thank the University of Pittsburgh, Graduate School of Public and International Affairs for providing the resources to make this research project possible. We would also like to thank Palantir Technologies for allowing us to use their software in our analysis. Finally, a very special thanks goes to Matt Ziemniak and Jim Beiber for their patience, help and guidance and for creating a research environment that was both enriching and enjoyable.


Possibly Related Articles:
scams Enterprise Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.