Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
Detecting Dynamic IP Addresses and Cloud Blocks Using the Sequential Characteristics of PTR Records
Tomofumi Nakamori, Daiki Chiba, Mitsuaki Akiyama, Shigeki Goto

2019 Volume 27 Pages 525-535

Abstract

Malware-infected hosts are used to conduct many types of cyberattacks. Most such hosts are end-user devices such as PCs, mobile devices and Internet of Things (IoT) devices, and the IP addresses of most end users are dynamic addresses allocated by Internet service providers (ISPs). Some countermeasures against cyberattacks use IP addresses as unique indicators of infected hosts. However, depending on the configuration and policies of the particular ISP, the same dynamic IP address is not always reallocated to the same host, so an IP address alone does not reliably identify an infected host over time. Accurate detection of dynamic IP address blocks is therefore necessary to take appropriate countermeasures against cyberattacks. Furthermore, attacks from hosts in cloud blocks have been observed, where a cloud block is defined as an IP address block used by a cloud service. Cloud service administrators can take countermeasures against such attacks, such as restricting suspicious traffic and disabling the accounts of suspicious users, so detecting cloud blocks is also important for choosing the appropriate countermeasure. Conventional methods detect dynamic IP address blocks by matching the PTR record of the target IP address against predefined keywords that indicate dynamic allocation. However, these keywords do not always appear in the PTR records of dynamic IP addresses, and conversely they can also falsely match the PTR records of non-dynamic IP addresses. In this study, we propose a new method that detects dynamic IP address blocks more accurately and with greater coverage than conventional methods. Our method focuses on a unique feature of dynamic IP addresses, namely that the PTR records of a dynamic IP address block are configured sequentially by network administrators. For cloud block detection, our method uses a unique feature of cloud blocks, namely that the users of a cloud service can manually configure the PTR records of the hosts in the cloud block. The performance of our method was validated through evaluation using real and manually labeled data. Through validation using real traffic data collected in a large-scale darknet, we also found that many hosts with the dynamic IP addresses detected by our method send malicious traffic.
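The following script is an added illustration of the two PTR-record features the abstract relies on, written for this page; it is not the authors' implementation and should not be read as their algorithm. It abstracts the address octets out of each PTR name so that sequentially configured names collapse to one shared template, and treats a block whose PTR names carry many different registered domains as a candidate cloud block with tenant-set records. The keyword list, the thresholds, the naive registered-domain extraction and the three sample blocks (RFC 5737 documentation addresses) are assumptions constructed for the example.

```python
"""Classify a reverse-DNS block by the shape of its PTR records.

Added illustration for the abstract above; NOT the authors' implementation.
Keyword list, thresholds and sample blocks are constructed assumptions.
"""
import re
from collections import Counter

# Assumed keyword list of the conventional (keyword-matching) approach.
DYNAMIC_KEYWORDS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable")
MIN_RECORDS = 5        # do not judge a block from fewer PTR records than this (assumption)
SEQ_THRESHOLD = 0.8    # share of PTRs that must share one address-derived template (assumption)
CLOUD_THRESHOLD = 0.5  # distinct registered domains per PTR suggesting tenant-set names (assumption)


def keyword_match(ptr):
    """Conventional check: does the PTR name contain a dynamic-allocation keyword?"""
    return any(k in ptr.lower() for k in DYNAMIC_KEYWORDS)


def _substitute(order, name):
    """Replace digit runs in name that equal the address octets, consumed in the
    given order (list of (octet_number, value)), by placeholders such as {o4}.
    Returns (template, number_of_octets_matched)."""
    out, pos, i, hits = [], 0, 0, 0
    for m in re.finditer(r"\d+", name):
        out.append(name[pos:m.start()])
        run = int(m.group())  # int() also absorbs zero padding such as 007
        j = next((k for k in range(i, len(order)) if int(order[k][1]) == run), None)
        if j is None:
            out.append(m.group())  # digits unrelated to the address stay literal
        else:
            out.append("{o%d}" % order[j][0])
            i, hits = j + 1, hits + 1
        pos = m.end()
    out.append(name[pos:])
    return "".join(out), hits


def ptr_template(ip, ptr):
    """Template of a PTR name with the address octets abstracted away, e.g.
    'p203-0-113-7.customer.isp.example' for 203.0.113.7 becomes
    'p{o1}-{o2}-{o3}-{o4}.customer.isp.example'. Both octet orders are tried
    because some ISPs write the address reversed. Hex-encoded addresses are
    not handled (a known limitation of this example)."""
    forward = list(enumerate(ip.split("."), start=1))
    candidates = [_substitute(order, ptr.lower()) for order in (forward, forward[::-1])]
    return max(candidates, key=lambda c: c[1])[0]


def registered_domain(ptr):
    """Last two labels of the name. Naive: no public-suffix list (assumption)."""
    return ".".join(ptr.lower().rstrip(".").split(".")[-2:])


def classify_block(records):
    """records: list of (ip, ptr) for the hosts of one address block; ptr is None
    when the address has no PTR record. Returns ('dynamic', template) when most
    PTRs collapse to one template embedding the host octet (sequentially
    configured names), ('cloud', n_domains) when PTRs exist but carry many
    different registered domains (tenant-set names), else ('other', None)."""
    with_ptr = [(ip, p) for ip, p in records if p]
    if len(with_ptr) < MIN_RECORDS:
        return ("other", None)
    templates = Counter(ptr_template(ip, p) for ip, p in with_ptr)
    template, count = templates.most_common(1)[0]
    if "{o4}" in template and count / len(with_ptr) >= SEQ_THRESHOLD:
        return ("dynamic", template)
    domains = {registered_domain(p) for _, p in with_ptr}
    if len(domains) / len(with_ptr) >= CLOUD_THRESHOLD:
        return ("cloud", len(domains))
    return ("other", None)


# --- constructed sample blocks (not real measurements) ---
# ISP block: sequential names without any of the usual keywords, one missing PTR
# and one hand-named exception inside the block.
DYNAMIC_BLOCK = [(f"203.0.113.{h}", f"p203-0-113-{h}.customer.isp.example") for h in range(1, 21)]
DYNAMIC_BLOCK[3] = ("203.0.113.4", None)
DYNAMIC_BLOCK[9] = ("203.0.113.10", "mail.isp.example")
# Cloud block: tenant-set names plus a few provider defaults.
CLOUD_BLOCK = [
    ("198.51.100.1", "mail.alpha.example"), ("198.51.100.2", "www.beta.example"),
    ("198.51.100.3", "vpn.gamma.example"), ("198.51.100.4", "git.delta.example"),
    ("198.51.100.5", "ns1.epsilon.example"), ("198.51.100.6", "shop.zeta.example"),
] + [(f"198.51.100.{h}", f"198-51-100-{h}.static.cloud.example") for h in range(7, 11)]
# Corporate static block whose first host name would trip the keyword check.
STATIC_BLOCK = [
    ("192.0.2.1", "dynamic-dns.corp.example"), ("192.0.2.2", "mail.corp.example"),
    ("192.0.2.3", "www.corp.example"), ("192.0.2.4", "ns1.corp.example"),
    ("192.0.2.5", "vpn.corp.example"),
]

if __name__ == "__main__":
    for name, block in (("isp", DYNAMIC_BLOCK), ("cloud", CLOUD_BLOCK), ("corp", STATIC_BLOCK)):
        hits = sum(keyword_match(p) for _, p in block if p)
        print(f"{name}: {classify_block(block)}  keyword hits: {hits}/{len(block)}")
```

Running it shows the two failure modes of keyword matching that the abstract describes: no host in the ISP block contains a keyword, yet the block is classified as dynamic from its shared template, while `dynamic-dns.corp.example` matches a keyword although its block shows neither sequential nor tenant-set naming. The thresholds are illustrative; a real deployment would tune them on labeled blocks and replace the two-label domain heuristic with a public-suffix list.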

© 2019 by the Information Processing Society of Japan