[dns-operations] "How Dynamic are IP Addresses?" (SIGCOMM, January 2007)

Paul Vixie paul at vix.com
Fri Aug 31 00:19:12 UTC 2007

(thanks to bmanning for sharing this)


Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt (MSR),
Ted Wobber (Microsoft) 


This paper introduces a novel algorithm, UDmap, to identify dynamically
assigned IP addresses and analyze their dynamics pattern. UDmap is fully
automatic, and relies only on application-level server logs. We applied UDmap
to a month-long Hotmail user-login trace and identified a significant number
of dynamic IP addresses -- more than 102 million. This suggests
that the fraction of IP addresses that are dynamic is by no means
negligible. Using this information in combination with a three-month Hotmail
email server log, we were able to establish that 95.6% of mail servers set up
on the dynamic IP addresses in our trace sent out solely spam emails.
Moreover, these mail servers sent out a large amount of spam -- amounting to
42.2% of all spam emails received by Hotmail. These results highlight the
importance of being able to accurately identify dynamic IP addresses for spam
filtering. We expect similar benefits to arise for phishing site
identification and botnet detection. To our knowledge, this is the first
successful attempt to automatically identify and understand IP address

