Dynamic IP Identification ?

To the best of our knowledge, we are the first to develop a framework to automatically detect dynamic IP addresses on a global scale and simultaneously understand the associated IP volatility. In all prior work, enumerations of dynamic IP addresses have been maintained by hand . Some dynamic IP addresses can be deduced by examining the Reverse DNS (rDNS) and Whois databases.

A rDNS record maps an IP address into a host name, providing a way to infer its address properties. For example, the rDNS record for 157.57.215.19  corresponds to the DNS name adsl-dc-305f5.adsl.wanadoo.nl, indicating that the IP address is used for an Asymmetric Digital Subscriber Line (adsl) in the Netherlands (nl). Despite the existence of DNS naming conventions and recent proposals on standardizing DNS name assignment schemes, not all domains follow the naming rules. In fact, many IP addresses do not have rDNS records: it is reported that only 50 to 60% of IP addresses have associated rDNS records Certain enterprises maintain Dialup User Lists (DULs) of suspected dynamic IP addresses, largely to support efforts to aid in spam filtering.

Dynablock provides the most well known and widely used DUL. It not only contains dialup IPs, but also other dynamic IPs such as DSL and cable user IP ranges. As of January 2007, the list contains over 192 million dynamic IP addresses. Manually maintaining such a large list requires enormous effort and resources. Moreover, updating dynamic IP addresses relies on the reporting of system administrators. With Internet topology and IP address assignments changing rapidly, Dynablock can be expected to contain increasingly obsolete information and miss newly configured dynamic IPs. In Section 5.3, we show that our automatic method identifies over 50 million dynamic IP addresses that are not covered by Dynablock. While there are no existing approaches that automatically identify dynamic IP addresses, there has been significant amount of prior work on finding the topological and geographical properties associated with an IP address. Krishnamurthy et al. have proposed to clusterWeb clients that are topologically close together using BGP routing table prefix information. Padmanabhan et al. Have proposed several methods to obtain geographic locations of IP prefixes. Freedman et al. further extended to provide even more fine grained geographic location information. Recently, Casado and Freedman proposed to identify NAT and proxies by passively collecting client information using activeWeb content such as Javascript. Our technique is complementary to these efforts by focusing on the dynamic nature of IP addresses, and it does not require actively probing client machines.