DOI: 10.1145/3419394.3423657
research-article

Quantifying the Impact of Blocklisting in the Age of Address Reuse

Published: 27 October 2020

Abstract

Blocklists, consisting of known malicious IP addresses, can be used as a simple method to block malicious traffic. However, blocklists can potentially lead to unjust blocking of legitimate users due to IP address reuse, where more users could be blocked than intended. IP addresses can be reused either at the same time (Network Address Translation) or over time (dynamic addressing). We propose two new techniques to identify reused addresses. We build a crawler using the BitTorrent Distributed Hash Table to detect NATed addresses and use the RIPE Atlas measurement logs to detect dynamically allocated address spaces. We then analyze 151 publicly available IPv4 blocklists to show the implications of reused addresses and find that 53-60% of blocklists contain reused addresses, with about 30.6K-45.1K listings of reused addresses. We also find that reused addresses can potentially affect as many as 78 legitimate users for as many as 44 days.

Supplementary Material

MP4 File (imc2020-407-long.mp4)
MP4 File (imc2020-407-short.mp4)
These videos describe the techniques used in the paper to detect reused addresses. The video also covers the analysis of reused addresses in blocklists.

      Published In

      IMC '20: Proceedings of the ACM Internet Measurement Conference
      October 2020
      751 pages
      ISBN: 9781450381383
      DOI: 10.1145/3419394

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. IP address reuse
      2. blocklists
      3. unjust blocking

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      IMC '20
      IMC '20: ACM Internet Measurement Conference
      October 27 - 29, 2020
      Virtual Event, USA

      Acceptance Rates

      IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
      Overall Acceptance Rate 277 of 1,083 submissions, 26%

      Article Metrics

      • Downloads (Last 12 months): 40
      • Downloads (Last 6 weeks): 5
      Reflects downloads up to 06 Oct 2024

      Cited By

      • (2024) Unraveling Decentralized Data Storage: A Comparative Analysis of IPFS and BitTorrent Networks. 2024 2nd International Conference on Electrical Engineering and Automatic Control (ICEEAC). 10.1109/ICEEAC61226.2024.10576564 (1-6). Online publication date: 12-May-2024
      • (2024) Cloud computing security: a taxonomy, threat detection and mitigation techniques. International Journal of Computers and Applications. 10.1080/1206212X.2024.2319937 (1-14). Online publication date: 26-Feb-2024
      • (2023) Encrypted traffic classification: the QUIC case. 2023 7th Network Traffic Measurement and Analysis Conference (TMA). 10.23919/TMA58422.2023.10199052 (1-10). Online publication date: 26-Jun-2023
      • (2023) AfterImage: Evading Traditional Indicator of Compromise (IOC) Blocking. 2023 IEEE International Conference on Service Operations and Logistics, and Informatics (SOLI). 10.1109/SOLI60636.2023.10425081 (1-6). Online publication date: 11-Dec-2023
      • (2022) FlowDNS. Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies. 10.1145/3555050.3569135 (187-195). Online publication date: 30-Nov-2022
      • (2022) How to build socio-organizational information from remote IP addresses to enrich security analysis? 2022 IEEE 47th Conference on Local Computer Networks (LCN). 10.1109/LCN53696.2022.9843570 (287-290). Online publication date: 26-Sep-2022
      • (2022) IPFS and Friends: A Qualitative Comparison of Next Generation Peer-to-Peer Data Networks. IEEE Communications Surveys & Tutorials 24:1. 10.1109/COMST.2022.3143147 (31-52). Online publication date: Sep-2023
      • (2021) Towards identifying networks with internet clients using public data. Proceedings of the 21st ACM Internet Measurement Conference. 10.1145/3487552.3487844 (753-762). Online publication date: 2-Nov-2021
      • (2021) Warmonger: Inflicting Denial-of-Service via Serverless Functions in the Cloud. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 10.1145/3460120.3485372 (955-969). Online publication date: 12-Nov-2021
      • (2021) Blocklist Babel: On the Transparency and Dynamics of Open Source Blocklisting. IEEE Transactions on Network and Service Management 18:2. 10.1109/TNSM.2021.3075552 (1334-1349). Online publication date: Jun-2021
