Quantifying autonomous system IP churn using attack traffic of botnets

H. Griffioen, C. Doerr
Published in: Proceedings of the 15th International Conference on Availability, Reliability and Security, 2020-08-25
DOI: 10.1145/3407023.3407051 (https://doi.org/10.1145/3407023.3407051)
Citation count: 6

Abstract

To connect to the Internet, hosts are assigned an IP address by their network provider by which they exchange data. As such, IP addresses are frequently used as a proxy metric to count the number of hosts on a network, or to quantify particular phenomena such as the size of botnets or the infection statistics of malware. Although a single host is typically linked to a single IP address at a given moment, this relationship is frequently not stable over time due to IP churn. As network operators dynamically assign IP addresses to clients for a specific lease duration, after expiry of this lease a host obtains a new IP address, thereby leading to overestimations of active host counts or malware infections. In this paper, we present a novel method to detect and quantify IP churn in autonomous systems on the Internet by exploiting a weakness in the packet generation algorithm and random number generation of the Mirai IoT malware. These design shortcomings allow us to re-identify the same IoT infection when the host resurfaces on the Internet with a different IP address with very high confidence, and thereby characterize how IP addresses in provider netblocks churn over time. As Mirai is widespread with hundreds of thousands of infected devices worldwide and uses the faulty RNG output to actively scan the Internet, our method enables worldwide measurements of IP churn to be done efficiently and completely passively.