The Internet, a network of distributed computers and computerized devices, is designed to be open and anonymous. By obtaining an IP (Internet Protocol) address, a host can easily connect to the Internet and freely talk to other hosts without exposing its real identity. This open and anonymous architecture, which enabled the Internet to expand quickly, is also a source of security concerns. Attackers can easily hide their real identities behind IP addresses.
Dynamic IP address assignment poses challenges to the commonly used IP-based approach to detect, blacklist, and block malicious traffic. When an attacker changes its IP address, legitimate activities that subsequently use the old IP address will be misclassified as bad, while malicious activities from the new IP address will slip through. The numerous NAT (network address translation) devices and HTTP (Hypertext Transfer Protocol) proxies also imply that blacklisting can result in denial of service to many legitimate clients that share IP addresses with attackers.
A botnet is a term generally used to refer to a collection of compromised computers (called “zombie computers” or “bots”) which serve as hosts running malicious software (“malware”) under a common command and control infrastructure. Generally, a botnet proliferates over a network autonomously and automatically, and the botnet's originator can control the group remotely, typically for nefarious purposes. The Internet is extremely dynamic, and this dynamism is exploited by botnets, which constantly relocate within an IP address space without actually migrating to another computer.
The transient nature of the attacks and the dynamics of IP address assignment make it difficult to pinpoint the exact compromised host entities as their IP addresses change. Security rests on host accountability, the ability to identify the hosts responsible for traffic, which is typically the basis for punishing misbehavior. It is commonly believed that today's Internet architecture provides no host accountability and that architectural changes are necessary in order to support it.
Host accountability in the Internet has long been a topic of substantial interest. A large body of previous work has focused on providing source accountability to identify the true network origin of traffic. In this area, a few early efforts have proposed solutions to detect stepping stone attacks by packet timing analysis and content analysis. Source address spoofing is also commonly leveraged to hide attacker identities, especially in DoS (denial of service) attacks. Ingress and egress filtering, which have been partially deployed, can prevent source-address spoofing. Other proposed approaches also require changes to the existing routers or the routing infrastructure. Among them, IP-traceback techniques were proposed to determine the source(s) of packets received by storing additional states at routers or marking packets along their paths.
In order to prevent unwanted traffic from a compromised host, blacklists representing hosts by IP address have been widely used in practice. Recent studies have shown that a significant fraction of the Internet IP address space is dynamic and that the number of proxies and NATs is non-trivial. It is difficult to apply blacklists effectively in the presence of dynamic IP addresses, proxies, and NATs.