The emergence of the Internet, a network of distributed computers and computerized devices, has made a significant contribution to the advancement of modern society, with a profound impact on nearly every aspect of modern living. The unprecedented speed, versatility and capacity with which information can be communicated and disseminated over the Internet have revolutionized the business and practice of numerous industries, and enabled the rise of entirely new fields of commerce.
Unfortunately, these same features of the Internet have also supplied the impetus for new breeds of malicious and/or immoral behavior and crimes, and enabled the criminals responsible for them. These criminals are becoming increasingly sophisticated at using the Internet infrastructure to attack web services, and are able to harm other users of the Internet through malicious activity such as denial of service (“DoS”) attacks, spamming, transmitting malware (e.g., spyware, adware, trojan horses, worms), or defrauding users with phishing scams. Of particular concern is the growing use of “botnets,” which greatly increase the capacity for illicit behavior.
The term “botnet” generally refers to a collection of compromised computers (called “zombie computers”) that host running malicious software (“malware”) under a common command and control infrastructure. A botnet generally proliferates over a network autonomously and automatically, and the botnet's originator can control the group remotely, typically for nefarious purposes. The future looks even bleaker with the recent advent of Storm Worm, a trojan horse that tirelessly infects new computers, effectively building a huge collection of hosts under the control of a single group. The resulting botnet can be directed against any network of the controller's choosing, for example to overwhelm it with traffic. These days, bot controllers are in a very powerful position, and it is imperative that measures are taken to stop them.
Amassing IP intelligence is essential to current security applications, as it is estimated that between 10 and 100 million computers connected to the Internet are infected and part of botnets. One key method for combating botnets (and malicious activity generally) is to identify Internet Protocol (“IP”) addresses or machines that are owned by or under the influence of these criminals and proactively prevent them from causing damage. Unfortunately, the Internet is extremely dynamic, and sophisticated criminals are able to work around such protective measures. In fact, this dynamism is constantly exploited by botnets, whose bots repeatedly relocate within an IP address space (i.e., the same compromised computer appears under a succession of different IP addresses) without actually migrating to another computer.
One of the most difficult features to address is that many bots reside on computers with dynamic IP addresses, which allows the bots to escape many IP-address-based mitigations, because the IP address a bot uses can change every few days (or even more frequently). For example, a home computer may be connected to the Internet through an Internet service provider (“ISP”) that assigns dynamic IP addresses. Every time the user reconnects, the user may be given a new IP address from a predetermined (generally large) pool of available addresses, and the new address may even come from a completely different subnet. Malicious activity can be tracked to a specific IP address, and certain curative and preventative measures can be taken against that address. However, such mitigations can also have unintended consequences for innocent Internet users, especially when a measure is taken against an IP address after the bot has already changed its address (i.e., through a subsequent reconnection): the measure then falls on whichever innocent user is next assigned the old address, while the bot continues operating from a new one.
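The following simulation is an added example and is not part of the original text; it replays the failure mode just described with a constructed two-address ISP pool (addresses from the 203.0.113.0/24 documentation range), a bot, and two innocent users. The pool model (first freed address is handed out first), the host names, and the `block_ttl` parameter are assumptions made for illustration. It shows that a block keyed on the IP address alone both misses the bot after it reconnects and lands on the innocent user who inherits the bot's old address, and that bounding the block's lifetime below the reassignment interval removes the collateral damage without recovering the bot.

```python
# Constructed simulation (added example, not from the original text) of how
# dynamic IP reassignment turns an IP-keyed block into collateral damage.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DynamicPool:
    """Toy ISP address pool (assumed model): a host receives an address when it
    connects, the address returns to the pool on disconnect, and the next host
    to connect may receive it (least recently freed address first)."""
    free: list
    leases: dict = field(default_factory=dict)  # ip -> host name

    def connect(self, host: str) -> str:
        ip = self.free.pop(0)
        self.leases[ip] = host
        return ip

    def disconnect(self, host: str) -> None:
        ip = next(addr for addr, h in self.leases.items() if h == host)
        del self.leases[ip]
        self.free.append(ip)


@dataclass
class IpBlocklist:
    """Mitigation keyed on the IP address alone. block_ttl=None means a
    permanent entry; otherwise an entry expires block_ttl seconds after it
    was added (hypothetical parameter, not from the text)."""
    block_ttl: Optional[int]
    entries: dict = field(default_factory=dict)  # ip -> time added (seconds)

    def block(self, ip: str, now: int) -> None:
        self.entries[ip] = now

    def is_blocked(self, ip: str, now: int) -> bool:
        added = self.entries.get(ip)
        if added is None:
            return False
        return self.block_ttl is None or now - added < self.block_ttl


def run_scenario(block_ttl: Optional[int], reconnect_after: int = 3600) -> dict:
    """Replay the dynamic-IP failure mode. Times are in seconds; the pool has
    two addresses so the reassignment is visible in a single reconnection."""
    pool = DynamicPool(free=["203.0.113.10", "203.0.113.11"])
    blocklist = IpBlocklist(block_ttl)

    # t=0: the bot and an innocent user connect; the bot is observed misbehaving
    # and the reactive, IP-based measure is applied to its current address.
    bot_ip = pool.connect("bot")          # 203.0.113.10
    pool.connect("innocent-a")            # 203.0.113.11
    blocklist.block(bot_ip, now=0)

    # t=reconnect_after: both disconnect. A different innocent user connects
    # and is handed the bot's old address; the bot reconnects and is handed
    # the other one.
    now = reconnect_after
    pool.disconnect("bot")
    pool.disconnect("innocent-a")
    victim_ip = pool.connect("innocent-b")   # 203.0.113.10 (freed first)
    new_bot_ip = pool.connect("bot")         # 203.0.113.11

    return {
        "victim_ip": victim_ip,
        "new_bot_ip": new_bot_ip,
        "innocent_blocked": blocklist.is_blocked(victim_ip, now),
        "bot_blocked": blocklist.is_blocked(new_bot_ip, now),
    }


if __name__ == "__main__":
    for ttl in (None, 1800, 7200):
        print(f"block_ttl={ttl}: {run_scenario(ttl)}")
```

With a permanent entry (`block_ttl=None`) the innocent user who inherits 203.0.113.10 is blocked and the bot, now on 203.0.113.11, is not; with `block_ttl=1800` (shorter than the one-hour reassignment) the innocent user is spared, but the bot has still escaped, which is the trade-off the passage describes: an IP address alone is a short-lived identifier for a compromised machine.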