Home / Blogs

How Frequently Do Botnets Reuse IP Addresses?

Terry Zink

I wonder how much botnets reuse IP addresses. Do they infect a system and spam, get blocked, discard the IP and move onto the next (new) one? This means that they have a nearly unlimited supply of IP addresses. Or do they infect a system and spam, get blocked, and then let it go dormant only to awaken it some time later?

I decided to take a look. To do this, I made a list of all the IPs that sent us mail that I could identify as part of a botnet (excluding unknown ones) since July 2011, a time span of 7.5 months. I then took all of the IPs that sent us mail today (or rather, the past 24 hours), and ran them against this list. The IPs that were on the botnet list were eventually blocked as spam. If IPs that sent us mail today appear on this list of botnet IPs, that means that botnets do reuse their IPs.

The question is what is the average time displacement of time-to-block vs time-to-resurrect, and do some bots do it more than others? Here are the results:

Top 10 Botnets that Reuse IP addresses

  1. cutwail [14.5]
  2. darkmailer [7.3]
  3. maazben [4.0]
  4. asprox [3.2]
  5. sendsafe [2.4]
  6. lethic [2.3]
  7. grum [1.7]
  8. fivetoone [1.2]
  9. festi [1.0]
  10. spamsalot [1.0]

The numbers in square brackets are relative values compared to the lowest one. This means that if spamsalot reused 20 distinct IP addresses, then cutwail reused 14.5 x 20 = 290 distinct IPs. Or, to put it another way, an IP that sent us mail today was also used by cutwail once in the past 7.5 months. By contrast, 14.5 IPs that sent us mail today were used cutwail in the past 7.5 months.

In other words, cutwail reuses its IPs much more than any other botnet.

Digging deeper, and explaining it better because the above paragraph makes no sense, I took a look at where the biggest amount of reuse occurred. Of all the IPs that sent us mail today, that at one time sent mail for cutwail, 28% of them were on Oct 27. The next largest value, Dec 17, only comprises 3%. Thus, for cutwail, there is a lag of around 3.5 months before it tries to reuse the same IPs. Asprox shows a similar reuse pattern for Oct 27.

Thus, while botnets do reuse IPs to send spam after they have been blocked, they don't do it a lot. Of the ones that do resend, they don't use very many of them again.

Clearly, spammers know when they have been blocked and keep bringing up new troops.

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Malware, Spam

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

Interesting analysis John Levine  –  Feb 13, 2012 10:02 AM PDT

Did you look and see whether listings on botnet BLs, notably the CBL, affect botnet reuse? I've always assumed that botnets look and see where they're blocked, so they can sell "fresh" bots for more money, but never had enough data to check.

CBL Terry Zink  –  Feb 13, 2012 10:23 AM PDT

My data mapping of IPs does come from the CBL.

I haven't managed to do a fuller analysis yet because the CBL data is extremely large.  But that would be interesting.

We lose data of IPs once they end up on a blocklist.  One day we'll get it and I'll be able to do an analysis but my initial guess is that the patterns would be similar to the above.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum