One of the assumptions that I have long held about botnets is that they grab a compromised computer, spam it like crazy and then abandon it once it lands on an RBL. Eventually, this RBL delists it due to dormant activity, and later on the botnet reawakens and reacquires that IP and spams with it again. In other words, the botnet recycles (or re-uses) its IPs to spam but with sufficient time within spamming cycles that RBLs thinks that they are relatively safe to delist. After all, who wants an RBL that grows without bound?
I don’t have a good way to test this over a longer historical time frame, but I do have a shorter way to test this. Each day, I collect stats on botnets and dump all of the IPs for each botnet into a file in its own subdirectory. I planned to have the script delete the file, but I have discovered that that these files of historical spamming IPs are handy to have around. Incredibly handy, actually.
All I have is a month’s worth of data, but I figured this would be an interesting check. To test this, I went through the 14 botnets that I keep track of and counted all of the total IPs that it is sending spam from. I then did the Linux cat | sort | uniq | wc –l that prints all of the IPs, sorts them, gets the unique entries and counts them up. This gives me a Total Count, a Unique Count, and a % unique. If a botnet has 100 IPs and 98 of them are unique, then it means that the % Uniqueness is 98%. It implies that the spammer uses new originating sources of spam each day, which means that we cannot use the previous day’s spamming IPs to predict where today’s spam will come from. The results are below, the IPs are all normalized against the smallest botnet (waledac) to display the relative size of each botnet sending us spam (note that this is all post-RBL data):
You can see from this above that each botnet almost never re-uses its IPs. Only darkmailer and waledac do it with any consistency, and surprisingly enough, so does rustock. But even then, 5 out of every 6 IPs are IPs that it has not used before (in the previous one month, ie, Feb 5 – March 5).
I then decided to see whether or not there is any overlap between the botnets. Perhaps they are unique amongst themselves, but what about amongst each other? It turns out that there is 86.7% uniqueness amongst them. I would say that the number is this low only because rustock pulls down the average and accounts for so many of the IPs.
Based upon this snapshot of data, I conclude the following:
It seems to me that having the connections blocked once listed by a DNSBL effectively negates the whole report. In fact, I have data that shows IPs are re-used when sending to my spamtraps. Let me know if you would like access to some of that data.
Let's look at your data from a different angle.
Perhaps spammers did reuse spamming IPs, but only darkmailer, waledac, and rustock have comparatively effective ways to avoid being listed in RBL, so you saw them reuse some IPs. The conclusion? RBLs should build better detection for the 3 botnets mentioned above.
Am I missing something? Surely a compromised computer on a ISP IP is dynamically allocated that IP? It sends out a spam run, User shuts down PC. Next time they power up they've a different IP from their ISP.
I know of very few providers that let the end user's computer request the IP. Typically there is a CPE in place that gets the actual non-RFC1918 address and handles the NAT for the computers behind it. I doubt many turn off the CPE because they don't want to wait for it to reconnect when they turn it back on so it should still have the same IP for several days at least.
@Chih-Cherng Chin: That's another possibility, the botnets that appear to reuse spamming IPs may simply be better at avoiding getting listed or identified.
@digitalz: Sure, I'd like to take a look at your data.
We are doing similar work on botnet ip assignments and were interested to know the source of your data and analysis.