Uncovering IP Address Hosting Types Behind Malicious Websites
This work addresses the challenge for cybersecurity professionals in blocking malicious domains more effectively by distinguishing IP hosting types, but it appears incremental as it builds on existing knowledge of malicious hosting practices.
The paper tackles the problem of identifying whether IP addresses hosting malicious domains are dedicated or shared, enabling targeted blacklisting or provider cleanup to combat malicious websites. It provides a method to classify IP hosting types, though no concrete numbers on performance or impact are given in the abstract.
Hundreds of thousands of malicious domains are created everyday. These malicious domains are hosted on a wide variety of network infrastructures. Traditionally, attackers utilize bullet proof hosting services (e.g. MaxiDed, Cyber Bunker) to take advantage of relatively lenient policies on what content they can host. However, these IP ranges are increasingly being blocked or the services are taken down by law enforcement. Hence, attackers are moving towards utilizing IPs from regular hosting providers while staying under the radar of these hosting providers. There are several practical advantages of accurately knowing the type of IP used to host malicious domains. If the IP is a dedicated IP (i.e. it is leased to a single entity), one may blacklist the IP to block domains hosted on those IPs as welll as use as a way to identify other malicious domains hosted the same IP. If the IP is a shared hosting IP, hosting providers may take measures to clean up such domains and maintain a high reputation for their users.