Yinglian Xie, Fang Yu, and Martin Abadi
August 2009
Today’s Internet is open and anonymous. While it permits free
traffic from any host, attackers that generate malicious traffic cannot
typically be held accountable. In this paper, we present a system
called HostTracker that tracks dynamic bindings between hosts
and IP addresses by leveraging application-level data with unreliable
IDs. Using a month-long user login trace from a large email
provider, we show that HostTracker can attribute most of the activities
reliably to the responsible hosts, despite the existence of dynamic
IP addresses, proxies, and NATs. With this information, we
are able to analyze the host population, to conduct forensic analysis,
and also to blacklist malicious hosts dynamically.
In: ACM SIGCOMM
Type: Proceedings