Identifying Dynamic IP Address Blocks Serendipitously Through Background Scanning Traffic

Today's Internet contains a large portion of "Dynamic" IP addresses, which are assigned to clients upon request. A significant amount of malicious activities have been reported from dynamic IP space, such as spamming, botnets, etc. Accurate identification of dynamic IP addresses will help them build blacklists of suspicious hosts with more confidence, and help track the sources of different types of anomalous activities. This paper contrast traffic activity patterns between static and dynamic IP addresses in a large campus network, as well as their activity patterns when countering outside scanning traffic.