We look into why dynamic addresses change and find ISPs that renumber periodically, most commonly every 24 hours or a multiple of 24 hours. We also find that outages influence address changes.
Both industry and academia often rely on the simplifying assumption that an IP address uniquely identifies an end-host. For example, Wikipedia defends itself against disruption by malicious users by blacklisting IP addresses, and researchers have used IP addresses to count the number of users in peer-to-peer systems and infected machines in botnets. We set out to verify the assumption that even dynamic addresses are reasonably static over the time scales of these measurements or malicious behaviours.
The duration for which a dynamic IP address continues to be assigned to the same customer premises equipment (CPE) device depends upon various causes that can induce the assigned IP address to change. Our approach in this study is to identify the causes and analyse their effect in ISPs around the world using data gathered from thousands of RIPE Atlas probes. In this post, we outline the most important results and show how they would affect an example application—IP address based blacklists.
Only RIPE Atlas has address changes and context
We chose to use RIPE Atlas for this study since it includes measurements that allow us to determine when an IP address change occurred and what the addresses were before and after the change. In addition, it includes many measurements that provide context about what was happening around the time of the address change. We were able to use these measurements to detect when RIPE Atlas probes rebooted and were not sending pings (indicating a power outage) and when their pings were not getting responses (indicating a network outage). In our study of active RIPE Atlas probes in 2015, we found 3,038 RIPE Atlas probes with address changes hosted across 929 ISPs and 156 countries.
Some ISPs change addresses periodically
Prior research reported that a major European DSL provider changed customers' addresses every 24 hours in one suburban area, and anecdotal evidence suggests that such periodic renumbering is more common. We investigated the prevalence of periodic address changes in the RIPE Atlas dataset by analysing ISPs' assigned address durations. To determine whether an ISP consistently renumbers after a specific duration, we look for modes in the cumulative distribution of address durations. However, short address durations would be over-represented in a Cumulative Distribution Function (CDF) of unweighted address durations; thus, we weight each duration by the duration itself and plot the CDF of the weighted address durations. Here is the CDF for the five largest ISPs with address changes in the dataset:
Periodic behaviour varies widely across ISPs: Orange, an ISP from France, appears to change addresses after a duration of 168 hours (1 week) and Deutsche Telekom (DTAG) from Germany reassigns addresses after 24 hours, whereas Liberty Global (LGI) and Verizon do not appear to periodically renumber. In total, we found 20 ISPs around the world that periodically reassign addresses after a fixed period, typically a multiple of 24 hours. These ISPs are concentrated in central Europe, with many (but not all) ISPs in Germany renumbering after 24 hours. We also found some ISPs that renumber periodically in Russia, Kazakhstan, Mauritius, and South America. On the other hand, we did not find any ISPs that renumber consistently in North America in the RIPE Atlas dataset; further, North American ISPs tended to assign addresses for much longer durations. This suggests that IP addresses can be used as end-host identifiers in North America for several weeks. For ISPs that change addresses periodically, we can estimate with high probability the maximum duration they are likely to assign an address to a CPE. IP address based blacklists can use these results to prune addresses from blacklists after a certain duration has elapsed, based upon the ISP to which the address belongs.
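The duration-weighted CDF and mode search described above, as an added example that is not part of the original post or the study's own analysis code. The per-ISP duration lists are constructed sample data, not RIPE Atlas measurements, and the 1-hour bin width and 20% mass threshold are assumptions chosen for the illustration.

```python
from collections import Counter

# Constructed sample: assigned address durations in hours, per ISP (not RIPE Atlas data).
SAMPLE_DURATIONS = {
    "isp-periodic-24h": [24.0, 23.9, 24.1, 24.0, 48.0, 2.5, 0.7, 24.0, 23.8, 1.2],
    "isp-no-period": [3.0, 9.5, 17.0, 30.0, 44.0, 61.0, 75.0, 90.0,
                      100.0, 110.0, 120.0, 131.0],
}


def weighted_cdf(durations):
    """Return (duration, cumulative fraction) points of the CDF in which each
    duration is weighted by itself, so short assignments do not dominate."""
    total = float(sum(durations))
    points, acc = [], 0.0
    for d in sorted(durations):
        acc += d
        points.append((d, acc / total))
    return points


def weighted_mass_by_bin(durations, bin_hours=1.0):
    """Share of the duration-weighted mass falling into each bin (hours)."""
    total = float(sum(durations))
    mass = Counter()
    for d in durations:
        mass[round(d / bin_hours) * bin_hours] += d / total
    return mass


def find_periodic_modes(durations, bin_hours=1.0, min_mass=0.2):
    """Bins carrying at least min_mass of the weighted mass are candidate
    renumbering periods; a periodic ISP shows a sharp step in its weighted CDF."""
    mass = weighted_mass_by_bin(durations, bin_hours)
    modes = [(b, m) for b, m in mass.items() if m >= min_mass]
    return sorted(modes, key=lambda bm: -bm[1])


def estimate_renumber_period(durations, bin_hours=1.0, min_mass=0.2):
    """Strongest mode, or None if no bin dominates (no consistent renumbering)."""
    modes = find_periodic_modes(durations, bin_hours, min_mass)
    return modes[0][0] if modes else None


if __name__ == "__main__":
    for isp, durations in SAMPLE_DURATIONS.items():
        print(isp, "estimated period (h):", estimate_renumber_period(durations))
```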
Outages can lead to address changes
Now that we can estimate the maximum duration ISPs are likely to assign an address to a CPE, we were next interested in whether we can also estimate the minimum duration. Estimating the minimum duration can let us know how long a blacklist will be effective. In particular, we were interested in whether end-users can control when a new address is assigned to them: if they can, then the minimum duration is effectively zero because a malicious user can simply switch to a different address on demand.
End-users can cause an outage at the CPE simply by switching off their device. We therefore wondered whether outages influence address changes, and how the duration of the outage affects the likelihood of an address change. We found some correlation between outages and address changes in most ISPs, but the pattern differs: for some ISPs the duration of the outage matters, with longer outages making an address change more likely, whereas for other ISPs almost every outage results in an address change. We show one example of each below:
The graphs show the likelihood of an address change (renumbering) given network or power outages of different durations in LGI (left) and Orange (right). Although relatively few outages lasted longer than a day, the majority of these coincided with an address change in both ISPs. However, Orange changed addresses even on the shortest outages. A blacklisted end-user from Orange can simply reboot their device to evade the blacklist!
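The likelihood-of-renumbering-given-outage-duration analysis behind the graphs above, as an added example that is not part of the original post. The outage records and ISP names ("isp-A", "isp-B") are constructed, the duration buckets and the 90% threshold for flagging "a reboot is enough to get a new address" are assumptions.

```python
from collections import defaultdict

# Constructed outage records: (isp, outage duration in hours, address changed after?).
SAMPLE_OUTAGES = [
    ("isp-A", 0.1, False), ("isp-A", 0.3, False), ("isp-A", 0.5, True),
    ("isp-A", 5.0, True), ("isp-A", 12.0, False), ("isp-A", 30.0, True),
    ("isp-A", 48.0, True),
    ("isp-B", 0.1, True), ("isp-B", 0.2, True), ("isp-B", 0.4, True),
    ("isp-B", 6.0, True), ("isp-B", 12.0, False), ("isp-B", 36.0, True),
]

BUCKETS = ("<1h", "1-24h", ">24h")


def outage_bucket(hours):
    """Assumed duration buckets: under an hour, within a day, longer than a day."""
    if hours < 1.0:
        return "<1h"
    if hours < 24.0:
        return "1-24h"
    return ">24h"


def renumber_likelihood(records):
    """P(address change | outage bucket) per ISP, as {isp: {bucket: fraction}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [changed, total]
    for isp, hours, changed in records:
        cell = counts[isp][outage_bucket(hours)]
        cell[0] += int(changed)
        cell[1] += 1
    return {isp: {b: c[0] / c[1] for b, c in buckets.items()}
            for isp, buckets in counts.items()}


def reboot_evades_blacklist(records, isp, threshold=0.9):
    """True when even sub-hour outages (a user reboot) almost always renumber,
    meaning an address-based blacklist for this ISP is trivially evaded."""
    likelihood = renumber_likelihood(records).get(isp, {})
    return likelihood.get("<1h", 0.0) >= threshold


if __name__ == "__main__":
    for isp, by_bucket in renumber_likelihood(SAMPLE_OUTAGES).items():
        print(isp, {b: round(by_bucket.get(b, 0.0), 2) for b in BUCKETS},
              "reboot evades blacklist:", reboot_evades_blacklist(SAMPLE_OUTAGES, isp))
```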
Addresses often change across prefixes
Considering that users can sometimes evade blacklists easily, we investigated whether blacklisting the entire prefix would be more effective. When a new address is assigned, if it is from the same prefix as the previous one, then prefix-level blacklists can still prevent access to the blacklisted user. We found that most ISPs tend to assign around half of their new addresses from a different BGP prefix and even a different /16 prefix. In fact, a third of all the observed address changes were across different /8 prefixes! Thus, even blacklisting the entire /8 prefix of an address can fail a third of the time when an end-user's dynamic address changes.
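The prefix-crossing check and the per-ISP expiry recommended earlier in the post, as an added example that is not code from the original post. The address-change pairs use documentation address space (198.51.100.0/24, 203.0.113.0/24 and the 198.18.0.0/15 benchmarking range) and are constructed; the ISP names and their renumbering periods in RENUMBER_PERIOD_HOURS are assumed estimates, not measured values.

```python
import ipaddress
from collections import Counter

# Constructed address changes (old address -> new address), not RIPE Atlas data.
SAMPLE_CHANGES = [
    ("198.51.100.17", "198.51.100.201"),  # stays inside the same /24
    ("198.51.100.17", "198.51.7.9"),      # leaves the /24, stays in the /16
    ("198.51.100.17", "198.18.0.5"),      # leaves the /16, stays in the /8
    ("198.51.100.17", "203.0.113.40"),    # crosses the /8 boundary
]

# Assumed per-ISP maximum assignment durations (hours); 168 h is one week.
RENUMBER_PERIOD_HOURS = {"isp-24h": 24.0, "isp-weekly": 168.0}


def change_scope(old_ip, new_ip):
    """Longest of /24, /16, /8 that still contains the new address, else 'none'."""
    old, new = ipaddress.ip_address(old_ip), ipaddress.ip_address(new_ip)
    for plen in (24, 16, 8):
        if new in ipaddress.ip_network(f"{old}/{plen}", strict=False):
            return f"/{plen}"
    return "none"


def scope_histogram(changes):
    """How many observed changes stayed within each prefix granularity."""
    return Counter(change_scope(old, new) for old, new in changes)


def blacklist_still_covers(listed_ip, current_ip, block_prefix_len):
    """Does blocking listed_ip's covering prefix still catch the user's new address?"""
    net = ipaddress.ip_network(f"{listed_ip}/{block_prefix_len}", strict=False)
    return ipaddress.ip_address(current_ip) in net


def entry_expired(listed_at_hours, now_hours, isp):
    """Prune a listed address once the ISP's estimated renumbering period has
    elapsed; ISPs with no known period keep their entries (no pruning)."""
    period = RENUMBER_PERIOD_HOURS.get(isp)
    return period is not None and now_hours - listed_at_hours >= period


if __name__ == "__main__":
    print(scope_histogram(SAMPLE_CHANGES))
    print("/8 block still covers after /8 crossing:",
          blacklist_still_covers("198.51.100.17", "203.0.113.40", 8))
```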
Corroboration and conclusions
These results surprised us since our initial expectations had been based upon the assumption that dynamic addresses are typically assigned using DHCP. DHCP assigns addresses to CPE devices for a lease duration and CPEs typically have the option of renewing their leases before they expire, allowing CPEs to keep their previously assigned address. Both periodic renumbering, as well as renumbering upon outages shorter than the lease duration, should be uncommon for addresses assigned using DHCP.
We reached out to operators to confirm our inferences. We heard back from a large European ISP who not only corroborated our inferences, but also offered additional explanation for some of our results. The ISP we contacted did not use DHCP for dynamic address assignment; instead, they employ PPPoE to connect their DSL lines and use RADIUS for configuring addresses. This ISP changes IP addresses after 24 hours as a privacy feature and does not keep track of previously assigned addresses, so any disconnect event is highly likely to result in an address change.
Address reassignment was substantially more complex than we expected, with periodic address reassignment of even connected, functioning equipment being a common practice. The technical goal of efficient address assignment appears dominated by non-technical goals of ISP policy, e.g., privacy or preventing server operation. In particular, we believe that the address durations we measured should not be confused with DHCP lease durations. Standard DHCP behaviour, attempting to preserve the addresses for as long as the DHCP client is active or the server can remember, may be a good model for the majority of dynamically assigned addresses, but it is not a good model for the addresses that are the most dynamic.
We would like to express our sincere appreciation to the RIPE Atlas team for their efforts in deploying and maintaining thousands of probes around the world. The diversity of measurements from their probes, along with their ease of access, was invaluable to this work. This research was supported by NSF grants CNS-1526635 and CNS-1528148. The full paper is available here.