Dynamic IP Addresses

• For each /24, count:

  • total number of unique IP addresses seen ever
  • maximum number seen in 2 hour periods

• On plot:

  • x-axis is total number of unique addresses seen ever
  • y-axis is maximum number for a 2 hour period
  • the x = y (total = max) line shows /24s that had all their vulnerable hosts actively spreading in same 2 hour period, and those hosts didn’t change IP addresses
  • the space far below and to the right of the x = y line (total >> max) shows /24s that appear to have a lot of dynamic addresses
  • color of points represents density (3d histogram)

Previous slide

Next slide

Back to first slide

View graphic version