Grant Report: Measuring Internet Abuse via IP Addresses
2024 ARIN Community Grant Program Recipient Report
In 2024, the DNS Research Federation (DNSRF) received support from the ARIN Community Grant Program to investigate the role of IP addresses in malware and phishing attacks. While research on Internet abuse typically focuses on domain names, this project examined how attackers leverage number resources — a critical but often overlooked aspect of online security.
The project aimed to bridge a critical information gap by providing visibility into how number resources are exploited in cyberattacks. By developing live indicators and conducting data-driven analysis, DNSRF sought to provide network operators and incident response teams with actionable intelligence for protecting their infrastructure.
Learn more about all the 2024 ARIN Community Grant Program Recipients.
About the DNS Research Federation
The DNSRF is a nonprofit organization dedicated to advancing research and education on Internet infrastructure, with a particular focus on the Domain Name System and Internet security. It works to bridge the gap between technical research and practical implementation, providing data-driven insights that help the Internet community combat abuse and strengthen infrastructure resilience.
Project Implementation
The project, funded by a 2024 ARIN Community Grant of US$20,000, developed a data pipeline and methodology for tracking IP address use in malware and phishing attacks. The technical implementation involved several key components:
Data Integration and Processing
The team established continuous data ingestion from multiple high-fidelity abuse feeds including OpenPhish, APWG, Malware Patrol, URLHaus, and URL Abuse. The data pipeline incorporated deduplication to ensure unique incident reporting and enrichment processes to map URLs to Whois registration, SSL data, and Autonomous System Number (ASN) information.
Geographic Mapping Methodology
Building on methodology developed for a previous ARIN-funded Resource Public Key Infrastructure (RPKI) project, the team mapped malicious IP addresses to their current origin ASN using BGP data from RouteViews, then used Regional Internet Registry (RIR) statistics to identify which RIR assigned each IP address, the managing organization for the ASN, and the country where it is located. While this approach assumes network operators host ranges in the country where they’re located and should be considered an approximation, it provides valuable insights into abuse patterns.
Live Indicators Platform
The project culminated in the launch of a public microsite hosting real-time indicators on IP address use in malware and phishing. The platform provides three distinct views:
- IP Use in Malware (historical and real-time)
- IP Use in Phishing (historical and real-time)
- Geographic/ASN Hosting Analysis
Users can filter abuse data by RIR, with dedicated functionality for analyzing the ARIN region.
A central highlight of the implementation was the presentation at the ARIN 55 Public Policy and Members Meeting in April 2025. This engagement allowed the team to validate their methodology with a high-level technical audience and gather feedback on complex issues such as subdelegation transparency and stakeholder attribution. You can watch the presentation recording on YouTube.
Methodology Highlights
The project analyzed historical data starting from 1 February 2024, examining abusive URLs reported to third-party abuse feed providers. The methodology involved several critical steps:
- For phishing analysis, the team drew from OpenPhish, APWG, Malware Patrol, and URL Abuse feeds. For malware analysis, they utilized URLHaus, Malware Patrol, and URL Abuse. Each day, URL feeds were cleaned to ensure unique incident reporting, preventing double-counting of the same malicious activity.
- The data enrichment process mapped each URL to its corresponding Whois registration information, SSL certificate data, and ASN details. This allowed the team to track not just the raw numbers of abusive IP addresses, but also their organizational and geographic context.
The geographic mapping approach builds on established techniques but acknowledges important limitations. By mapping malicious IP addresses to their origin ASN and then to RIR regions and countries, the methodology provides useful insights while recognizing that it represents an approximation of true attack origins.
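The steps described above (deduplicating feed entries, picking out URLs whose host is a bare IP address, and mapping each address to its origin ASN and RIR) can be sketched as follows. This is an added example, not DNSRF's code: the feed entries, prefix table, ASN-to-RIR mapping and function names are constructed for illustration, and deduplication by exact URL is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (documentation prefixes, private-use ASNs); not DNSRF data.
FEED = [  # (feed name, reported URL)
    ("feed-a", "http://192.0.2.10/bins/x86"),
    ("feed-b", "http://192.0.2.10/bins/x86"),  # same incident seen in a second feed
    ("feed-a", "http://198.51.100.77:8080/payload.sh"),
    ("feed-b", "https://login.example.net/update.exe"),
    ("feed-a", "http://[2001:db8:10::5]/a.bin"),
]
# Announced prefix -> origin ASN, standing in for a BGP table snapshot.
BGP = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501,
       "198.51.100.64/26": 64502, "2001:db8::/32": 64503}
# Origin ASN -> (RIR, country), standing in for RIR statistics files.
ASN_INFO = {64500: ("arin", "US"), 64501: ("apnic", "IN"),
            64502: ("apnic", "CN"), 64503: ("ripencc", "NL")}


def ip_literal(url):
    """Return the URL host as an address object if it is a bare IP, else None."""
    host = urlsplit(url).hostname
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None  # host is a domain name


def origin_asn(ip, table=BGP):
    """Longest-prefix match: the most specific covering prefix gives the origin."""
    hits = [n for n in map(ipaddress.ip_network, table) if ip in n]
    return table[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


def summarize(feed=FEED):
    """Deduplicate URLs, count IP-only hosts and attribute them to an RIR."""
    urls = sorted({url for _, url in feed})  # assumption: exact-URL dedup
    per_rir = {}
    for ip in (i for i in map(ip_literal, urls) if i is not None):
        rir, _country = ASN_INFO.get(origin_asn(ip), ("unknown", "ZZ"))
        per_rir[rir] = per_rir.get(rir, 0) + 1
    ip_only = sum(per_rir.values())
    return {"unique_urls": len(urls), "ip_only": ip_only,
            "ip_only_share": ip_only / len(urls), "per_rir": per_rir}


if __name__ == "__main__":
    print(summarize())
```

The more specific /26 announcement in the sample table shows why the lookup must be a longest-prefix match: the same address would otherwise be attributed to the covering /24's origin ASN and country.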
Outcomes and Impact
The project successfully engaged an estimated 500+ networking and security professionals, specifically targeting those within the ARIN community. This reach was calculated through verified event participation data and web analytics.
ARIN 55 Community Engagement: The presentation at ARIN 55 reached nearly 250 individuals based on the official attendee list of onsite and remote participants. The presentation sparked significant technical discussion among network operators, focusing on critical nuances such as attribution (whether malicious activity in a region indicates local actors or merely compromised infrastructure) and the complexity of subdelegations that can obscure the true source of abuse.
Digital Platform Engagement: Since launch, the dedicated IP Abuse Live Indicators site has recorded 334 unique visitors with 637 total event interactions. More significantly, the project identified 39 “superusers” — individuals who demonstrated deep technical interaction with the indicators. The average engagement time of 2 minutes and 21 seconds indicates that visitors were actively examining the data rather than simply browsing.
Key Research Findings
The research revealed a striking contrast between malware and phishing tactics:
Malware Dominance
As of December 2025, approximately 70 percent of reported malware URLs in the last 30 days rely solely on IP addresses. This reflects the machine-to-machine nature of malware, where distribution and communications happen without user interaction, eliminating the need for human-readable domain names.
Phishing Trends
Conversely, only 0.6 percent of phishing URLs use IP-only addresses. Phishing remains human-driven, requiring domain names or subdomains to trick users into clicking malicious links.
Geographic Concentration
The APNIC region accounts for 87 percent of IP-based abuse volume — with India and China leading in raw numbers — followed by the United States. However, community feedback at ARIN 55 highlighted the importance of normalizing this data against country size and infrastructure scale to identify truly high-risk networks versus simply large networks.
Community Contributions
The project has delivered benefits to the ARIN community across three key areas:
Technical Research and Data-Driven Insights
The research successfully identified the distinct role that IP addresses play in the malware and phishing lifecycle. By providing up-to-date analysis of how number resources are exploited independently of the DNS, the project contributes to a more robust understanding of network security. The RIR-categorized data allows ARIN-region operators to benchmark local abuse trends against global patterns.
Technical and Policy Discussion
The ARIN 55 presentation sparked dialogue on attribution, the need to normalize abuse metrics, and sub-delegation transparency. Community feedback will inform future research on Internet abuse that relies on IP addresses, particularly regarding how to distinguish between attacker location and infrastructure location when crafting effective countermeasures.
Informational Resource
Through the launch of live indicators, DNSRF has provided a permanent, open-access resource for the ARIN community. By bridging the gap between raw abuse data feeds and registry data, the project supports ongoing efforts to protect Internet users within the ARIN region.
Next Steps
The DNSRF team will continue maintaining the live indicators platform, providing the ARIN community with ongoing access to real-time data on IP-based abuse. Based on community feedback from ARIN 55, future research iterations will explore methods for normalizing abuse data against infrastructure size and investigating the complexities of subdelegations that can obscure malicious actor attribution.
The project website remains available at dnsrf.org/measuring-internet-abuse-through-ip-addresses—live-indicators, and the team welcomes continued engagement from network operators and security professionals interested in leveraging these insights for infrastructure protection.
About the ARIN Community Grant Program
ARIN provides financial grants in support of initiatives that improve the overall Internet industry and Internet user environment. Are you working on a project that advances ARIN’s mission and broadly benefits the Internet community within the ARIN region through informational outreach, research, Internet technical improvements, or Registry processes and technology improvements? Visit the ARIN Community Grant Program page for more information and to find out how your organization can apply in 2026. For application tips and support, read this post on our blog.
Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.
