Finding and Analyzing Evil Cities on the Internet

  • Matthijs G. T. van Polen
  • Giovane C. M. Moura
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6734)


IP geolocation is used to determine the geographical location of Internet users based on their IP addresses. In security, most traditional geolocation analysis is performed at the country level. Since countries usually have many cities and towns of different sizes, these are expected to behave differently when it comes to malicious activities. Therefore, in this paper we refine geolocation analysis to the city level. The idea is to find the most dangerous cities on the Internet and observe how they behave. Security analysts can then use this information to improve their methods and tools. To perform this analysis, we obtained and evaluated data from a real-world honeypot network of 125 hosts and from production e-mail servers.


Geographical Analysis, Bad Neighborhoods, Internet Geolocation, IP Geolocation, Spam, Network Attacks, Honeypots





Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Matthijs G. T. van Polen (1)
  • Giovane C. M. Moura (1)
  • Aiko Pras (1)
  1. Centre for Telematics and Information Technology (CTIT), Faculty of Electrical Engineering, Mathematics, and Computer Science (EEMCS), Design and Analysis of Communications Systems (DACS), Enschede, The Netherlands
