Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
| Hi-index | 0.01 |
Recently, attacks involving source IP spoofing have now become critical issues on the Internet. These attacks are considered to be sent from bots that are controlled by command and control (C&C) servers. As many types of unknown bots are released and updated frequently, it becomes difficult to detect bot infected personal computers (PCs) using pattern-based intrusion detection system (IDS) and antivirus software (AV). As bots only affect the PC slightly, users tend to leave them infected. There has been active research into IP traceback systems. However, efforts to determine traceback from victims' PCs to bots and from bots to C&C servers have not yet been achieved. Because control and attack packets are sent asynchronously, it is hard to grasp the relation between bots and C&C servers. In this research, we propose host-based traceback schemes that track (i) from a victim PC to a bot, and (ii) from the bot to a C&C server. In the case of (i), the victim PC notifies its IP address to a traceback coordination center, while another PC downloads the victim IP address to inspect its access records. In the case of (ii), the access records of the bot are collected at the traceback coordination center, which extracts the active IP address considered to be a significant C&C server. We implement a host-based traceback system and evaluate the tracking ability of our model.