Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers. Its purpose is to evade identification and to prevent, or at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the fast-flux networks' roots (mothership servers) based on network measurements. We performed an extensive set of measurements on PlanetLab in order to validate and evaluate the performance of our method in a controlled environment. These experiments showed that, with our framework, fast-flux servers can be localized with mean distance errors similar to those of non-hidden servers, i.e. approximately 100 km. In light of these very promising results, we also applied our scheme to several active fast-flux servers and estimated their geographic locations, thereby providing statistics on the locations of "in the wild" fast-flux services.