Geolocalization of proxied services and its application to fast-flux hidden servers
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Fast-flux botnets are a growing security concern on the Internet. At their core, these botnets are a large collection of geographically-dispersed, compromised machines that act as proxies to hide the location of the host, commonly referred to as the "mothership," to and from which they proxy traffic. Fast-flux botnets pose a serious problem to botnet take-down efforts: while it is typically easy to identify and consequently shut down a single bot, locating the mothership behind a cloud of dynamically changing proxies is a difficult task. This paper presents techniques that use characteristics inherent in fast-flux service networks to thwart the very purpose for which they are used. Namely, we leverage the geographically-dispersed set of proxy hosts to locate (multilaterate) the position of the mothership in an abstract n-dimensional space. In this space, the distance between a pair of network coordinates is the round-trip time between the hosts they represent in the network. To map network coordinates to actual IP addresses, we built an IP graph that models the Internet. In this IP graph, nodes are Class C subnets and edges are routes between these subnets. By combining the calculated network coordinates with the IP graph, we are able to establish a group of subnets to which the mothership likely belongs.
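As an added illustration of the multilateration step described in the abstract (example code written for this page, not the paper's own implementation), the block below fits a mothership coordinate to a set of proxy coordinates and per-proxy RTT estimates by least squares, then ranks candidate Class C subnets by their distance from that estimate. The 2-D coordinates, the RTT values and the candidate subnet list are constructed; how the proxy-to-mothership RTTs are obtained is assumed to be handled elsewhere.

```python
import math

# Constructed example: proxies already placed in a 2-D network-coordinate
# space (units: ms), as a Vivaldi-style system would provide. The RTT from
# each proxy to the mothership is assumed to have been estimated already.
PROXY_COORDS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0), (50.0, 10.0)]
TRUE_MOTHERSHIP = (30.0, 40.0)  # unknown in practice; used here only to derive RTTs


def dist(a, b):
    """Euclidean distance between two coordinates (= predicted RTT)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


PROXY_RTTS = [dist(c, TRUE_MOTHERSHIP) for c in PROXY_COORDS]


def multilaterate(coords, rtts, iters=3000, lr=0.1):
    """Find p minimising sum_i (|p - c_i| - rtt_i)^2 by gradient descent."""
    dim = len(coords[0])
    p = [sum(c[k] for c in coords) / len(coords) for k in range(dim)]  # start at centroid
    for _ in range(iters):
        grad = [0.0] * dim
        for c, r in zip(coords, rtts):
            d = dist(p, c)
            if d == 0.0:
                continue  # gradient is undefined exactly at a proxy; skip this term
            coef = 2.0 * (d - r) / d
            for k in range(dim):
                grad[k] += coef * (p[k] - c[k])
        p = [p[k] - lr * grad[k] / len(coords) for k in range(dim)]
    return p


def residual(p, coords, rtts):
    """Root-mean-square mismatch between predicted and measured RTTs."""
    return math.sqrt(sum((dist(p, c) - r) ** 2 for c, r in zip(coords, rtts)) / len(coords))


# Constructed candidate subnets (RFC 5737 documentation ranges), each with the
# coordinate of its representative node in the IP graph.
CANDIDATE_SUBNETS = {
    "192.0.2.0/24": (28.0, 41.0),
    "198.51.100.0/24": (70.0, 70.0),
    "203.0.113.0/24": (10.0, 5.0),
}


def rank_subnets(p, subnets):
    """Order candidate subnets by distance of their coordinate from the estimate p."""
    return sorted(subnets, key=lambda s: dist(p, subnets[s]))


if __name__ == "__main__":
    est = multilaterate(PROXY_COORDS, PROXY_RTTS)
    print("estimate:", [round(x, 2) for x in est], "rms error:", round(residual(est, PROXY_COORDS, PROXY_RTTS), 3))
    print("likely subnets:", rank_subnets(est, CANDIDATE_SUBNETS))
```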