MISHIMA: Multilateration of Internet Hosts Hidden Using Malicious Fast-Flux Agents (Short Paper)

  • Greg Banks
  • Aristide Fattori
  • Richard Kemmerer
  • Christopher Kruegel
  • Giovanni Vigna
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


Fast-flux botnets are a growing security concern on the Internet. At their core, these botnets are a large collection of geographically-dispersed, compromised machines that act as proxies to hide the location of the host, commonly referred to as the “mothership,” to/from which they are proxying traffic. Fast-flux botnets pose a serious problem to botnet take-down efforts. The reason is that, while it is typically easy to identify and consequently shut down single bots, locating the mothership behind a cloud of dynamically changing proxies is a difficult task.

This paper presents techniques that utilize characteristics inherent in fast-flux service networks to thwart the very purpose for which they are used. Namely, we leverage the geographically-dispersed set of proxy hosts to locate (multilaterate) the position of the mothership in an abstract n-dimensional space. In this space, the distance between a pair of network coordinates is the round-trip time between the hosts they represent in the network. To map network coordinates to actual IP addresses, we built an IP graph that models the Internet. In this IP graph, nodes are Class C subnets and edges are routes between these subnets. By combining information obtained by calculating network coordinates and the IP graph, we are able to establish a group of subnets to which a mothership likely belongs.


Service Network Close Node Beacon Node Proxy Node Internet Host 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bailey, M., Cooke, E., Jahanian, F., Watson, D., Nazario, J.: The Blaster Worm: Then and Now. In: IEEE Security & Privace, pp. 26–31 (2005)Google Scholar
  2. 2.
    Cooke, E., Jahanian, F., McPherson, D.: The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In: Proceedings of the USENIX SRUTI Workshop, pp. 39–44 (2005)Google Scholar
  3. 3.
    The Honeynet Project: Know Your Enemy: Fast-Flux Service Networks (2007),
  4. 4.
    Freiling, F., Holz, T., Wicherski, G.: Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In: 10th European Symposium On Research In Computer Security (2005)Google Scholar
  5. 5.
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: 6th ACM SIGCOMM Internet Measurement Conference, IMC (2006)Google Scholar
  6. 6.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In: Proceedings of the 16th USENIX Security Symposium (2007)Google Scholar
  7. 7.
    Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: Network & Distributed System Security Symposium (2008)Google Scholar
  8. 8.
    Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: Detecting and Monitoring Fast-Flux Service Networks. LNCS (2008)Google Scholar
  9. 9.
    Nazario, J., Holz, T.: As the Net Churns: Fast-Flux Botnet Observations. In: Conference on Malicious and Unwanted Software, Malware 2008 (2008)Google Scholar
  10. 10.
    Francis, P., Jamin, S., Jin, C., Jin, Y., Raz, D., Shavitt, Y., Zhang, L.: IDMaps: A Global Internet Host Distance Estimation Service. IEEE/ACM Transactions On Networking 9(5), 525 (2001)CrossRefGoogle Scholar
  11. 11.
    Ng, T., Zhang, H.: Towards global network positioning. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, pp. 25–29. ACM, New York (2001)CrossRefGoogle Scholar
  12. 12.
    Dabek, F., Cox, R., Kaashoek, F., Morris, R.: Vivaldi: a decentralized network coordinate system. ACM SIGCOMM Computer Communication Review 34(4), 15–26 (2004)CrossRefGoogle Scholar
  13. 13.
    Costa, M., Castro, M., Rowstron, R., Key, P.: PIC: Practical Internet Coordinates for Distance Estimation. In: Proceedings of the International Conference on Distributed Computing Systems, pp. 178–187 (2004)Google Scholar
  14. 14.
    Castelluccia, C., Kaafar, D., Perito, D.: Geolocalization of Proxied Services and its Application to Fast-Flux Hidden Servers. In: 9th ACM SIGCOMM Internet Measurement Conference, IMC (2009)Google Scholar
  15. 15.
    Gummadi, K., Saroiu, S., Gfibble, S.: King: Estimating Latency between Arbitrary Internet End Hosts. In: Proceedings of SIGCOMM Workshop on Internet Measurment, pp. 5–18 (2002)Google Scholar
  16. 16.
    Ledlie, J., Gardner, P., Seltzer, M.: Network Coordinates in the Wild. In: Proceedings of USENIX NSDI (April 2007)Google Scholar
  17. 17.
    Arbor Networks: Arbor Atlas,
  18. 18.
    Hyun, Y., Huffaker, B., Andersen, D., Aben, E., Shannon, C., Luckie, M., claffy, K.C: The CAIDA IPv4 Routed /24 Topology Dataset. (07/2009-09/2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Greg Banks
    • 1
  • Aristide Fattori
    • 1
  • Richard Kemmerer
    • 1
  • Christopher Kruegel
    • 1
  • Giovanni Vigna
    • 1
  1. 1.University of CaliforniaSanta BarbaraUSA

Personalised recommendations