
MISHIMA: Multilateration of Internet Hosts Hidden Using Malicious Fast-Flux Agents (Short Paper)

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2011)

Abstract

Fast-flux botnets are a growing security concern on the Internet. At their core, these botnets are a large collection of geographically-dispersed, compromised machines that act as proxies to hide the location of the host, commonly referred to as the “mothership,” to/from which they are proxying traffic. Fast-flux botnets pose a serious problem to botnet take-down efforts. The reason is that, while it is typically easy to identify and consequently shut down single bots, locating the mothership behind a cloud of dynamically changing proxies is a difficult task.

This paper presents techniques that utilize characteristics inherent in fast-flux service networks to thwart the very purpose for which they are used. Namely, we leverage the geographically-dispersed set of proxy hosts to locate (multilaterate) the position of the mothership in an abstract n-dimensional space. In this space, the distance between a pair of network coordinates is the round-trip time between the hosts they represent in the network. To map network coordinates to actual IP addresses, we built an IP graph that models the Internet. In this IP graph, nodes are Class C subnets and edges are routes between these subnets. By combining information obtained by calculating network coordinates and the IP graph, we are able to establish a group of subnets to which a mothership likely belongs.
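The multilateration step the abstract describes, carried out in code. This is an added example, not code from the MISHIMA paper or its authors, and it makes the following assumptions: each fast-flux proxy already has a coordinate in an n-dimensional Euclidean space in which distance approximates round-trip time (the abstract does not say which coordinate system produced it); for every proxy we hold an estimate of the RTT between it and the hidden mothership (how that RTT is obtained is outside the example); the /24 subnets of the IP graph carry coordinates in the same space and the graph's edges (routes) are given as an adjacency list. The solver, a multi-start gradient descent on the least-squares residual, is my choice, not necessarily the paper's. Every name, coordinate, RTT, subnet and route below is constructed; the subnets use documentation and benchmark address ranges.

```python
"""Multilateration of a hidden host in a network-coordinate space (added example,
not code from the MISHIMA paper). Assumed: each fast-flux proxy has a coordinate in
an n-dimensional Euclidean space where distance approximates RTT in ms; for every
proxy we hold an RTT estimate to the hidden mothership; /24 subnets carry
coordinates in the same space and routes form an adjacency list. All data below is
constructed."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, ...]


def _dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def residual(x: Point, anchors: Sequence[Point], rtts: Sequence[float]) -> float:
    """Sum of squared errors between predicted distances and measured RTTs."""
    return sum((_dist(x, p) - d) ** 2 for p, d in zip(anchors, rtts))


def _descend(start, anchors, rtts, step=0.05, max_move=5.0, iters=5000, tol=1e-9):
    """Gradient descent on residual() from one starting point."""
    x = list(start)
    for _ in range(iters):
        grad = [0.0] * len(x)
        for p, d in zip(anchors, rtts):
            r = _dist(x, p)
            if r < 1e-12:
                continue  # sitting exactly on an anchor: direction undefined, skip term
            scale = 2.0 * (r - d) / r
            for k in range(len(x)):
                grad[k] += scale * (x[k] - p[k])
        norm = math.sqrt(sum(g * g for g in grad))
        if norm < tol:
            break
        factor = min(step, max_move / norm)  # cap the move so a start near an anchor cannot blow up
        x = [xk - factor * g for xk, g in zip(x, grad)]
    return tuple(x)


def multilaterate(anchors: Sequence[Point], rtts: Sequence[float]) -> Tuple[Point, float]:
    """Estimate the coordinate whose anchor distances best match the RTTs.
    The objective is non-convex, so descend from the centroid and from beside
    every anchor and keep the lowest-residual fit. Returns (estimate, residual);
    a large residual means the RTTs are inconsistent and the fix is untrustworthy."""
    dims = len(anchors[0])
    centroid = tuple(sum(p[k] for p in anchors) / len(anchors) for k in range(dims))
    starts = [centroid] + [tuple(c + 1.0 for c in p) for p in anchors]
    best: Optional[Tuple[Point, float]] = None
    for s in starts:
        x = _descend(s, anchors, rtts)
        res = residual(x, anchors, rtts)
        if best is None or res < best[1]:
            best = (x, res)
    return best


def candidate_subnets(estimate: Point, subnet_coords: Dict[str, Point], radius: float) -> List[str]:
    """/24 subnets whose coordinate lies within `radius` ms of the estimate, nearest first."""
    hits = [(_dist(estimate, c), s) for s, c in subnet_coords.items()]
    return [s for d, s in sorted(hits) if d <= radius]


def expand_by_routes(subnets: Sequence[str], routes: Dict[str, Sequence[str]]) -> List[str]:
    """Widen the group by one route hop (example's assumption: a routing
    neighbour of a close subnet is a plausible home for the mothership too)."""
    group = set(subnets)
    for s in subnets:
        group.update(routes.get(s, ()))
    return sorted(group)


# ---- constructed sample data (no real hosts) ----
PROXY_COORDS: List[Point] = [  # network coordinates of six fast-flux proxies
    (0.0, 0.0, 0.0), (50.0, 0.0, 0.0), (0.0, 50.0, 0.0),
    (0.0, 0.0, 50.0), (50.0, 50.0, 50.0), (30.0, 10.0, 40.0),
]
TRUE_MOTHERSHIP: Point = (10.0, 20.0, 5.0)  # used only to synthesise the RTTs
RTT_TO_MOTHERSHIP_MS = [_dist(p, TRUE_MOTHERSHIP) for p in PROXY_COORDS]
SUBNET_COORDS: Dict[str, Point] = {  # IP-graph nodes, documentation/benchmark ranges
    "203.0.113.0/24": (9.8, 20.3, 5.1),
    "192.0.2.0/24": (12.0, 18.0, 6.0),
    "198.18.0.0/24": (20.0, 30.0, 10.0),
    "198.18.1.0/24": (-5.0, 15.0, 0.0),
    "198.51.100.0/24": (40.0, 40.0, 40.0),
}
ROUTES: Dict[str, List[str]] = {  # IP-graph edges
    "203.0.113.0/24": ["198.18.0.0/24"],
    "198.18.0.0/24": ["203.0.113.0/24", "198.51.100.0/24"],
    "192.0.2.0/24": ["198.18.1.0/24"],
    "198.18.1.0/24": ["192.0.2.0/24"],
}

if __name__ == "__main__":
    est, res = multilaterate(PROXY_COORDS, RTT_TO_MOTHERSHIP_MS)
    close = candidate_subnets(est, SUBNET_COORDS, radius=5.0)
    print("estimate:", tuple(round(c, 2) for c in est), "residual:", round(res, 6))
    print("candidate subnets:", close, "with route neighbours:", expand_by_routes(close, ROUTES))
```

Two practical points the code makes explicit. First, the sphere-intersection objective has local minima, so a single descent from the centroid can settle on a wrong position; running from several starts and keeping the lowest residual is the cheap defence, and the residual itself is the quality signal a practitioner should inspect before trusting the estimate (real RTTs are noisy, and a proxy with a badly estimated RTT will show up as a poor fit). Second, the coordinate estimate is only an intermediate result: the useful output is the group of subnets it maps to, widened along routes, which is what a take-down effort would hand to further investigation rather than a single address.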



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Banks, G., Fattori, A., Kemmerer, R., Kruegel, C., Vigna, G. (2011). MISHIMA: Multilateration of Internet Hosts Hidden Using Malicious Fast-Flux Agents (Short Paper). In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_11


  • DOI: https://doi.org/10.1007/978-3-642-22424-9_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22423-2

  • Online ISBN: 978-3-642-22424-9
