Abstract
Fast-flux botnets are a growing security concern on the Internet. At their core, these botnets are a large collection of geographically-dispersed, compromised machines that act as proxies to hide the location of the host, commonly referred to as the “mothership,” to/from which they are proxying traffic. Fast-flux botnets pose a serious problem to botnet take-down efforts. The reason is that, while it is typically easy to identify and consequently shut down single bots, locating the mothership behind a cloud of dynamically changing proxies is a difficult task.
This paper presents techniques that utilize characteristics inherent in fast-flux service networks to thwart the very purpose for which they are used. Namely, we leverage the geographically-dispersed set of proxy hosts to locate (multilaterate) the position of the mothership in an abstract n-dimensional space. In this space, the distance between a pair of network coordinates is the round-trip time between the hosts they represent in the network. To map network coordinates to actual IP addresses, we built an IP graph that models the Internet. In this IP graph, nodes are Class C subnets and edges are routes between these subnets. By combining information obtained by calculating network coordinates and the IP graph, we are able to establish a group of subnets to which a mothership likely belongs.
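The two steps the abstract sketches, multilaterating a coordinate from per-proxy round-trip times and then mapping that coordinate back to a set of /24 subnets, can be made concrete in a few dozen lines. The following Python is an added worked example, not code from the MISHIMA paper. It assumes (the abstract does not say how this is done) that each proxy already has a coordinate in a Euclidean embedding whose distances approximate RTT, that an RTT from each proxy to the hidden host can be measured, and that every /24 node of the IP graph carries its own coordinate; the anchor positions, RTTs, subnet ranges and subnet coordinates are all constructed.

```python
"""Locating a proxied host by multilateration in a network-coordinate space.

Added worked example illustrating the approach in the abstract; it is not code
from the MISHIMA paper. Assumptions (not stated in the abstract): proxies
("anchors") already have coordinates in a Euclidean embedding where distance
approximates RTT, and an RTT from each proxy to the hidden host can be
measured. All data below is constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple

Coord = Tuple[float, ...]


def distance(a: Coord, b: Coord) -> float:
    """Euclidean distance; in a network-coordinate space this is the predicted RTT."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def multilaterate(anchors: Sequence[Coord], rtts: Sequence[float],
                  iterations: int = 1000, step: float = 0.5) -> Coord:
    """Estimate the coordinate x minimising sum_i (|x - a_i| - r_i)^2.

    Gradient descent on the averaged squared residual, started from the
    anchors' centroid. Near the solution the averaged Hessian has eigenvalues
    in [0, 2], so a step of 0.5 is stable; convergence is fast when the target
    lies inside the anchors' convex hull.
    """
    if len(anchors) != len(rtts) or len(anchors) < len(anchors[0]) + 1:
        raise ValueError("need at least n+1 anchors, each with one RTT")
    dims = len(anchors[0])
    x = [sum(a[k] for a in anchors) / len(anchors) for k in range(dims)]
    for _ in range(iterations):
        grad = [0.0] * dims
        for a, r in zip(anchors, rtts):
            d = distance(x, a)
            if d < 1e-9:  # x sits exactly on an anchor: no defined direction
                continue
            residual = d - r
            for k in range(dims):
                grad[k] += 2.0 * residual * (x[k] - a[k]) / d
        for k in range(dims):
            x[k] -= step * grad[k] / len(anchors)
    return tuple(x)


def residual_rms(x: Coord, anchors: Sequence[Coord], rtts: Sequence[float]) -> float:
    """Root-mean-square of |x - a_i| - r_i; a sanity check on the fit quality."""
    return math.sqrt(sum((distance(x, a) - r) ** 2
                         for a, r in zip(anchors, rtts)) / len(anchors))


def candidate_subnets(estimate: Coord, subnet_coords: Dict[str, Coord],
                      tolerance_ms: float) -> List[Tuple[str, float]]:
    """Rank /24 subnets whose coordinate lies within tolerance_ms of the estimate.

    Stands in for the IP-graph lookup the abstract describes: we assume each /24
    node of the graph carries a coordinate, so the estimated coordinate maps to
    a group of nearby subnets rather than to a single address.
    """
    ranked = sorted(((net, distance(estimate, c)) for net, c in subnet_coords.items()),
                    key=lambda item: item[1])
    return [(net, d) for net, d in ranked if d <= tolerance_ms]


# Constructed scenario: 3-D embedding, units are milliseconds.
ANCHORS = [(0.0, 0.0, 0.0), (100.0, 0.0, 0.0), (0.0, 100.0, 0.0),
           (100.0, 100.0, 0.0), (50.0, 50.0, 80.0), (50.0, 50.0, -80.0)]
TRUE_MOTHERSHIP = (30.0, 60.0, 10.0)   # hidden; used only to synthesise RTTs
EXACT_RTTS = [distance(TRUE_MOTHERSHIP, a) for a in ANCHORS]
# The same measurements with constructed jitter, as real RTT samples would carry.
NOISY_RTTS = [r + e for r, e in zip(EXACT_RTTS, (1.5, -2.0, 0.7, -1.1, 2.2, -0.4))]

# Constructed /24 nodes (RFC 5737 / RFC 2544 ranges) with assumed coordinates.
SUBNET_COORDS = {
    "198.51.100.0/24": (31.0, 59.0, 12.0),
    "192.0.2.0/24": (28.0, 64.0, 8.0),
    "198.18.0.0/24": (60.0, 60.0, -40.0),
    "203.0.113.0/24": (90.0, 10.0, 5.0),
}


def locate(rtts: Sequence[float], tolerance_ms: float = 10.0):
    """Full pipeline: multilaterate, then map the coordinate to candidate /24s."""
    estimate = multilaterate(ANCHORS, rtts)
    return estimate, candidate_subnets(estimate, SUBNET_COORDS, tolerance_ms)


if __name__ == "__main__":
    est, cands = locate(NOISY_RTTS)
    print("estimate:", tuple(round(v, 1) for v in est),
          "rms residual:", round(residual_rms(est, ANCHORS, NOISY_RTTS), 2))
    for net, d in cands:
        print(f"  {net}  {d:.1f} ms from estimate")
```

With exact RTTs the estimate lands on the hidden coordinate; with the jittered RTTs it lands a few milliseconds away, which is why the final step returns a tolerance-bounded group of subnets rather than one address. The RMS residual is worth reporting alongside the estimate: a residual far above the expected RTT jitter suggests the embedding or the measurements are inconsistent and the candidate group should not be trusted.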
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Banks, G., Fattori, A., Kemmerer, R., Kruegel, C., Vigna, G. (2011). MISHIMA: Multilateration of Internet Hosts Hidden Using Malicious Fast-Flux Agents (Short Paper). In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_11
DOI: https://doi.org/10.1007/978-3-642-22424-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22423-2
Online ISBN: 978-3-642-22424-9
eBook Packages: Computer Science, Computer Science (R0)