Abstract
Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers. Its purpose is to evade identification and prevent or, at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the fast-flux networks roots (mothership servers) based on network measurements. We performed an extensive set of measurements on PlanetLab in order to validate and evaluate the performance of our method in a controlled environment. These experimentations showed that, with our framework, fast-flux servers can be localized with similar mean distance errors than non-hidden servers, i.e. approximately 100 km. In the light of these very promising results, we also applied our scheme to several active fast-flux servers and estimated their geographic locations, providing then statistics on the locations of "in the wild" fast-flux services.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 2009 ACM SIGCOMM Internet Measurement Conference |
| Place of Publication | New York |
| Publisher | Association for Computing Machinery |
| Pages | 184-189 |
| Number of pages | 6 |
| ISBN (Electronic) | 9781605587714 |
| ISBN (Print) | 9781605587707 |
| DOIs | |
| Publication status | Published - 2009 |
| Externally published | Yes |
| Event | 2009 9th ACM SIGCOMM Internet Measurement Conference, IMC 2009 - Chicago, IL, United States Duration: 4 Nov 2009 → 6 Nov 2009 |
Conference
| Conference | 2009 9th ACM SIGCOMM Internet Measurement Conference, IMC 2009 |
|---|---|
| Country | United States |
| City | Chicago, IL |
| Period | 4/11/09 → 6/11/09 |
Keywords
- fast-flux
- geolocalization
- hidden servers