Geolocalization of proxied services and its application to fast-flux hidden servers

Claude Castelluccia, Mohamed Ali Kaafar, Pere Manils, Daniele Perito

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution

13 Citations (Scopus)

Abstract

Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers. Its purpose is to evade identification and prevent, or at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the fast-flux networks' roots (mothership servers) based on network measurements. We performed an extensive set of measurements on PlanetLab in order to validate and evaluate the performance of our method in a controlled environment. These experiments showed that, with our framework, fast-flux servers can be localized with mean distance errors similar to those of non-hidden servers, i.e. approximately 100 km. In light of these very promising results, we also applied our scheme to several active fast-flux servers and estimated their geographic locations, thereby providing statistics on the locations of "in the wild" fast-flux services.

Original language: English
Title of host publication: Proceedings of the 2009 ACM SIGCOMM Internet Measurement Conference
Place of Publication: New York
Publisher: Association for Computing Machinery
Pages: 184-189
Number of pages: 6
ISBN (Electronic): 9781605587714
ISBN (Print): 9781605587707
Publication status: Published - 2009
Externally published: Yes
Event: 2009 9th ACM SIGCOMM Internet Measurement Conference, IMC 2009 - Chicago, IL, United States
Duration: 4 Nov 2009 to 6 Nov 2009

Conference

Conference: 2009 9th ACM SIGCOMM Internet Measurement Conference, IMC 2009
Country: United States
City: Chicago, IL
Period: 4/11/09 to 6/11/09

Keywords

  • fast-flux
  • geolocalization
  • hidden servers
