Geolocalization of proxied services and its application to fast-flux hidden servers

Claude Castelluccia 1 Mohamed Ali Kaafar 1, * P. Manils D. Perito
* Corresponding author
1 PLANETE - Protocols and applications for the Internet
Inria Grenoble - Rhône-Alpes, CRISAM - Inria Sophia Antipolis - Méditerranée
Abstract : Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers. Its purpose is to evade identification and prevent or, at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the fast-flux networks roots (mothership servers) based on network measurements. We performed an extensive set of measurements on PlanetLab in order to validate and evaluate the performance of our method in a controlled environment. These experimentations showed that, with our framework, fast-flux servers can be localized with similar mean distance errors than non-hidden servers, i.e. approximately 100 km. In the light of these very promising results, we also applied our scheme to several active fast-flux servers and estimated their geographic locations, providing then statistics on the locations of "in the wild" fast-flux services.
Document type :
Conference papers
Complete list of metadatas

https://hal.inria.fr/hal-00748235
Contributor : Mohamed Ali Kaafar <>
Submitted on : Monday, November 5, 2012 - 11:03:46 AM
Last modification on : Wednesday, April 11, 2018 - 1:53:44 AM

Links full text

Identifiers

Collections

Citation

Claude Castelluccia, Mohamed Ali Kaafar, P. Manils, D. Perito. Geolocalization of proxied services and its application to fast-flux hidden servers. Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference (IMC), Nov 2009, Chicago, United States. pp.184--189, ⟨10.1145/1644893.1644915⟩. ⟨hal-00748235⟩

Share

Metrics

Record views

149