ABSTRACT
Today's Internet is open and anonymous. While it permits free traffic from any host, attackers that generate malicious traffic cannot typically be held accountable. In this paper, we present a system called HostTracker that tracks dynamic bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs. Using a month-long user login trace from a large email provider, we show that HostTracker can attribute most of the activities reliably to the responsible hosts, despite the existence of dynamic IP addresses, proxies, and NATs. With this information, we are able to analyze the host population, to conduct forensic analysis, and also to blacklist malicious hosts dynamically.
De-anonymizing the Internet Using Unreliable IDs
Published in: Proc. of ACM SIGCOMM '09