DOI: 10.1145/1516241.1516311

Host-based traceback; tracking bot and C&C server

Published: 15 February 2009

Abstract

Attacks involving source IP spoofing have become critical issues on the Internet. These attacks are considered to be sent from bots that are controlled by command and control (C&C) servers. As many types of unknown bots are released and updated frequently, it becomes difficult to detect bot-infected personal computers (PCs) using pattern-based intrusion detection systems (IDS) and antivirus software (AV). As bots only affect the PC slightly, users tend to leave them infected. There has been active research into IP traceback systems. However, traceback from victims' PCs to bots and from bots to C&C servers has not yet been achieved. Because control and attack packets are sent asynchronously, it is hard to grasp the relation between bots and C&C servers. In this research, we propose host-based traceback schemes that track (i) from a victim PC to a bot, and (ii) from the bot to a C&C server. In the case of (i), the victim PC reports its IP address to a traceback coordination center, while another PC downloads the victim IP address to inspect its access records. In the case of (ii), the access records of the bot are collected at the traceback coordination center, which extracts the active IP address considered to be a significant C&C server. We implement a host-based traceback system and evaluate the tracking ability of our model.
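The two tracking steps in the abstract can be sketched as below. This is an added illustration, not the authors' implementation: the record format, the function names, the ranking rule (count how many distinct bots contacted each remote address) and the allow-list are assumptions, and all hosts and addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses). Each host keeps
# its own access records as (unix_time, remote_ip) pairs; this format is assumed.
VICTIM_IP = "203.0.113.50"   # address the victim reported to the coordination center
HOST_RECORDS = {
    "pc-a": [(100, "198.51.100.7"), (160, VICTIM_IP), (400, "192.0.2.10")],
    "pc-b": [(90, "198.51.100.7"), (150, VICTIM_IP), (300, "192.0.2.99")],
    "pc-c": [(120, "192.0.2.10"), (500, "192.0.2.11")],
    "pc-d": [(95, "198.51.100.7"), (155, VICTIM_IP), (158, "192.0.2.10")],
}


def find_bots(host_records, victim_ip):
    """Step (i): each host checks its own access records for the victim address."""
    return sorted(host for host, recs in host_records.items()
                  if any(ip == victim_ip for _, ip in recs))


def rank_cc_candidates(host_records, bots, victim_ip, min_bots=2, allowlist=()):
    """Step (ii): the center merges only the bots' records and ranks remote IPs.

    Assumed heuristic: an address contacted by at least `min_bots` distinct bots
    is a C&C candidate. No timing is used, because control and attack packets
    are asynchronous. Shared services (resolvers, update servers) would also
    rank high, so known-good addresses are filtered through `allowlist`.
    """
    contacted_by = defaultdict(set)
    for bot in bots:
        for _, ip in host_records[bot]:
            if ip != victim_ip and ip not in allowlist:
                contacted_by[ip].add(bot)
    candidates = [(ip, sorted(hosts)) for ip, hosts in contacted_by.items()
                  if len(hosts) >= min_bots]
    # Most widely contacted address first; ties broken by address for stability.
    return sorted(candidates, key=lambda c: (-len(c[1]), c[0]))


if __name__ == "__main__":
    bots = find_bots(HOST_RECORDS, VICTIM_IP)
    print("hosts with records to the victim:", bots)
    for ip, hosts in rank_cc_candidates(HOST_RECORDS, bots, VICTIM_IP,
                                        allowlist={"192.0.2.10"}):
        print(f"C&C candidate {ip}, contacted by {hosts}")
```

Without the allow-list, the shared address 192.0.2.10 is also reported as a second-ranked candidate, which is the false positive the filter is there to suppress.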


Published In

ICUIMC '09: Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication
February 2009
704 pages
ISBN:9781605584058
DOI:10.1145/1516241
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. DNS reflection attack
  2. IP spoofing
  3. botnet
  4. host-based traceback

Qualifiers

  • Research-article

Conference

ICUIMC '09

Acceptance Rates

Overall Acceptance Rate 251 of 941 submissions, 27%

Cited By

  • (2015) Botnet tracing based on distributed denial of service activity analysis. 2015 8th International Conference on Biomedical Engineering and Informatics (BMEI), pp. 685-689. DOI: 10.1109/BMEI.2015.7401590. Online publication date: Oct-2015
  • (2014) Host–Based Intrusion Detection Systems. Architectures and Protocols for Secure Information Technology Infrastructures, pp. 184-213. DOI: 10.4018/978-1-4666-4514-1.ch007. Online publication date: 2014
  • (2014) A Collaborative Traceback against P2P Botnet Using Information Sharing and Correlation Analysis. Proceedings of the 2014 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 132-138. DOI: 10.1109/CyberC.2014.31. Online publication date: 13-Oct-2014
  • (2011) Taxonomical approach to the deployment of traceback mechanisms. 2011 Baltic Congress on Future Internet and Communications, pp. 13-20. DOI: 10.1109/BCFIC-RIGA.2011.5733214. Online publication date: Feb-2011
