<?xml version="1.0" standalone="no"?>
                    <!DOCTYPE div SYSTEM "/www/backend/www-xml-443/dtd/caidaML.dtd">
                    <!-- do NOT ERASE the DOCTYPE declaration! --><div>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>URL:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<a href="http://portal.acm.org/citation.cfm?id=1644915">http://portal.acm.org/citation.cfm?id=1644915</a>
</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Entry Date:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
2011-04-06


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>Abstract:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
Fast-flux is a redirection technique used by cyber-criminals to hide the
actual location of malicious servers. Its purpose is to evade identification
and prevent, or at least delay, the shutdown of these illegal servers by
law enforcement.

This paper proposes a framework to geolocalize fast-flux servers, that is,
to determine the physical location of the fast-flux networks' roots
(mothership servers) based on network measurements. We performed an
extensive set of measurements on PlanetLab in order to validate and
evaluate the performance of our method in a controlled environment.
These experiments showed that, with our framework, fast-flux servers
can be localized with mean distance errors similar to those of non-hidden
servers, i.e. approximately 100 km. In the light of these very promising
results, we also applied our scheme to several active fast-flux servers
and estimated their geographic locations, thereby providing statistics on
the locations of "in the wild" fast-flux services.



</font>
  </td>
</tr>
</div>

