Abstract
Denial-of-Service (DoS) attacks pose a significant threat to the Internet today, especially when they are distributed, i.e., launched simultaneously from a large number of systems. Reactive techniques that try to detect such an attack and throttle malicious traffic prevail today, but they usually require additional infrastructure to be really effective. In this paper we show that preventive mechanisms can be just as effective with much less effort. We present an approach to (distributed) DoS attack prevention that is based on the observation that coordinated, automated activity by many hosts needs a mechanism to remotely control them. To prevent such attacks, it is therefore possible to identify, infiltrate and analyze this remote control mechanism and to stop it in an automated fashion. We show that this method can be realized in the Internet by describing how we infiltrated and tracked IRC-based botnets, which are the main DoS technology used by attackers today.
Keywords
- Remote Control
- Intrusion Detection System
- Internet Relay Chat
- Remote Control Network
- IEEE Computer Security Foundation Workshop
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Freiling, F.C., Holz, T., Wicherski, G. (2005). Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_19
DOI: https://doi.org/10.1007/11555827_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8