Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Freiling, Felix C.; Holz, Thorsten; Wicherski, Georg

doi:10.1007/11555827_19

Cited by 170 publications

(99 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The C&C server's address will then be put into the sinkhole DNS database. Then, every connection trying to contact this server will receive the loopback address 127.0.0.1 instead of the real IP address of the C&C server [12].…”

Section: Standard Proceduresmentioning

confidence: 99%

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

Moon

Choi

Kim

et al. 2014

Appl. Math. Inf. Sci.

View full text Add to dashboard Cite

Abstract:As malicious traffic from botnets now threatens the network infrastructure of Internet Service Providers (ISPs), the importance of controlling botnets is greater than ever before. However, it is not easy to handle rapidly evolving botnets efficiently because of the highly evolved detection avoidance techniques used by botnet makers. Further, nowadays, Distributed Denial of Service (DDoS) attacks can compromise not only specific target sites but also the entire network infrastructure, as high-bandwidth Internet services are now being provided. Thus, ISPs are deploying their own defense systems to prevent DDoS attacks and protect their network infrastructure. However, the new problem ISPs confront is that botnet masters also try to destroy their defense systems to make their attack successful. ISPs can mitigate DDoS through botnet-specific management by taking preemptive measures, such as the proactive reverse engineering of suspicious code and the use of honeypots. This paper illustrates an advanced DDoS defense technique for the use of ISPs with a real case study of the technique's implementation. This technique was proven very effective method for controlling botnets, and we could confirm this effectiveness in a real ISP environment.

show abstract

Section: Standard Proceduresmentioning

confidence: 99%

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

Moon

Choi

Kim

et al. 2014

Appl. Math. Inf. Sci.

View full text Add to dashboard Cite

show abstract

“…The victim system cannot add source IP addresses to the blacklist, because they act as a regular end-user. Evidence reveals that most commonly implemented by botnets are TCP SYN and UDP flooding attacks (Freiling, Holz, & Wicherski, 2005). Exploring the bots in a managed honeypot is one of the most effective prevention mechanisms, which will be discussed in the following chapters.…”

Section: Botnet Attacksmentioning

confidence: 99%

BotNet Detection: Enhancing Analysis by Using Data Mining Techniques

Alparslan¹,

Karahoca²,

Karahoca³

2012

Advances in Data Mining Knowledge Discovery and Applications

View full text Add to dashboard Cite

“…A completely different approach is instead followed in the context of the mwcollect project [13,14], that has recently merged with the nepenthes project. These tools use a set of vulnerability modules to attract bots, analyze their shell code and use download modules to fetch the malware code from the attacking bot.…”

Section: State Of the Artmentioning

confidence: 99%

Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots

Leita

Daciér

Massicotte

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and RolePlayer, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a-priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocols dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.

show abstract

Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Cited by 170 publications

References 9 publications

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks

BotNet Detection: Enhancing Analysis by Using Data Mining Techniques

Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots

Contact Info

Product

Resources

About