Geolocalization of proxied services and its application to fast-flux hidden servers

Castelluccia, Claude; Kâafar, Mohamed Ali; Manils, Pere; Perito, Daniele

doi:10.1145/1644893.1644915

Cited by 16 publications

(7 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, the semantic field of words used in malicious words has a smaller scope than normal ones confirming that attackers targets specific services Table IV represents the value of Sim 3 between the subsets. After preliminary tests, n was set to 100 in equation (7). We can see similar scores for mal/mal and leg/leg comparisons (Sim 3 ∼ 0.95) that are higher than mal/leg (Sim 3 ∼ 0.75).…”

Section: B Resultsmentioning

confidence: 98%

“…Because the main functionality provides a translation of human readable names into machine addresses, it is also used by botnets which are known, as the vector of many other attacks, to be a major threat [1]. Fast-flux [7] consists into naming a phishing website or the C&C (Command and Control) of a botnet with a unique 1 http://www.forensics-intl.com/safeback.html DNS name which points alternatively and rapidely to distinct IP addresses.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Semantic based DNS forensics

Marchai¹,

Jérôme²,

State³

et al. 2012

2012 IEEE International Workshop on Information Forensics and Security (WIFS)

View full text Add to dashboard Cite

Abstract-In network level forensics, Domain Name Service (DNS) is a rich source of information. This paper describes a new approach to mine DNS data for forensic purposes. We propose a new technique that leverages semantic and natural language processing tools in order to analyze large volumes of DNS data. The main research novelty consists in detecting malicious and dangerous domain names by evaluating the semantic similarity with already known names. This process can provide valuable information for reconstructing network and user activities. We show the efficiency of the method on experimental real datasets gathered from a national passive DNS system.

show abstract

Section: B Resultsmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

Semantic based DNS forensics

Marchai¹,

Jérôme²,

State³

et al. 2012

2012 IEEE International Workshop on Information Forensics and Security (WIFS)

View full text Add to dashboard Cite

show abstract

“…Geolocating fast-flux servers. Delay-based geolocation of fast-flux hidden webservers has been proposed [51]; hidden behind proxies, their IP addresses are not known to the client. When geolocating a webserver, the geolocation service provider can first detect that the webserver is hidden behind a proxy by noticing a large difference between the RTTs measured on the network layer (e.g., using ping) and the application layer (e.g., using an HTTP GET).…”

Section: Related Workmentioning

confidence: 99%

Server Location Verification (SLV) and Server Location Pinning

Abdou

Oorschot

2017

ACM Trans. Priv. Secur.

View full text Add to dashboard Cite

We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication (e.g., augmenting TLS) by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any new interoperability conflicts. Additionally, we introduce the notion of (verifiable) server location pinning within TLS (conceptually similar to certificate pinning) to support SLV, and evaluate their combined impact using a server-authentication evaluation framework. The results affirm the addition of new security benefits to the existing SSL/TLS-based authentication mechanisms. We implement SLV through a location verification service, the simplest version of which requires no serverside changes. We also implement a simple browser extension that interacts seamlessly with the verification infrastructure to obtain realtime server location-verification results.

show abstract

“…The DNS is also used for malicious purposes. Similarly to content delivery network, fast-flux service networks rely on DNS round-robin and short TTL [9,19]. Fast-flux is used by malware to hide the location of malicious servers.…”

Section: Malicious Uses and Security Issuesmentioning

confidence: 99%

DNStamp: Short-lived trusted timestamping

2014

View full text Add to dashboard Cite

Trusted timestamping consists in proving that certain data existed at a particular point in time. Existing timestamping methods require either a centralized and dedicated trusted service or the collaboration of other participants using the timestamping service.We propose a novel trusted timestamping scheme, called DNStamp, that does not require a dedicated service nor collaboration between participants. DNStamp produces shortlived timestamps with a validity period of several days. The generation and verification involves a large number of Domain Name System cache resolvers, thus removing any single point of failure and any single point of trust. Any host with Internet access may request or verify a timestamp, with no need to register to any timestamping service. We provide a full description and analysis of DNStamp. We analyze the security against various adversaries and show resistance to forward-dating, back-dating and erasure attacks. Experiments with our implementation of DNStamp show that one can set and then reliably verify timestamps even under continuous attack conditions.

show abstract

Geolocalization of proxied services and its application to fast-flux hidden servers

Cited by 16 publications

References 7 publications

Semantic based DNS forensics

Semantic based DNS forensics

Server Location Verification (SLV) and Server Location Pinning

DNStamp: Short-lived trusted timestamping

Contact Info

Product

Resources

About