Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks
An increasing number of people are seeing the intersection of malware and automated delivery mechanisms rise in frequency and impact. I've long since looked at worms as an excellent malware distribution platform. The result is often called a 'botnet'. In this paper, three German researchers describe how they can detect the presence of a botnet and infer its structure using very direct techniques.

Denial-of-Service (DoS) attacks pose a significant threat to the Internet today especially if they are distributed, i.e., launched simultaneously at a large number of systems. Reactive techniques that try to detect such an attack and throttle down malicious traffic prevail today but usually require an additional infrastructure to be really effective. In this paper we show that preventive mechanisms can be as effective with much less effort: We present an approach to (distributed) DoS attack prevention that is based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them. To prevent such attacks, it is therefore possible to identify, infiltrate and analyze this remote control mechanism and to stop it in an automated fashion. We show that this method can be realized in the Internet by describing how we infiltrated and tracked IRC-based botnets which are the main DoS technology used by attackers today.

Source: Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, Felix C. Freiling and Thorsten Holz and Georg Wicherski.
May 28, 2005 in defense, honeypots, papers | Permalink
Comments
pls send me more info. thanks
best rgds
amanda
Posted by: amanda gabbie lestari | Jan 28, 2006 12:17:59 PM