Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

  • Felix C. Freiling
  • Thorsten Holz
  • Georg Wicherski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


Denial-of-Service (DoS) attacks pose a significant threat to the Internet today especially if they are distributed, i.e., launched simultaneously at a large number of systems. Reactive techniques that try to detect such an attack and throttle down malicious traffic prevail today but usually require an additional infrastructure to be really effective. In this paper we show that preventive mechanisms can be as effective with much less effort: We present an approach to (distributed) DoS attack prevention that is based on the observation that coordinated automated activity by many hosts needs a mechanism to remotely control them. To prevent such attacks, it is therefore possible to identify, infiltrate and analyze this remote control mechanism and to stop it in an automated fashion. We show that this method can be realized in the Internet by describing how we infiltrated and tracked IRC-based botnets which are the main DoS technology used by attackers today.


Remote Control Intrusion Detection System Internet Relay Chat Remote Control Network IEEE Computer Security Foundation Workshop 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    FBI report on Operation Cyberslam (February 2004), Internet: (Accessed March 2005)
  2. 2.
    Hacker threats to bookies probed (February 2004), Internet: (Accessed March 2005)
  3. 3.
    Bellovin, S.M.: ICMP traceback messages, Internet Draft (March 2001)Google Scholar
  4. 4.
    Computer Emergency Response Team. CERT advisory CA-1996-21 TCP SYN Flooding Attacks (1996). Internet:
  5. 5.
    Dittrich, D.: Distributed Denial of Service (DDoS) attacks/tools resource page (2000). Internet:
  6. 6.
    Dornseif, M., Gärtner, F.C., Holz, T.: Vulnerability assessment using honepots. Praxis der Informationsverarbeitung und Kommunikation (PIK) 4(27), 195–201 (2004)CrossRefGoogle Scholar
  7. 7.
    Ferguson, P.: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, Request for Comments: RFC 2827 (May 2000)Google Scholar
  8. 8.
    Fischer, T.: Botnetze. In: Proceedings of 12th DFN-CERT Workshop (March 2005)Google Scholar
  9. 9.
    Garber, L.: Denial-of-service attacks rip the Internet. Computer 33(4), 12–17 (2000)CrossRefGoogle Scholar
  10. 10.
    Johns, M.S.: Identification protocol, Request for Comments: RFC 1413 (February 1993)Google Scholar
  11. 11.
    McCarty, B.: Botnets: Big and bigger. IEEE Security & Privacy 1(4), 87–90 (2003)CrossRefGoogle Scholar
  12. 12.
    Meadows, C.: A formal framework and evaluation method for network denial of service. In: Proceedings of the 1999 IEEE Computer Security Foundations Workshop, pp. 4–13. IEEE Computer Society Press, Los Alamitos (1998)Google Scholar
  13. 13.
    Mirkovic, J., Dietrich, S., Dittrich, D., Reiher, P.: Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, Englewood Cliffs (2004)Google Scholar
  14. 14.
    Mirkovic, J., Reiher, P.: A taxonomy of DDoS attacks and defense mechanisms. ACM SIGCOMM Computer Communications Review 34(2), 39–54 (2004)CrossRefGoogle Scholar
  15. 15.
    Mirkovic, J., Robinson, M., Reiher, P., Kuenning, G.: Alliance formation for DDoS defense. In: Proceedings of the New Security Paradigms Workshop 2003. ACM SIGSAC(August 2003)Google Scholar
  16. 16.
    Provos, N.: A virtual honeypot framework. In: Proceedings of 13th USENIX Security Symposium (2004)Google Scholar
  17. 17.
    Savage, S., Wetherall, D., Karlin, A.R., Anderson, T.: Practical network support for IP traceback. In: Proceedings of the 2000 ACM SIGCOMM Conference, pp. 295–306 (August 2000)Google Scholar
  18. 18.
    Schneier, B.: Inside risks: semantic network attacks. Communications of the ACM 43(12), 168–168 (2000)CrossRefGoogle Scholar
  19. 19.
    Schuba, C.L., Krsul, I.V., Kuhn, M.G., Spafford, E.H., Sundaram, A., Zamboni, D.: Analysis of a denial of service attack on TCP. In: Proceedings of the 1997 IEEE Symposium on Security and Privacy, May 1997, pp. 208–223. IEEE Computer Society Press, Los Alamitos (1997)Google Scholar
  20. 20.
    Song, D.X., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proceedings of IEEE Infocom 2001 (April 2001)Google Scholar
  21. 21.
    The Honeynet Project. Know Your Enemy: GenII Honeynets (November 2003),
  22. 22.
    The Honeynet Project. Know your Enemy: Tracking Botnets (March 2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Felix C. Freiling
    • 1
  • Thorsten Holz
    • 1
  • Georg Wicherski
    • 1
  1. 1.Laboratory for Dependable Distributed SystemsRWTH Aachen University 

Personalised recommendations