Detecting Intermediary Hosts by TCP Latency Measurements

  • Conference paper
  • In: Digital Forensics and Cyber Crime (ICDF2C 2010)

Abstract

Use of intermediary hosts as stepping stones to conceal tracks is common in Internet misuse. It is therefore desirable to find a method to detect whether the originating party is using an intermediary host. Such a detection technique would allow the activation of a number of countermeasures that would neutralize the effects of misuse, and make it easier to trace a perpetrator. This work explores a new approach to determining whether a host communicating via TCP is the data originator or whether it is acting as a mere TCP proxy. The approach is based on measuring the inter-packet arrival time at the receiving end of the connection only, and correlating the observed results with the network latency between the receiver and the proxy. The results presented here indicate that determining the use of a proxy host is possible if the network latency between the originator and the proxy is larger than the network latency between the proxy and the receiver. We show that this technique has the potential to detect connections where data is sent through a TCP proxy, such as remote login through TCP proxies, or to reject spam sent through a bot network.
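As an added illustration (not the paper's code, and the ratio test, thresholds and function names are assumptions, since the abstract does not state the paper's exact statistic), a small Python check that treats a peer as a likely relay when the pauses between data bursts seen at the receiver are well above the RTT measured to that peer:

```python
"""Added example (not from the paper): flag a TCP peer as a likely relay when
the pauses between data bursts seen at the receiver are well above the RTT
measured to that peer. The ratio test and thresholds are assumptions; the
abstract does not state the paper's exact statistic."""
from statistics import median


def inter_packet_gaps(arrivals):
    """Gaps (seconds) between consecutive packet arrival times at the receiver."""
    return [b - a for a, b in zip(arrivals, arrivals[1:])]


def dominant_pause(gaps, min_gap):
    """Median of the gaps that separate bursts; gaps below min_gap are treated
    as intra-burst spacing and ignored."""
    pauses = [g for g in gaps if g >= min_gap]
    return median(pauses) if pauses else 0.0


def looks_proxied(arrivals, rtt_to_peer, ratio=1.5):
    """Return (flag, pause). A direct, ACK-clocked sender delivers a burst
    roughly every RTT to the peer; if the observed pause is well above that,
    the data is being clocked by a longer upstream path, i.e. a relay."""
    gaps = inter_packet_gaps(arrivals)
    pause = dominant_pause(gaps, min_gap=rtt_to_peer / 4)
    return pause > ratio * rtt_to_peer, pause


def burst_arrivals(n_bursts, period, per_burst=4, intra=0.0005):
    """Constructed timestamps: n_bursts bursts of per_burst packets, one burst
    every `period` seconds, with 1 ms of alternating jitter."""
    out = []
    for i in range(n_bursts):
        base = i * period + (0.001 if i % 2 else 0.0)
        out.extend(base + k * intra for k in range(per_burst))
    return out


# Constructed scenarios: the RTT to the peer we see is 20 ms in both cases.
RTT_TO_PEER = 0.020
DIRECT = burst_arrivals(20, period=0.021)    # bursts paced by the 20 ms RTT
PROXIED = burst_arrivals(20, period=0.150)   # paced by a 150 ms upstream RTT

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT), ("proxied", PROXIED)):
        flag, pause = looks_proxied(trace, RTT_TO_PEER)
        print(f"{name}: pause={pause * 1000:.1f} ms relay_suspected={flag}")
```

The check only works in the direction the abstract states: when the upstream originator-to-proxy latency is smaller than the proxy-to-receiver RTT, the pauses match a direct connection and nothing is flagged.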




Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Singh, G., Eian, M., Willassen, S.Y., Mjølsnes, S.F. (2011). Detecting Intermediary Hosts by TCP Latency Measurements. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_4

  • DOI: https://doi.org/10.1007/978-3-642-19513-6_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19512-9

  • Online ISBN: 978-3-642-19513-6
