Abstract
Source IP spoofing attacks have recently become a critical issue for the Internet. These attacks are believed to originate from bot-infected hosts. IP traceback technologies have been actively researched; however, traceback from the end victim host to the end spoofing host has not yet been achieved, because traceback probes are not installed on every routing path. Alternative probes should be employed to reduce the installation cost. In this research, we propose an IP traceback scheme against bots that uses the DNS logs of existing servers. Many types of bots resolve fully qualified domain names (FQDNs) to obtain the IP addresses of victim hosts at the beginning of an attack. The proposed scheme examines DNS logs from the destination toward the source in order to extract the actual IP addresses of bot-infected hosts. We also propose a scheme to ascertain the reliability of traceback results and a method to distinguish spoofing attacks from non-spoofing attacks. We collect bot communication patterns to confirm that DNS logs can serve as reasonable probes and achieve a high traceback success rate.
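
The correlation the abstract describes, as an added example that is not code from the paper: clients that resolved a name to the victim's address shortly before the attack are extracted from a resolver log and compared with the source addresses seen at the victim. The log format, the 60-second window, the sample addresses and the spoofed/non-spoofed heuristic are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample resolver log (assumed format): "ISO-time client_ip qname answer_ip"
DNS_LOG = """\
2024-01-01T10:00:01 192.0.2.10 www.victim.example 203.0.113.5
2024-01-01T10:00:03 192.0.2.77 www.victim.example. 203.0.113.5
2024-01-01T09:10:00 192.0.2.33 www.victim.example 203.0.113.5
2024-01-01T10:00:02 192.0.2.44 www.other.example 198.51.100.9
truncated-line
"""

def parse_dns_log(text):
    """Yield (time, client_ip, qname, answer_ip) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing their fields
        ts, client, qname, answer = parts
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer

def candidate_sources(log_text, victim_ip, attack_start, window_s=60):
    """Map each client that resolved a name to victim_ip within window_s
    seconds before attack_start to its list of (time, qname) lookups."""
    earliest = attack_start - timedelta(seconds=window_s)
    hits = {}
    for when, client, qname, answer in parse_dns_log(log_text):
        if answer == victim_ip and earliest <= when <= attack_start:
            hits.setdefault(client, []).append((when, qname))
    return hits

def classify(observed_sources, candidates):
    """Assumed heuristic (not the paper's stated method): an observed source
    with no matching lookup is treated as likely spoofed."""
    observed = set(observed_sources)
    return {
        "likely_spoofed": sorted(observed - set(candidates)),
        "non_spoofed": sorted(observed & set(candidates)),
        "traced_hosts": sorted(candidates),
    }
```
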