Geolocalization of Proxied Services and Its Application to Fast-Flux Hidden Servers
Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers: a constantly changing set of compromised front-end hosts relays client traffic to the real server, so the address that clients see is never the server's own. Its purpose is to evade identification and to prevent, or at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the roots of fast-flux networks (the mothership servers) from network measurements. The authors performed an extensive set of measurements on PlanetLab to validate their method and evaluate its performance in a controlled environment. These experiments showed that, with their framework, fast-flux servers can be localized with mean distance errors similar to those obtained for non-hidden servers, i.e. approximately 100 km.
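As an added illustration, not code from the paper, the following Python sketch shows one way latency measurements can locate a server hidden behind proxies. Everything in it is an assumption made for the example: that each fast-flux front end (proxy) has a known position, that a network-level RTT (such as a TCP handshake) is answered by the proxy itself while an application-level RTT (such as an HTTP request) is forwarded to the mothership, so that their difference approximates the proxy-to-mothership RTT, and that a fixed calibration constant converts RTT into distance. The proxies, RTTs and the "true" mothership location are constructed so the example runs offline.

```python
"""Latency-based geolocation of a server hidden behind proxies.

Added illustration (not the paper's code). Assumptions, labelled here and in
comments: each fast-flux front end (proxy) has a known location; a TCP-level
RTT to the proxy (net_rtt) is answered by the proxy itself, while an
application-level RTT (app_rtt) is forwarded to the hidden mothership, so
app_rtt - net_rtt approximates the proxy-to-mothership RTT; a fixed effective
propagation speed converts RTT to distance. All measurements are constructed.
"""
import math

EARTH_RADIUS_KM = 6371.0
# Assumed calibration: kilometres of great-circle distance per millisecond of
# RTT (light in fibre ~200 km/ms one way, so ~100 km per RTT-ms). A real
# deployment calibrates this against landmarks of known position.
KM_PER_RTT_MS = 100.0
# Assumed fixed forwarding overhead added by the proxy (queueing, parsing).
PROXY_OVERHEAD_MS = 1.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def proxy_to_mothership_rtt_ms(app_rtt_ms, net_rtt_ms):
    """Estimate the RTT between a proxy and the hidden server it fronts.

    The network-level RTT terminates at the proxy; the application-level RTT
    includes the extra leg to the mothership. Their difference, minus the
    assumed forwarding overhead, is the proxy-to-mothership RTT. Clamped at
    zero so a noisy sample cannot yield a negative distance.
    """
    return max(0.0, app_rtt_ms - net_rtt_ms - PROXY_OVERHEAD_MS)


def estimate_hidden_location(proxies, lat_range=(35.0, 60.0), lon_range=(-10.0, 25.0)):
    """Multilaterate the mothership from several proxies with known positions.

    proxies: list of dicts {lat, lon, net_rtt_ms, app_rtt_ms}.
    Each proxy yields an estimated distance to the mothership; the estimate is
    the point minimising the sum of squared distance residuals, found by a
    coarse-to-fine grid search over the given bounding box.
    Returns (lat, lon, rms_residual_km).
    """
    targets = [(p["lat"], p["lon"],
                proxy_to_mothership_rtt_ms(p["app_rtt_ms"], p["net_rtt_ms"]) * KM_PER_RTT_MS)
               for p in proxies]

    def cost(lat, lon):
        return sum((haversine_km(lat, lon, plat, plon) - d) ** 2 for plat, plon, d in targets)

    def grid_min(lat_lo, lat_hi, lon_lo, lon_hi, step):
        best = None
        lat = lat_lo
        while lat <= lat_hi:
            lon = lon_lo
            while lon <= lon_hi:
                c = cost(lat, lon)
                if best is None or c < best[0]:
                    best = (c, lat, lon)
                lon += step
            lat += step
        return best

    # Coarse pass over the whole box, then refine around the coarse optimum.
    c, lat, lon = grid_min(lat_range[0], lat_range[1], lon_range[0], lon_range[1], 0.5)
    c, lat, lon = grid_min(lat - 1.0, lat + 1.0, lon - 1.0, lon + 1.0, 0.05)
    return lat, lon, math.sqrt(c / len(targets))


# Constructed scenario: mothership in Paris, four flux agents (proxies) in
# Berlin, Madrid, London and Rome. RTTs are synthesised from the true
# distances with the same calibration plus small fixed jitter, so the example
# runs offline; real inputs would come from TCP- and HTTP-level probes.
TRUE_MOTHERSHIP = (48.8566, 2.3522)


def _synth(lat, lon, net_rtt_ms, jitter_ms):
    d = haversine_km(lat, lon, *TRUE_MOTHERSHIP)
    return {"lat": lat, "lon": lon, "net_rtt_ms": net_rtt_ms,
            "app_rtt_ms": net_rtt_ms + PROXY_OVERHEAD_MS + d / KM_PER_RTT_MS + jitter_ms}


SAMPLE_PROXIES = [
    _synth(52.5200, 13.4050, 18.0, +0.3),   # Berlin
    _synth(40.4168, -3.7038, 31.0, -0.2),   # Madrid
    _synth(51.5074, -0.1278, 12.0, +0.5),   # London
    _synth(41.9028, 12.4964, 27.0, -0.4),   # Rome
]


def localisation_error_km(proxies=SAMPLE_PROXIES):
    """Distance between the estimate and the constructed true location."""
    lat, lon, _ = estimate_hidden_location(proxies)
    return haversine_km(lat, lon, *TRUE_MOTHERSHIP)


if __name__ == "__main__":
    lat, lon, rms = estimate_hidden_location(SAMPLE_PROXIES)
    print(f"estimate: {lat:.2f}, {lon:.2f}  rms residual {rms:.0f} km  "
          f"error {localisation_error_km():.0f} km")
```

The point of the subtraction in `proxy_to_mothership_rtt_ms` is that a proxy cannot hide the extra propagation delay it introduces: any request the proxy must forward is slower than one it can answer itself, and that gap scales with the distance to the hidden server. With the small jitter used here the estimate lands well inside the roughly 100 km error reported in the abstract; with real measurements the calibration constant, the proxy overhead and path inflation dominate the error, which is why such a framework needs landmarks of known position to calibrate against.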