Research Article
Detecting Intermediary Hosts by TCP Latency Measurements
@INPROCEEDINGS{10.1007/978-3-642-19513-6_4, author={Gurvinder Singh and Martin Eian and Svein Willassen and Stig Mj\`{u}lsnes}, title={Detecting Intermediary Hosts by TCP Latency Measurements}, proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2012}, month={5}, keywords={TCP Latency Intermediary Host Proxy Server Botnet Intrusion Detection Cyber Security}, doi={10.1007/978-3-642-19513-6_4} }- Gurvinder Singh
Martin Eian
Svein Willassen
Stig Mjølsnes
Year: 2012
Detecting Intermediary Hosts by TCP Latency Measurements
ICDF2C
Springer
DOI: 10.1007/978-3-642-19513-6_4
Abstract
Use of intermediary hosts as stepping stones to conceal tracks is common in Internet misuse. It is therefore desirable to find a method to detect whether the originating party is using an intermediary host. Such a detection technique would allow the activation of a number of countermeasures that would neutralize the effects of misuse, and make it easier to trace a perpetrator. This work explores a new approach in determining if a host communicating via TCP is the data originator or if it is acting as a mere TCP proxy. The approach is based on measuring the inter packet arrival time at the receiving end of the connection only, and correlating the observed results with the network latency between the receiver and the proxy. The results presented here indicate that determining the use of a proxy host is possible, if the network latency between the originator and proxy is larger than the network latency between the proxy and the receiver. We show that this technique has potential to be used to detect connections were data is sent through a TCP proxy, such as remote login through TCP proxies, or rejecting spam sent through a bot network.