Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers

Research Article

Detecting Intermediary Hosts by TCP Latency Measurements

  • @INPROCEEDINGS{10.1007/978-3-642-19513-6_4,
        author={Gurvinder Singh and Martin Eian and Svein Willassen and Stig Mj{\o}lsnes},
        title={Detecting Intermediary Hosts by TCP Latency Measurements},
        proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={5},
        keywords={TCP Latency Intermediary Host Proxy Server Botnet Intrusion Detection Cyber Security},
        doi={10.1007/978-3-642-19513-6_4}
    }
    
  • Gurvinder Singh
    Martin Eian
    Svein Willassen
    Stig Mjølsnes
    Year: 2012
    Detecting Intermediary Hosts by TCP Latency Measurements
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-19513-6_4
Gurvinder Singh1,*, Martin Eian1,*, Svein Willassen1,*, Stig Mjølsnes1,*
  • 1: Norwegian University of Science and Technology
*Contact email: gurvinde@item.ntnu.no, eian@item.ntnu.no, sventy@item.ntnu.no, sfm@item.ntnu.no

Abstract

Use of intermediary hosts as stepping stones to conceal tracks is common in Internet misuse. It is therefore desirable to find a method to detect whether the originating party is using an intermediary host. Such a detection technique would allow the activation of a number of countermeasures that would neutralize the effects of misuse, and make it easier to trace a perpetrator. This work explores a new approach to determining whether a host communicating via TCP is the data originator or merely a TCP proxy. The approach is based on measuring the inter-packet arrival time at the receiving end of the connection only, and correlating the observed results with the network latency between the receiver and the proxy. The results presented here indicate that determining the use of a proxy host is possible if the network latency between the originator and the proxy is larger than the network latency between the proxy and the receiver. We show that this technique has the potential to detect connections where data is sent through a TCP proxy, for example remote login through TCP proxies, or to reject spam sent through a bot network.
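The detection idea in the abstract, worked through as an added example that is not the paper's code nor its exact model: a receiver that ACK-clocks its peer one segment at a time can expect a direct sender to deliver a new segment about once per RTT to that peer, whereas a TCP proxy can only forward segments as fast as its own upstream originator delivers them. The simulator, the slack factor, the decision threshold, the sample RTT values and all function names below are assumptions made for illustration; the constructed arrival timestamps are synthetic, not measurements from the paper.

```python
"""Receiver-side proxy detection from inter-packet arrival gaps (added example).

Simplified model (an assumption, not the paper's exact model): the receiver
ACK-clocks its peer one segment at a time, so a direct sender can emit a new
segment every RTT(peer, receiver).  A TCP proxy additionally has to wait for the
next segment from the originator, whose sender is ACK-clocked by the proxy at
RTT(originator, proxy).  The gap the receiver observes is therefore roughly
max(RTT_op, RTT_pr), and exceeds the RTT it can measure to its peer only when
RTT_op > RTT_pr, which is the condition stated in the abstract.
"""
import random
import statistics


def simulate_arrivals(n_segments, rtt_peer, rtt_upstream=0.0, jitter=0.002, seed=1):
    """Return constructed receiver-side arrival timestamps (seconds).

    rtt_peer:     RTT between the receiver and the host it talks to (direct sender or proxy).
    rtt_upstream: RTT between that host and the true originator; 0.0 means the peer
                  is itself the originator (no proxy).
    jitter:       small uniform delay added to each gap so the gaps are not identical.
    """
    rng = random.Random(seed)  # seeded so the constructed data is reproducible
    t = 0.0
    arrivals = []
    for _ in range(n_segments):
        # The peer needs our ACK (one rtt_peer) and, if it is a proxy, the next
        # upstream segment (one rtt_upstream); both pipelines run concurrently,
        # so the slower one bounds the observed gap.
        t += max(rtt_peer, rtt_upstream) + rng.uniform(0, jitter)
        arrivals.append(t)
    return arrivals


def inter_arrival_times(arrivals):
    """Gaps between consecutive arrivals, measured at the receiver only."""
    return [later - earlier for earlier, later in zip(arrivals, arrivals[1:])]


def median_gap(arrivals):
    """Median inter-arrival gap; under the model above it approximates max(RTT_op, RTT_pr)."""
    return statistics.median(inter_arrival_times(arrivals))


def excess_gap_fraction(gaps, rtt_peer, slack=1.5):
    """Fraction of gaps larger than slack * rtt_peer.

    An ACK-clocked direct sender should rarely exceed its own RTT by that margin;
    a proxy stalled on a slower upstream link does so consistently.  The slack
    factor 1.5 is an assumed tolerance for jitter, not a value from the paper.
    """
    if not gaps:
        return 0.0
    return sum(1 for g in gaps if g > slack * rtt_peer) / len(gaps)


def looks_proxied(arrivals, rtt_peer, slack=1.5, min_fraction=0.5):
    """Decision rule (assumed): flag the peer as a proxy when at least min_fraction
    of the observed gaps cannot be explained by the measured RTT to the peer."""
    gaps = inter_arrival_times(arrivals)
    return excess_gap_fraction(gaps, rtt_peer, slack) >= min_fraction


if __name__ == "__main__":
    rtt_pr = 0.020  # constructed: 20 ms between receiver and its peer
    cases = {
        "direct sender":                   simulate_arrivals(50, rtt_pr),
        "proxy, far originator (150 ms)":  simulate_arrivals(50, rtt_pr, rtt_upstream=0.150),
        "proxy, near originator (10 ms)":  simulate_arrivals(50, rtt_pr, rtt_upstream=0.010),
    }
    for name, arrivals in cases.items():
        print(f"{name:32s} median gap {median_gap(arrivals)*1000:6.1f} ms  "
              f"excess {excess_gap_fraction(inter_arrival_times(arrivals), rtt_pr):.2f}  "
              f"proxied? {looks_proxied(arrivals, rtt_pr)}")
```

The third case is the caveat from the abstract: when the originator sits closer to the proxy than the proxy sits to the receiver, the observed gaps collapse to the receiver-to-peer RTT and the proxy is indistinguishable from a direct sender by this measurement alone.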