Source IP spoofing attacks are a critical issue for the Internet. These attacks are considered to be sent from bot-infected hosts. There has been active research on IP traceback technologies. However, traceback from an end victim host to an end spoofing host has not yet been achieved, due to the lack of traceback probes installed on each routing path. There is a need to replace them with alternative probes in order to reduce the installation cost. In this research, we propose an IP tracking scheme against bots using DNS logs. Many types of bots resolve fully qualified domain names (FQDNs) to IP addresses at the beginning of communication. The proposed scheme checks the DNS logs from the destination back to the source in order to extract the bots. We also propose means to distinguish spoofing from non-spoofing attacks, and to obtain reliable tracking results. We collect bot communication patterns to confirm that the DNS log can serve as a reasonable probe and achieve a high tracking success rate.
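A simplified sketch of the destination-to-source DNS log lookup described above, as an added example rather than the paper's own implementation: given a victim address and an attack start time, it searches a resolver log for clients that resolved a name to that address shortly beforehand, without relying on the packets' source addresses. The log format, the 60-second window, the function names and all addresses are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed resolver log (assumed format): time, querying client, FQDN, answer
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 192.0.2.10 www.example.org 198.51.100.7
2024-05-01T10:00:03 192.0.2.23 shop.example.net 203.0.113.80
2024-05-01T10:00:04 192.0.2.31 shop.example.net 203.0.113.80
2024-05-01T09:20:00 192.0.2.44 shop.example.net 203.0.113.80
2024-05-01T10:00:09 192.0.2.23 shop.example.net 203.0.113.80
truncated-line 192.0.2.99
"""


def parse_dns_log(text):
    """Yield (time, client, fqdn, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def track_candidates(log_text, victim_ip, attack_start,
                     window=timedelta(seconds=60)):
    """Return [(client, lookups)] for clients that resolved a name to
    victim_ip within `window` before attack_start, most lookups first."""
    hits = Counter()
    for ts, client, _fqdn, answer in parse_dns_log(log_text):
        if answer == victim_ip and attack_start - window <= ts <= attack_start:
            hits[client] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    start = datetime(2024, 5, 1, 10, 0, 10)
    for client, n in track_candidates(SAMPLE_DNS_LOG, "203.0.113.80", start):
        print(f"{client} resolved the victim address {n} time(s) before the attack")
```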