Security Basics mailing list archives
RE: Traces
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 16 Dec 2003 14:46:59 -0800
Sorry, I can't think of any off hand. But I'll try and give you a little information, if it helps at all. Depending on the type of attack, how you will trace varies. For example, if you're suffering from a DDoS attack, the chances that the originating IP address is that of the initiator of the attack are slim to none. Additionally, if it's a no-response attack (SYN flood, teardrop), the return path address in the IP header is most likely forged, seeing they don't require return traffic. If you are actually being hacked, by anyone good, they will be tunneling their traffic through ghost-nodes, or in non-me-speak slave systems. These systems allow a hacker to tunnel traffic through them to mask their originating IP address; they will usually have a few of those.

Thank goodness that the vast majority of attacks are virii and script kiddies. These types of attacks don't cover their originating IP address. Now, some 'faeces-throwing-semi-intelligent' script kiddies will use a proxy server (either a public or unsecured proxy) to launch their 'attack'. For them, track down the proxy and contact the owner. Even default unsecured proxies will log some IP/Access/Usage information. Get the IP and track down the netblock owner. Traceroute, DIG and WHOIS are great tools for this. Once I've got my 'suspect' I run a scan against them, usually NESSUS or NMAP or LANGuard, and see if I can garner any more information.

If you're worried about an attack, or are just starting to suffer from one, set up a SNORT Net-IDS box just behind your firewall, next to your DMZ servers, and one outside your firewall or important end points. Personally I log all information from those servers back to a central database and run ACID on a server to view the information. This allows me to see the packet headers and payload, which is very helpful when tracking an attack down. The one tip I can give you is LOG, LOG and LOG some more.
When I have all the 'evidence' I need, from logs, IDS, external sources (proxy/systems/network owners), I contact their ISP/Netblock owner and file a complaint, then supply them with the logs/information I've obtained. If you are suffering from an attack or have a 'specific' question feel free to drop me an email and I'll try to help you out. I hope any of this has been useful.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Gerson Sampaio [mailto:rootbit () yahoo com]
Sent: Tuesday, December 16, 2003 11:58 AM
To: security-basics () securityfocus com
Subject: Traces

Hi list, is there any paper / site on hiding traces of an attack. How to discover a real source of an attacker ?

TIA
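The reply above recommends logging everything, cross-checking IDS and proxy logs, and treating a source address that cannot be routed on the Internet as probably forged before filing a complaint with the netblock owner. The following script, added here as an illustration and not code from the thread, shows one way to assemble that evidence bundle: it parses constructed Snort-style "fast" alert lines and Squid-style proxy access log lines, groups events by source IP, marks whether each source was seen in more than one log (corroborated), and flags sources in RFC 1918, loopback, link-local, multicast and reserved space that should never appear as a genuine Internet origin. The log lines, addresses, signature IDs and the `NON_ROUTABLE` list are all assumptions made for the example; the documentation ranges (198.51.100.0/24, 192.0.2.0/24, 203.0.113.0/24) stand in for public addresses.

```python
"""Correlate IDS alerts and proxy logs by source IP into a per-source evidence
list, flagging non-routable (likely spoofed or internal) sources.
Added example; the sample data below is constructed, not real traffic."""
import ipaddress
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines (assumed format; not real alerts).
SNORT_ALERTS = """\
12/16-11:58:02.123456  [**] [1:2000001:1] CONSTRUCTED SCAN nmap probe [**] [Priority: 2] {TCP} 198.51.100.23:51234 -> 203.0.113.10:80
12/16-11:58:05.654321  [**] [1:2000002:1] CONSTRUCTED SYN flood [**] [Priority: 1] {TCP} 10.0.0.5:1024 -> 203.0.113.10:80
12/16-11:59:40.000001  [**] [1:2000001:1] CONSTRUCTED SCAN nmap probe [**] [Priority: 2] {TCP} 198.51.100.23:51300 -> 203.0.113.11:22
"""

# Constructed Squid-style access log lines: epoch, elapsed ms, client IP,
# result/status, bytes, method, URL, ident, hierarchy, content type.
PROXY_LOG = """\
1071604682.101 120 198.51.100.23 TCP_MISS/200 512 GET http://203.0.113.10/cgi-bin/test - DIRECT/203.0.113.10 text/html
1071604700.220 80 192.0.2.77 TCP_MISS/200 233 GET http://203.0.113.10/ - DIRECT/203.0.113.10 text/html
"""

# Address space that never belongs to a genuine Internet source. A "source"
# in one of these ranges is either spoofed or comes from inside our own net.
# (Deliberately a hand-picked list rather than ipaddress.is_private, which
# would also flag the documentation ranges used as sample data here.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")


def is_routable(ip: str) -> bool:
    """True if the address could plausibly be a real Internet origin."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_snort(text: str) -> list:
    """Extract (timestamp, src, dst, detail) events from Snort fast alerts."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # not an alert line; skip it
        events.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                       "detail": f"IDS {m['sid']} {m['msg']}", "source": "ids"})
    return events


def parse_proxy(text: str) -> list:
    """Extract events from Squid-style access log lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line
        ts, _elapsed, client, _status, _size, method, url = parts[:7]
        events.append({"ts": ts, "src": client, "dst": url,
                       "detail": f"PROXY {method} {url}", "source": "proxy"})
    return events


def build_case(events: list) -> dict:
    """Group events by source IP; note routability and cross-log corroboration."""
    case = defaultdict(lambda: {"events": [], "sources": set()})
    for e in events:
        case[e["src"]]["events"].append(e)
        case[e["src"]]["sources"].add(e["source"])
    for ip, entry in case.items():
        entry["routable"] = is_routable(ip)
        entry["corroborated"] = len(entry["sources"]) > 1
    return dict(case)


def main() -> None:
    case = build_case(parse_snort(SNORT_ALERTS) + parse_proxy(PROXY_LOG))
    for ip, entry in sorted(case.items(), key=lambda kv: -len(kv[1]["events"])):
        flag = "" if entry["routable"] else " (non-routable: likely spoofed or internal)"
        print(f"{ip}{flag}: {len(entry['events'])} events, logs={sorted(entry['sources'])}")
        for e in entry["events"]:
            print(f"    {e['ts']} {e['detail']}")


if __name__ == "__main__":
    main()
```

In the sample data the scanner 198.51.100.23 shows up in both the IDS and the proxy log, which is the kind of corroboration worth attaching to an abuse report, while the SYN-flood "source" 10.0.0.5 is flagged as non-routable and should not be reported to anyone as an external attacker.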
Current thread:
- Traces Gerson Sampaio (Dec 16)
- SV: Traces Kim Guldberg (Dec 16)
- <Possible follow-ups>
- RE: Traces Shawn Jackson (Dec 17)
- RE: Traces Shawn Jackson (Dec 18)