Network security is a comprehensive and complex endeavor, and no security measure can guarantee absolute safety. Therefore, for certain critical departments, once a network is attacked, it becomes crucial to trace the network attack, identify the attacker, and bring them to justice.
Tracking network attacks means identifying the origin of the incident. It has two key aspects: the first is finding the IP address, MAC address, or the authenticated hostname; the second is determining the identity of the attacker. When attackers carry out or complete their actions, they inevitably leave behind some traces, such as login records, changes to file permissions, and other virtual evidence. The greatest challenge in tracking network attacks lies in properly handling such virtual evidence.
Another issue to consider when tracking a network attack is: an IP address is a virtual address rather than a physical one, and it is easily forged. Most attackers use IP spoofing techniques. This makes the traced attack source inaccurate and makes identifying the attacker based on the IP address significantly more challenging. Therefore, it is essential to adopt methods to uncover their deception and determine the true IP address of the attack source.
`netstat` Command: Real-Time Observation of Attackers
The `netstat` command allows you to obtain the IP addresses of all network users connected to the host under inspection. Operating systems such as Windows, Unix, and Linux can all utilize the `netstat` command.
The limitation of using `netstat` is that it only displays the current connections. If an attacker is not connected at the moment you run the `netstat` command, their traces will not be discovered. Therefore, you can use a scheduling tool (e.g., Scheduler) to set up a periodic task that runs the `netstat` command at regular intervals and appends the output to a text file using the format `netstat >> textfile`. This file will provide useful data for attack tracing when needed.
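As an added example (not code from the original article), the scheduled `netstat >> textfile` loop described above, with one change a practitioner needs: each snapshot is stamped with the time it was taken, and a parser turns the accumulated file into a per-remote-address timeline. The file name, the `### ` snapshot marker and the sample history are assumptions constructed for this example.

```python
import datetime
import re
import subprocess
from collections import defaultdict

LOG_PATH = "netstat_history.txt"  # assumed file name, not from the article

def snapshot(log_path=LOG_PATH):
    """Append one timestamped netstat snapshot; schedule this with cron or
    Task Scheduler. '-n' keeps addresses numeric so no DNS lookup slows or
    alters the record."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    with open(log_path, "a") as fh:
        fh.write(f"### {stamp}\n{out}\n")

# Proto, optional Recv-Q/Send-Q (Linux layout), local address, then the foreign IPv4:port.
_CONN = re.compile(
    r"^\s*(tcp|udp)\S*\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})[:.](\d+)", re.I)

def remote_peers(history_text):
    """Map each remote IPv4 address to the set of snapshot timestamps it
    appeared in, so a peer's presence can be placed on a timeline."""
    seen, stamp = defaultdict(set), None
    for line in history_text.splitlines():
        if line.startswith("### "):
            stamp = line[4:].strip()
            continue
        m = _CONN.match(line)
        if m and stamp:
            seen[m.group(3)].add(stamp)
    return dict(seen)

# Constructed sample of the accumulated file (Linux netstat -n layout).
SAMPLE_HISTORY = """### 2024-01-01T00:00:00+00:00
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      TIME_WAIT
### 2024-01-01T00:10:00+00:00
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.9:51300       ESTABLISHED
"""
```

The parser accepts both the Linux layout (with the Recv-Q/Send-Q columns) and the Windows layout (without them), but only IPv4 foreign addresses.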
Log Data: The Most Detailed Records of Attacks
System logs provide detailed information about user activities during logins. Log data is one of the most direct and effective forms of evidence during an attack investigation. However, some systems may not have comprehensive log data, and attackers often attempt to delete their traces from the system logs. To address this, it is essential to implement measures to ensure the integrity of log data.
Unix and Linux Logs
Unix and Linux log files provide detailed records of user activities, including usernames of logged-in users, user IP addresses, port numbers, login and logout times, the most recent login for each ID, terminal information, executed commands, and account details. These logs can provide critical information, such as `ttyname` (terminal number) and source addresses, which are crucial for tracing network attacks.
Many attackers delete their activity records from logs, and user-oriented programs (UOP) or X Windows-based activities are often not logged, creating difficulties for investigators. To counter this, tools like wrappers can be deployed in the system to record service requests and user activities discreetly, making it difficult for attackers to erase their traces.
Windows NT and Windows 2000 Logs
Windows NT and Windows 2000 have three kinds of logs: system logs, security logs, and application logs. Security-related data is stored in the security logs, which record login information about users. The information contained in the security logs depends on system configuration. Therefore, configuring log settings to capture critical security data is vital for ensuring system protection.
However, the security logs on Windows NT and Windows 2000 have a significant flaw: they do not log the source of events. This omission makes it impossible to trace the origin of an attack using security logs alone. To solve this, you can deploy third-party tools capable of recording complete auditing data.
Firewall Logs
As the "fortress" of a network system, firewalls are much harder for attackers to compromise. Therefore, firewall log data is relatively more reliable and less prone to tampering. These logs provide some of the most ideal information about the source addresses of attacks.
However, firewalls are not entirely immune to attacks. Attackers may compromise the firewall, or launch denial-of-service attacks that disable its functionality or slow its response. This could corrupt or delete firewall logs. Before using firewall log data, specialized tools should be employed to verify the logs' integrity to ensure accurate tracing.
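The integrity measures called for in the Log Data section and again for firewall logs just above can be implemented as a hash chain over the log lines: each entry's digest covers the previous digest, so a modified, deleted or truncated entry breaks every digest after it. This is an added example, not code from the article. It assumes the final digest is copied off the logging host after each sealing run; an attacker who can rewrite both the log and that off-box copy can rebuild the chain, so the copy is what makes the check meaningful. The sample firewall lines are constructed.

```python
import hashlib

SEED = "log-chain-seed"  # assumed fixed starting value for the chain

def chain_digest(prev_digest, line):
    """Digest of one entry: SHA-256 over the previous digest and the line."""
    return hashlib.sha256(prev_digest.encode() + b"\n" + line.encode()).hexdigest()

def seal_log(lines, seed=SEED):
    """Return (sealed_lines, final_digest). Each sealed line is the original
    line plus a tab and the chain digest up to and including it; the final
    digest is the value to store off the logging host."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    sealed = []
    for line in lines:
        digest = chain_digest(digest, line)
        sealed.append(f"{line}\t{digest}")
    return sealed, digest

def verify_log(sealed_lines, expected_final, seed=SEED):
    """Recompute the chain. Returns -1 when every entry and the stored final
    digest agree, the index of the first entry whose digest no longer fits
    (modification or deletion before it), or len(sealed_lines) when the
    entries check out but the chain ends early (trailing entries removed)."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(sealed_lines):
        line, _, stored = entry.rpartition("\t")
        digest = chain_digest(digest, line)
        if digest != stored:
            return i
    return -1 if digest == expected_final else len(sealed_lines)

# Constructed sample firewall log (not from a real device).
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z DROP 203.0.113.9:51234 -> 10.0.0.5:22",
    "2024-01-01T00:00:02Z ACCEPT 198.51.100.7:40001 -> 10.0.0.5:80",
    "2024-01-01T00:00:03Z DROP 203.0.113.9:51235 -> 10.0.0.5:22",
]
```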
Raw Data Packets: A More Reliable Analysis Method
Since system hosts themselves could be compromised, obtaining attacker data solely through system logs is not always reliable. Capturing raw data packets and analyzing them is another critical and relatively reliable method for identifying the source of an attack.
Packet Header Analysis
A sample packet header is shown in Table 1. The first line in the table contains the most useful data points, particularly the last eight hex digits (four bytes), which hold the source address. In this example, the source IP address is derived from that final section: `0xd2`, `0x1d`, `0x84`, `0x96`, which corresponds to the IP address 210.45.132.150. Analyzing packet headers yields reliable IP addresses because attackers cannot easily delete or modify raw packets after they have been captured. However, if attackers encrypt their packets, analyzing the raw data becomes ineffective.
Data Packet Capture
Capturing packets is challenging in switched network environments since switches and hubs operate differently by design. Hubs broadcast data to all connected devices, making it easier to capture packets. Switches, on the other hand, establish temporary direct connections between specific ports, complicating packet capture for unintended devices. To address this, consider the following two approaches:
1. Configure a "spanning port" on a switch to act like a hub. The traffic going through this port will be broadcast rather than directed, and a packet capture host can intercept the data. However, only one port can act as a spanning port at a time, so multiple hosts' packets cannot be captured simultaneously.
2. Insert a hub between switches or between a switch and router. The packet capture host connected to the hub can then intercept the desired data.
When capturing packets to identify an attacker's source address, be mindful of two major concerns:
- Ensure sufficient storage space on the capture host, as high network traffic can quickly saturate disk capacity.
- Develop or use automated programs to analyze packet data. Manual analysis is impractical due to the vast volume of captured data.
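An added example (not part of the original article) that carries out both the header analysis described under Packet Header Analysis (bytes 12 to 15 of the IPv4 header are the source address, bytes 16 to 19 the destination) and the automated analysis the second concern above calls for: a pure-Python walker over a classic libpcap file that tallies IPv4 source addresses. The pcap builder, its addresses and the MAC values are constructed test input; the reader is assumed to be a "classic" pcap (not pcapng) with an Ethernet link type.

```python
import struct
from collections import Counter

def parse_ipv4_header(data):
    """Decode the fixed 20-byte IPv4 header (RFC 791) from raw bytes."""
    if len(data) < 20:
        raise ValueError("short header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    src = ".".join(str(b) for b in data[12:16])  # bytes 12-15: source address
    dst = ".".join(str(b) for b in data[16:20])  # bytes 16-19: destination address
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto, "src": src, "dst": dst}

def count_sources_in_pcap(pcap_bytes):
    """Walk a classic libpcap file (Ethernet link type) and tally the source
    address of every IPv4 frame; other frames and truncated headers are skipped."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset, tally = 24, Counter()  # the 24-byte global header precedes the records
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType 0x0800 = IPv4
            try:
                tally[parse_ipv4_header(frame[14:])["src"]] += 1
            except ValueError:
                pass
    return tally

def build_sample_pcap(src_list, dst="10.0.0.5"):
    """Constructed test input (not a real capture): one empty IPv4 packet per source."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, src in enumerate(src_list):
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 20, i, 0, 64, 6, 0)
        ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1704067200 + i, 0, len(frame), len(frame)) + frame
    return out
```

Run over the four source bytes quoted in the header analysis, `parse_ipv4_header` returns 210.29.132.150, since `0x1d` is decimal 29.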
Search Engines: A Potentially Surprising Approach
While using search engines to track an attacker's IP address might seem theoretically unfounded, it can sometimes lead to unexpected breakthroughs. Hackers often gather in online communities to discuss attack techniques, share resources, and boast about their exploits. These activities can inadvertently expose critical information about their identity or the source of the attack.
By leveraging search engines like Google or specialized ones, you can search for domain names, IP addresses, or hostnames associated with suspicious activity. Posts or discussions related to an attack may contain clues about the attacker's identity, as some individuals may negligently use their real IP addresses.
Since online posts are not always reliable, using this method without additional verification could risk implicating innocent users. Nevertheless, when combined with other methods, search engines can serve as an effective supplementary tool in tracking attackers.