How to find a network attack source

Source: Internet
Author: User
Tags: join, switches, system log, first row, port number, firewall, linux

Network security is a comprehensive and complex undertaking, and no set of security measures can guarantee that a system is foolproof. When the network of an important organization is attacked, it is therefore essential to know how to trace the attack back to its source so that the attacker can be identified and brought to justice.

Tracing a network attack means finding the source of the events that occurred. This has two meanings: one is discovering the IP address, MAC address or authenticated host name of the source, the other is identifying the attacker as a person. An attacker inevitably leaves clues behind, such as login records and changes to file permissions; handling this digital evidence correctly is the biggest challenge in tracing a network attack.

Another issue to consider when tracing a network attack is that an IP address is a virtual address rather than a physical one, and IP addresses are easily forged; most attackers use IP address spoofing, so an attack source traced only to an IP address may be wrong. This makes it more difficult to find an attacker from an IP address alone. Methods are therefore needed to see through the attacker's spoofing and find the true IP address of the attack source.

★ netstat command----view attackers in real time

The netstat command lists the IP addresses of all remote hosts currently connected to the host under examination. It is available on the common network operating systems: the Windows family, the UNIX series, Linux and so on.

The disadvantage of netstat is that it only shows current connections: if the attacker is not connected at the moment netstat is run, no trace of the attacker is found. To compensate, use the system scheduler to run netstat at a fixed interval and append each check's output to a text file (netstat >> textfile), so that the record is available when an attack is later traced.
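Once the scheduled job has been appending snapshots for a while, the text file is only useful if something summarizes it. The following Python script is an added example, not code from the original article: it assumes the job wrote a timestamp header line (`=== <ISO time> ===`) before each `netstat -an` output, and the two-snapshot sample log is constructed. It reports, per remote address, when it was first and last seen connected, how many snapshots it appeared in, and which local ports it talked to, while ignoring LISTEN sockets and local-only addresses so they are not mistaken for remote peers.

```python
"""Summarize `netstat -an` snapshots appended to a text file on a schedule.

Added example (not from the original article). It assumes the scheduled
job wrote a header line before each snapshot, e.g. on Linux:
    date -u +"=== %Y-%m-%dT%H:%M:%SZ ===" >> conn.log; netstat -an >> conn.log
The header format and the sample log below are constructed for this example.
"""
import re

HEADER_RE = re.compile(r"^=== (\S+) ===$")
# Linux-style `netstat -an` row: proto recv-q send-q local foreign [state]
ROW_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(\S*)$")
LOCAL_ONLY = {"0.0.0.0", "*", "::", "127.0.0.1", "::1"}

# Constructed sample: two snapshots, five minutes apart.
SAMPLE_LOG = """\
=== 2024-05-01T10:00:00Z ===
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51544      ESTABLISHED
=== 2024-05-01T10:05:00Z ===
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51602      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def split_host_port(addr):
    """'198.51.100.7:51544' -> ('198.51.100.7', '51544'); rpartition also copes with IPv6 text."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_snapshots(text):
    """Return {remote_ip: {"first": ts, "last": ts, "count": n, "local_ports": set}}.

    Only established TCP connections to non-local peers are kept, so LISTEN
    sockets and unbound UDP sockets do not show up as remote peers.
    """
    seen = {}
    ts = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ts = m.group(1)   # every row until the next header belongs to this snapshot
            continue
        m = ROW_RE.match(line)
        if not m or ts is None:
            continue          # banner/column-header lines, or rows before any timestamp
        proto, local, foreign, state = m.groups()
        if proto.startswith("tcp") and state != "ESTABLISHED":
            continue
        remote_ip, _ = split_host_port(foreign)
        if remote_ip in LOCAL_ONLY:
            continue
        _, local_port = split_host_port(local)
        entry = seen.setdefault(remote_ip, {"first": ts, "last": ts, "count": 0, "local_ports": set()})
        entry["last"] = ts
        entry["count"] += 1
        entry["local_ports"].add(local_port)
    return seen


def report(seen):
    """One line per remote address, most frequently seen first."""
    rows = sorted(seen.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip:15} seen {e['count']}x from {e['first']} to {e['last']} "
            f"on local ports {sorted(e['local_ports'])}" for ip, e in rows]


if __name__ == "__main__":
    print("\n".join(report(parse_snapshots(SAMPLE_LOG))))
```

The first/last timestamps are only as fine-grained as the scheduler interval, so a connection shorter than the interval can still be missed; the script narrows the window an attacker was present, it does not replace a continuous record.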

★ Log Data--the most detailed attack record

The system's log data provides detailed user login information, and it is the most direct and effective evidence for tracing a network attack. But some systems keep imperfect logs, and attackers often delete their activity from the system log. Remedial measures are therefore needed to ensure the integrity of the log data.

Logs for UNIX and Linux

Unix and Linux log files record a user's activities in considerable detail: the user name of the login ID, the user's IP address, the port number, login and logout times, the most recent login time for each ID, the terminal used to log in, the commands executed, and the account information of the user ID. In particular, this information gives the ttyname (terminal number) and the source address, which is the most important data for tracing a network attack.

Most attackers delete their activity records from the logs, and UOP and X-Windows activities are often not logged at all, which makes the tracer's work difficult. To address this, a wrapper tool can be run on the system: it records the user's service requests and all activities, is hard for an attacker to detect, and effectively prevents attackers from erasing their activity records.

Windows NT and Windows 2000 logs

Windows NT and Windows 2000 keep three logs: the system log, the security log and the application log. Security-related data goes into the security log, which records information about logged-in users. What the security log contains is determined by its configuration, so it should be configured according to the security requirements in order to obtain the data needed to secure the system.

However, the Windows NT and Windows 2000 security logs have a significant flaw: they do not record the source of an event, so the attacker's source address cannot be traced from the security log alone. To solve this, a third-party tool that records complete audit data can be installed.

Firewall log

As the "bastion host" of a network, the firewall is much less likely to be compromised by an attacker. Its log data is therefore less easily modified, and it provides the most reliable source-address information about the origin of an attack.

However, a firewall is not impossible to breach, and its log can also be deleted or modified. An attacker can also launch a denial-of-service attack against the firewall, disabling it or at least slowing it down so that it cannot respond to events in time, which damages the integrity of the firewall log. Before relying on the firewall log, therefore, run a dedicated tool to check its integrity, so that incomplete data does not delay the trace.
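One way to make such an integrity check possible is to seal each exported firewall log line with a keyed hash that also covers the previous line's tag, so that deleting or editing any line breaks the chain. The script below is an added example, not a tool from the original article: the key, the iptables-style log lines and the `hmac=` suffix format are all constructed for it. The last tag is meant to be stored off the firewall as well, because a chain alone cannot detect lines cut from the end of the file.

```python
"""Detect deleted, altered or truncated firewall log lines with an HMAC chain.

Added example (not from the original article). Each exported line gets a tag
computed over the line and the previous line's tag, with a key held off the
firewall; the last tag is also stored off-host so that cutting lines from the
end of the file is detected too. The key and the log lines are constructed.
"""
import hashlib
import hmac

GENESIS = "0" * 64             # tag "before" the first line
KEY = b"constructed-demo-key"  # in practice: a secret kept on the log collector, not the firewall

# Constructed iptables-style log lines.
SAMPLE_LINES = [
    "May  1 10:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "May  1 10:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "May  1 10:00:05 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
]


def line_tag(key, prev_tag, line):
    """HMAC-SHA256 over (previous tag, line): links each record to its predecessor."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\n")
    mac.update(line.encode())
    return mac.hexdigest()


def seal_log(lines, key):
    """Append ' hmac=<tag>' to every line. Returns (sealed_lines, last_tag)."""
    prev = GENESIS
    sealed = []
    for line in lines:
        prev = line_tag(key, prev, line)
        sealed.append(f"{line} hmac={prev}")
    return sealed, prev


def verify_log(sealed, key, expected_last_tag=None):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record).

    A deleted or edited line breaks the chain at that position. Deleting lines
    from the *end* keeps the chain valid, so pass the last tag recorded off-host
    to catch truncation as well (reported at index len(sealed)).
    """
    prev = GENESIS
    for i, record in enumerate(sealed):
        body, sep, tag = record.rpartition(" hmac=")
        if not sep or not hmac.compare_digest(tag, line_tag(key, prev, body)):
            return False, i
        prev = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(sealed)
    return True, None


if __name__ == "__main__":
    sealed, last = seal_log(SAMPLE_LINES, KEY)
    print("intact:   ", verify_log(sealed, KEY, last))
    print("deleted:  ", verify_log(sealed[:1] + sealed[2:], KEY, last))
    print("truncated:", verify_log(sealed[:-1], KEY, last))
```

The sealing step has to run where the attacker cannot reach the key, typically on a separate log collector that receives the firewall's lines as they are produced; if the key sat on the firewall itself, whoever altered the log could simply re-seal it.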

★ The original data packet----a more reliable analysis method

Because any host on the system may have been compromised, it is sometimes unreliable to rely on system logs for information about the attacker. Capturing the raw packets and analyzing their data is therefore another important and more reliable way to determine the source of the attack.

Packet header data analysis

Table 1 shows the IP header data of a raw packet. The first row of the table is the most useful: its last 8 hex digits are the source address. In this example they are 0xd2, 0x1d, 0x84, 0x96, corresponding to the IP address 210.45.132.150. Analyzing the header data of raw packets gives a more reliable attacker IP address, because these data cannot be deleted or modified after the fact. The method is not perfect, however: if the attacker encrypts the packets, analyzing the captured packets is of little use.

Table 1 IP header data

0x0000 45c0 c823 0000 d306 6002 2C06 d21d 8496
0x0010 22ab b365 c234 0000 0000 4066 DD1D 8818
0x0020 7034 ecf8 0000 5b88 7708 b901 4a88 de34
0x0030 9812 a5c6 0011 8386 9618 0000 A123 6907
0x0040 55c5 0023 3401 0000 5505 b1c5 0000 0000
0x0050 0000 0000 0000 0000 0000
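Reading the source address off a hex dump by eye is error-prone, so here is an added example (not code from the original article) that decodes the fixed 20-byte IPv4 header from a dump in Table 1's layout: it drops the offset column, converts the hex digits to bytes, and reads version, header length, total length, TTL, protocol, header checksum and the source and destination addresses. The only input is Table 1 itself, copied verbatim. Note that the four source bytes d2 1d 84 96 decode to 210.29.132.150, since 0x1d is decimal 29 (45 would be 0x2d); the parser also reports that the header checksum of this dump does not verify, which for a real capture would itself be a sign that the bytes were altered or mis-transcribed.

```python
"""Decode an IPv4 header from a hex dump laid out like Table 1.

Added example (not from the original article). TABLE_1 is the table copied
verbatim; everything else is this example's own code.
"""

TABLE_1 = """\
0x0000 45c0 c823 0000 d306 6002 2C06 d21d 8496
0x0010 22ab b365 c234 0000 0000 4066 DD1D 8818
0x0020 7034 ecf8 0000 5b88 7708 b901 4a88 de34
0x0030 9812 a5c6 0011 8386 9618 0000 A123 6907
0x0040 55c5 0023 3401 0000 5505 b1c5 0000 0000
0x0050 0000 0000 0000 0000 0000
"""

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def hexdump_to_bytes(dump):
    """Turn 'offset hhhh hhhh ...' lines into bytes; the offset column is dropped."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].lower().startswith("0x"):
            parts = parts[1:]
        out.extend(bytes.fromhex("".join(parts)))  # fromhex accepts upper and lower case
    return bytes(out)


def ipv4_checksum_ok(header):
    """One's-complement sum of all header words (checksum field included) must be 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)      # one last fold in case the carry reappeared
    return total == 0xFFFF


def parse_ipv4_header(packet):
    """Return the fixed IPv4 header fields; raise ValueError if this is not an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes")
    version = packet[0] >> 4
    header_len = (packet[0] & 0x0F) * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    proto = packet[9]
    return {
        "version": version,
        "header_len": header_len,
        "total_length": int.from_bytes(packet[2:4], "big"),
        "ttl": packet[8],
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum_ok(packet[:header_len]),
        "src": ".".join(str(b) for b in packet[12:16]),  # last 4 bytes of the first 16-byte row
        "dst": ".".join(str(b) for b in packet[16:20]),  # first 4 bytes of the second row
    }


if __name__ == "__main__":
    for field, value in parse_ipv4_header(hexdump_to_bytes(TABLE_1)).items():
        print(f"{field:14} {value}")
```

The same parser works on any dump in this offset-plus-hex layout, so it can be pointed at a file of captured packets and the source addresses tallied instead of read off one at a time.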

Capturing data packets

Capturing packets in a switched network is difficult, mainly because hubs and switches forward data in fundamentally different ways. A hub transmits by broadcast and does not establish connections: it sends each packet out of every port except the one it arrived on, so every machine connected to the hub can capture the packets passing through it. A switch, on the other hand, provides end-to-end connectivity: when a packet arrives, the switch creates a temporary connection and the packet travels over that connection to the destination port only. Capturing packets in a switched environment is therefore not easy. To obtain packets in a switched environment, the following methods can be used:

(1) Configure a "spanning port" (SPAN or mirror port) on the switch so that it behaves like a hub: packets passing through this port are no longer delivered only to the destination host but are broadcast to all machines connected to the port. A packet-capture host attached there can capture the packets passing through the "spanning port". However, only one port on the switch can be set as the "spanning port" at a time, so packets from multiple hosts cannot be captured simultaneously.

(2) Install a hub between two switches, or between the router and the switch; the capture host can then capture the packets passing through the hub.

When using packet capture to obtain the attacker's source address, two issues need attention. First, the capture host must have enough storage space, because with high network throughput the hard disk fills up quickly. Second, packet analysis should be automated with a small program, since it is impossible to analyze such a volume of data by hand.

★ Search engine----there might be surprises out there

Using a search engine to find an attacker's source address has no theoretical basis, but it often yields unexpected results and pleasant surprises for the trace. Hackers often have their own virtual communities on the Internet, where they discuss attack techniques and show off their successes, and in doing so they frequently expose information about their attack source and even their identity.

To track an attacker's IP address with a search engine, use a good search engine (such as Sohu's) to search web pages with the attacked host's domain name, IP address or host name as the keyword, and check whether any post discusses attacking the machine those keywords identify. Although attackers usually post from forged source addresses, many use their real source address when they are careless, so traces of an attacker can often be discovered by accident in this way.

Because the authenticity of a post's source address cannot be guaranteed on the network, using it without further analysis may implicate innocent users. Nevertheless, a search engine is useful when combined with the other methods.
