Network Security Misconceptions: Chapter 2: Tracing
Many people think that tracing is a laughing matter and is only done when a machine is seriously brought down to the ground or changed badly. This is probably the biggest misconception in networking security. Tracing is done all the time, when im getting pinged i trace the ip to see what isp it came from or whatever else i feel like doing. Tracing is very easy with programs such as neotrace and great places such as ARIN (american registry for internet numbers) and RIPE (Reseaux IP Europeens) otherwise known as the european ARIN.
Heres a good example "Yea man i was sitting there in my dorm scanning systems and breaking into the machines that i found on other college campuses using the remote telnetd exploit, of course i was using a bounder/proxy". Where should i start with this, well lets start with the dorm part. In most if not all college campuses they really do monitor which ports you use and which machines you connect to, so if the net admin sees you connecting to the 64.100.23.* network one ip at a time going up theres gonna be a red flag going off in his mind. If you are using a bouncer then you are "safer", if the network admin that your scanning is really bored or you did some damage that he/she is pissed off about they are going to e-mail the owner of the bouncer, then they are gonna check their logs and e-mail the admin of your campus then your kicked out, fun. This is a pretty remote possibility but it has happened and will continue to happen until people realize that tracing is always a possibility. Next lets go with the breaking into the machines, irix and recently BSD has a remote telnetd exploit. This let any script kiddie break into their machines pretty easy and do whatever they want with them, irix is really popular with number crunching machines cause it is very compatible with software rendering programs. Companies such as Dreamworks use this platform, enough of the background on irix. Anyways a little script kiddie comes in, exploits your machine and uses it for whatever they want, they clean the logs and leave. If your a admin and you notice a sever decrease in bandwith your gonna check for packeting then your servers. After awhile of investigeting they will check logs and see a whole lot missing. Hey your safe right? Nope you dont have access to their routers of course, this is a HUGE overlook. The admin logs into the router looks through the ip's for a long time, finds the time when the logs were gone and sees your ip, BAM they have your ip, next thing you know your once again kicked outa college.
Another misconception that i have heard alot is reconnecting if you have dialup or restarting if your on DHCP and getting a new ip, then your safe. Once again we go back to the logs, what you have done is on logs and your new ip is not going to help you at all. All the admin that got screwed over by you has to do is go to www.arin.net look up the ip that screwed him over get your isp, e-mail your isp admin with all the info and once again you are screwed. And sorry for the people the have static IP's, restarting, reconnecting (dsl, cable) wont help at all you have the same ip all the time.
Next im going to go over how to trace a ip to see where it came from. There are great free and pay programs out there that let you do this and great websites also. I recommend NeoTrace as a program, it has a map built into the program that will pinpoint where in the world the ip is coming from and will show you where in the world your packets are going until it gets to the destination machine. Im gonna have a little example here and then a little example on how to get the ISP's phone number, all of these examples are fake and i have never been attacked luckily. Earlier today i got packeted by 188.8.131.52 bringing my connection to a halt. I decided to go to http://www.arin.net/whois/index.html and plug in that ip then e-mail the ISP's net admin to report it. The output reports that it came from IANA which is a huge company, it stands for Internet Assigned Numbers Authority. Since i got packeted from this type of company i would decide to call them right away because most likely one of their machines has been compromised. So i get out my calling card dial in (310) 823-9358 and get the admin on the phone with all the information, he is very alarmed and thankfull that i called him and will patch his machine immediatly. This is just a fake example and i got all the information from ARIN, this is a free service and is available to the public for most every ip in the world. This is very easy as you can see, so next time you think that you are safe, you really are not, there are always ways to find the person and almost most of the people that attacked/hacked major sites have been caught.
If anyone would like to add, comment, or ask any questions on networking or network security feel free to catch me on irc.antionline.com #antionline .