Hey all. Does anyone have any good advice for tracking down evidence of a relay attack of any kind? The other day, I was revisiting a book I purchased some time ago called Counter Hack by Ed Skoudis. It went over how netcat could be used to set up multiple relays to attack with a chain of clients and listeners. I was wondering/curious if anyone here has ever had to investigate something of this nature and how they went about doing it other than the obvious - going through the logs and such. It seems like something pretty hard to track down, especially if the attacker was able to relay between cultural barriers (e.g. a relay on systems across the world to make it harder to track).
September 24th, 2002, 11:10 PM
I guess if you're being attacked from a given address repeatedly the thing to do is to get in contact with the network admin of that system. If they cooperate, and attempt to track it down it could work:
If the network admin of the supposed source system sets up a sniffer to watch for connections to your system, and when it does, monitor all traffic just before/after, they should be able to see a pattern which will reveal whether it's an internal user to their system, or some kind of relay program (like netcat) being used to "bounce" (remember that the person whose account or box the bounce relay is running on may have no knowledge of it - it may be a trojan or have been planted in an earlier attack).
You can then repeat the process with the network admin of the next system in the chain. If the attacks persist for long enough and you have enough cooperation, you should be able to find the true source of the attacks.
Of course language barriers, timezone barriers and uncooperative or incompetent network admins can make this a lot harder - obviously a network admin is also going to take a good deal of persuasion to allow you any access to his sniffer logs to ensure he isn't being socially engineered.
So if you're really lucky, the attackers feel so "safe" with their chain of bounce relays that they keep using the same ones to attack the same systems repeatedly - which ultimately should be their downfall.
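As an added example that is not part of the original post: a sketch of the before/after correlation described above, run over connection records an admin might export from a sniffer on the suspected bounce host. The record layout, the 5-second window, the ports and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    start: float   # seconds since capture start
    end: float
    src: str
    dst: str
    dport: int

def classify_outbound(flows, host, victim, window=5.0):
    """For each flow host -> victim, look for an inbound flow to host that opened
    at most `window` seconds earlier and was still open when the outbound began."""
    inbound = [f for f in flows if f.dst == host and f.src != victim]
    results = []
    for out in flows:
        if out.src != host or out.dst != victim:
            continue
        # Candidate upstream: opened shortly before, and overlapping in time.
        candidates = [f for f in inbound
                      if 0 <= out.start - f.start <= window and f.end >= out.start]
        if candidates:
            best = max(candidates, key=lambda f: f.start)
            results.append((out, "relay", best.src))
        else:
            results.append((out, "local", None))
    return results

def repeat_upstreams(results):
    """Count how often each upstream address precedes a connection to the victim."""
    return dict(Counter(up for _, verdict, up in results if verdict == "relay"))

# Constructed sample data, not real traffic.
HOST, VICTIM = "198.51.100.10", "203.0.113.5"
SAMPLE = [
    Flow(100.0, 160.0, "192.0.2.77", HOST, 4444),   # inbound to a listener
    Flow(100.4, 159.8, HOST, VICTIM, 23),           # outbound 0.4 s later
    Flow(300.0, 340.0, "192.0.2.77", HOST, 4444),
    Flow(300.3, 339.9, HOST, VICTIM, 23),
    Flow(500.0, 520.0, HOST, VICTIM, 80),           # no inbound precursor
    Flow(10.0, 20.0, "192.0.2.200", HOST, 22),      # unrelated, long closed
]

if __name__ == "__main__":
    results = classify_outbound(SAMPLE, HOST, VICTIM)
    for out, verdict, upstream in results:
        print(out.start, out.dport, verdict, upstream)
    print(repeat_upstreams(results))
```

An upstream address that shows up repeatedly in the counts is the next system in the chain to take to its own admin; a "local" verdict only means no inbound precursor was seen on this host within the window.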
September 25th, 2002, 12:19 AM
Yeah, I agree with you on that; it could definitely prove difficult to get the cooperation of Admins of other networks. One can only hope that they run into someone that sympathizes with the situation - the frustration of tracking someone down that coordinated such an attack.