Security Basics mailing list archives
RE: Tracking down a vandalizer who's faking his IP
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Wed, 28 Apr 2004 11:26:26 -0600
> Someone is vandalizing my friend's website. When I checked the IP address, it seems like it's from another distant country and not much other information is provided.
Sounds like a foreign proxy server. I'd give it a 95% chance that the IP you have has absolutely nothing to do with the person attacking the site.
> I have sent an email to the owner of that segment of IP addresses but haven't heard anything for the past 2 months other than an automated reply.
First of all, IP address segments are usually sold to a company who then leases them to another company who then provides them to a hosting provider who THEN rents them to a customer. Good luck.
> Do most admins in other countries ignore requests to reveal source IPs when they feel it's just vandalism and not a significant incident?
I have known very few admins who will do any more than grumble about the annoying "abuse" emails they are getting when the sender cannot provide detailed incident analysis. Admins have NO INCENTIVE for doing your leg-work for you. In fact, they stand to lose customers if they start ratting on all of them. Frankly, most admins (this has NOTHING to do with host country) will refuse to reveal an IP owner unless it is under duress, meaning a subpoena or threat of serious financial trouble. Even then, some ISPs will fight a subpoena to protect the privacy of their users.
> Does anyone here have any experience tracking down a faker such as this and could you provide any tips on how one can effectively talk to and coordinate with the ISPs at the other end?
Generally, your time is better spent securing the web server. Frankly, if this IP is always the same and is always from some foreign land, you simply need to block ALL TRAFFIC from that IP. Your annoying friend will be forced to find another proxy or they will give up. Either way is to your advantage.
Eric