Security Basics mailing list archives

RE: Traces


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 16 Dec 2003 14:46:59 -0800


        Sorry, I can't think of any off hand. But I'll try and give you
a little information, if it helps at all. Depending on the type of
attack, how you will trace varies. For example, if you're suffering from
a DDoS attack, the chances that the originating IP address is that of
the initiator of the attack are slim to none. Additionally, if it's a
no-response attack (SYN flood, teardrop), the return path address in the
IP header is most likely forged, seeing as they don't require return
traffic.

        If you are actually being hacked by anyone good, they will be
tunneling their traffic through ghost-nodes, or, in non-me-speak, slave
systems. These systems allow a hacker to tunnel traffic through them to
mask their originating IP address; they will usually have a few of
those.

        Thank goodness that the vast majority of attacks are virii and
script kiddies. These types of attacks don't cover their originating IP
address. Now, some 'feces-throwing-semi-intelligent' script kiddies
will use a proxy server (either a public or unsecured proxy) to launch
their 'attack'. For them, track down the proxy and contact the owner.
Even default unsecured proxies will log some IP/Access/Usage
information. Get the IP and track down the netblock owner. Traceroute,
DIG and WHOIS are great tools for this. Once I've got my 'suspect', I run a
scan against them, usually NESSUS or NMAP or LANGuard, and see if I can
garner any more information.

        If you're worried about an attack, or are just starting to suffer
from one, set up a SNORT Net-IDS box just behind your firewall, next to
your DMZ servers, and one outside your firewall or important end points.
Personally I log all information from those servers back to a central
database and run ACID on a server to view the information. This allows
me to see the packet headers and payload, which is very helpful when
tracking an attack down.

        The one tip I can give you is LOG, LOG and LOG some more. When I
have all the 'evidence' I need, from logs, IDS, external sources
(proxy/systems/network owners), I contact their ISP/Netblock owner and
file a complaint, then supply them with the logs/information I've
obtained.

        If you are suffering from an attack or have a 'specific'
question, feel free to drop me an email and I'll try to help you out. I
hope any of this has been useful.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
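The reply above boils down to a triage routine: collect the IDS alerts, group them by source address, discard sources that cannot be genuine (a no-response flood forges its return address, and private or reserved ranges never originate on the Internet), and take the remaining addresses to WHOIS and the netblock owner's abuse contact. The following is an added example, not code from the list post or from any of the tools it names. It parses alert lines in Snort's "fast" output format, using constructed sample alerts with hypothetical signature names, and classifies each source as a bogon, as possibly spoofed (SYN flood / teardrop style signatures that need no reply), or as traceable. The bogon list is a minimal one written for the example and assumes the sensor sits outside the firewall, so RFC 1918 sources are not legitimate local traffic.

```python
"""Triage of Snort-style alert lines: group by source address, flag sources that
cannot be genuine (RFC 1918, loopback, link-local, multicast, class E), and flag
no-response signatures where the source is likely forged.
The alerts and signature names below are constructed for this example."""

import ipaddress
import re

# Constructed sample lines in Snort "fast" alert format (hypothetical signatures).
SAMPLE_ALERTS = """\
12/16-14:01:02.000001 [**] [1:1000001:1] HYPOTHETICAL TCP SYN flood [**] [Priority: 2] {TCP} 10.0.0.5:4000 -> 192.0.2.10:80
12/16-14:01:02.000002 [**] [1:1000001:1] HYPOTHETICAL TCP SYN flood [**] [Priority: 2] {TCP} 172.16.3.9:4001 -> 192.0.2.10:80
12/16-14:02:15.000003 [**] [1:1000002:1] HYPOTHETICAL Teardrop fragments [**] [Priority: 1] {UDP} 203.0.113.77:53 -> 192.0.2.10:53
12/16-14:05:40.000004 [**] [1:1000003:1] HYPOTHETICAL Web scanner user-agent [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 198.51.100.23:51000 -> 192.0.2.10:80
12/16-14:05:41.000005 [**] [1:1000003:1] HYPOTHETICAL Web scanner user-agent [**] [Classification: Attempted Recon] [Priority: 3] {TCP} 198.51.100.23:51001 -> 192.0.2.10:80
12/16-14:05:42.000006 [**] [1:1000004:1] HYPOTHETICAL Directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51002 -> 192.0.2.10:80
this line is not an alert and is skipped
"""

# Fast format: <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Minimal bogon list (assumption: sensor is outside the firewall, so a packet
# arriving with one of these sources is forged or misrouted, never a real origin).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Signatures for attacks that need no reply, so the source address may be forged.
NO_RESPONSE_WORDS = ("syn flood", "teardrop")

# Strength order of verdicts; the strongest one seen for a source wins.
VERDICT_RANK = {"traceable": 0, "possibly-spoofed": 1, "bogon": 2}


def parse_alert(line):
    """Return a dict of fields for one fast-format line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bogon(ip_str):
    """True if the address falls in one of the bogon networks above."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BOGON_NETS)


def classify(src, msg):
    """'bogon': certainly forged; 'possibly-spoofed': plausible address but the
    attack needs no reply; 'traceable': worth a WHOIS lookup and an abuse complaint."""
    if is_bogon(src):
        return "bogon"
    if any(w in msg.lower() for w in NO_RESPONSE_WORDS):
        return "possibly-spoofed"
    return "traceable"


def summarize(text):
    """Group alerts by source: count, strongest verdict, signatures seen, first/last time."""
    summary = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # non-alert lines (comments, garbage) are skipped
        entry = summary.setdefault(a["src"], {
            "count": 0, "sigs": set(), "class": "traceable", "first": a["ts"], "last": a["ts"]})
        entry["count"] += 1
        entry["sigs"].add(a["msg"])
        entry["last"] = a["ts"]
        verdict = classify(a["src"], a["msg"])
        if VERDICT_RANK[verdict] > VERDICT_RANK[entry["class"]]:
            entry["class"] = verdict
    return summary


def complaint_candidates(summary):
    """Traceable sources, busiest first: the ones whose netblock owner to contact."""
    return sorted((ip for ip, e in summary.items() if e["class"] == "traceable"),
                  key=lambda ip: -summary[ip]["count"])


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for ip, e in s.items():
        print(f"{ip:16} {e['class']:17} {e['count']:3}  {', '.join(sorted(e['sigs']))}")
    print("complaint candidates:", complaint_candidates(s))
```

Feed it the fast-format alert file from a sensor and the remaining "traceable" list is the set of addresses to run through WHOIS and to cite, with the matching log lines, in the complaint to the netblock owner; the bogon and possibly-spoofed buckets are what the reply warns against chasing.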

-----Original Message-----
From: Gerson Sampaio [mailto:rootbit () yahoo com] 
Sent: Tuesday, December 16, 2003 11:58 AM
To: security-basics () securityfocus com
Subject: Traces

Hi list,
Is there any paper / site on hiding traces of an
attack? How does one discover the real source of an attacker?

TIA

