Extreme IP Backtracing

Presented at DEF CON 10 (2002), Aug. 2, 2002, 3 p.m. (50 minutes).

A prudent system administrator will review system logs. While performing this log analysis, administrators may detect nefarious activity of various types (port probes, exploit attempts, DoS/DDoS). Of course, what you receive in the system logs doesn't contain the offender's name and telephone number. Rather, most firewalls and intrusion detection systems will log an IP address or, at best, a reverse DNS lookup of the IP address. This presentation outlines several "road-tested" techniques for tracing IP addresses back to a responsible party. Included are many real-world examples from our research: step-by-step traces ranging from the trivial to the impossible.


Presenters:

  • Jaeson Schultz
    Jaeson Schultz is an independent security consultant specializing in log analysis and intrusion detection. He has accumulated over 14 years of experience programming and troubleshooting networks for various governmental and corporate organizations. Formerly employed by Counterpane Internet Security, Jaeson spent the last two years monitoring the security of Fortune 1000 companies and performing security and software engineering. While at Counterpane, Jaeson helped to identify the networks responsible for the thousands of alerts received at the Counterpane Secure Operations Center per day.
  • Lawrence Baldwin
    Lawrence Baldwin is an independent network performance consultant and author with over 15 years of experience in deep protocol analysis and troubleshooting mission-critical networks and applications for Fortune 500 companies. In 2000, Baldwin developed and deployed one of the first Internet "neighborhood watch" systems, known as myNetWatchman (mNW). mNW is a distributed IDS (dIDS) that uses the collective awareness of thousands of cooperating participants to identify compromised hosts and notify the owners of compromised machines. In an average day, mNW processes more than 1,000,000 events from a global sensor network of more than 1,300 firewall and IDS systems in 40 countries. mNW analyzes and backtraces event activity from 50,000 unique hosts per day, identifying compromised hosts and sending e-mail notifications at a rate of approximately one per minute. The data collected by mNW enables analysis of global attack trends, identification of DDoS bot assimilation activity, and signature-independent detection of new worm activity.
