What Does Tracing Network Attacks Mean?


"Tracing network attacks" can have different meanings, depending on the context in which the term is used. At a minimum, it means discovering the origin of the incidents that occur. In most (but not all) cases, this minimally means finding the IP address, the media access control (MAC) address, [1] or the hostname from which the unauthorized activity originated. At the other extreme, it means determining the identity of the attacker(s). This chapter focuses on determining the origin in terms of address or hostname. Chapter 11, "The Human Side of Incident Response," focuses on pinpointing the identity of perpetrators.

[1] The media access control address is the physical address of a host. The MAC address is burned into each network interface card.

In the case of insider attacks in which a perpetrator has gained physical access to a particular system, network device, or hardware component, tracing the attack to its origin is not nearly as much of a challenge as identifying the perpetrator. Insiders often leave some kind of physical evidence (such as fingerprints, their appearance captured by cameras, hair strands, and so on) that indicates they have physically accessed one or more systems or network devices, or at least the physical area in which the systems or network devices are located. Insiders might also leave virtual evidence, of course, such as log entries, file permission changes, and so forth. By "virtual evidence," we mean evidence related to processing activities, memory contents, system configuration, packet data, and other nonphysical indications of computing and networking activities. A major difference between tracing internal and external attacks, however, is that virtual evidence typically is the only evidence available when network attacks occur. The necessity of dealing with virtual evidence instead of physical evidence is, in fact, one of the greatest challenges of tracing network attacks.

Another important consideration in tracing network attacks is the fact that IP addresses are virtual addresses, not physical addresses. Media Access Control (MAC) addresses are physical addresses that are stamped into network interface cards (NICs), but IP addresses are not. Network services such as DNS translate IP addresses into hostnames (and vice versa), but IP addresses are not "locked into" [2] Internet-connected hosts. As such, these addresses can readily be spoofed. Furthermore, the use of the Dynamic Host Configuration Protocol (DHCP) and dynamically assigned ISP addresses results in the assignment of different IP addresses to the same machine at different times, making it even more difficult to determine the origin of a network attack on the basis of its IP address.

[2] Assuming you have sufficient privileges, try entering ifconfig in UNIX and Linux systems, ipconfig in Windows NT and 2000 systems, and winipcfg in Windows 9X systems. You can specify the IP address for a host. Note also that for nonlocal IP addresses, the MAC address will be the router's IP address.
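The two practical consequences of the preceding paragraph and its footnote, that an IP address may have been spoofed or set by hand and that a DHCP address may have belonged to different machines at different times, can be checked against DHCP lease records. The following is an added example (it is not the book's code) that, for a source IP and an incident time, looks up which MAC address held the lease, compares it with the source MAC captured on the wire, and refuses to draw a conclusion for addresses outside the local segment, where the frame carries the router's MAC rather than the sender's. The lease records, the local subnet, and the MAC values are constructed sample data.

```python
# Added example (not from the book): correlate an incident's source IP with
# DHCP lease records and the source MAC seen in the captured frame.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample DHCP lease records: start, end, IP, MAC (one lease per line).
LEASE_LOG = """\
2002-03-01T08:00:00 2002-03-01T12:00:00 192.168.1.20 00:0c:29:3a:1b:01
2002-03-01T12:05:00 2002-03-01T16:00:00 192.168.1.20 00:0c:29:3a:1b:02
2002-03-01T09:00:00 2002-03-01T17:00:00 192.168.1.21 00:0c:29:3a:1b:03
"""
LOCAL_NET = ip_network("192.168.1.0/24")  # assumed local segment (constructed)


def parse_leases(text):
    """Parse lease lines into (start, end, ip, mac) tuples; MACs are lowercased."""
    leases = []
    for line in text.splitlines():
        if line.strip():
            start, end, ip, mac = line.split()
            leases.append((datetime.fromisoformat(start), datetime.fromisoformat(end),
                           ip_address(ip), mac.lower()))
    return leases


def trace_source(leases, ip, when, frame_mac=None, local_net=LOCAL_NET):
    """Return (scope, lease_mac, verdict) for a source IP seen at ISO time `when`.
    frame_mac is the source MAC captured on the wire, if one is available."""
    ip, when = ip_address(ip), datetime.fromisoformat(when)
    if ip not in local_net:
        # Frames from beyond the segment carry the gateway's MAC, not the sender's.
        return ("remote", None, "MAC is the gateway's; consult upstream logs")
    lease_mac = next((mac for start, end, lease_ip, mac in leases
                      if lease_ip == ip and start <= when <= end), None)
    if lease_mac is None:
        return ("local", None, "no lease at that time; address may be static or spoofed")
    if frame_mac is None:
        return ("local", lease_mac, "lease found")
    if frame_mac.lower() == lease_mac:
        return ("local", lease_mac, "frame MAC matches lease")
    return ("local", lease_mac, "frame MAC differs from lease; possible spoofed IP")


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    print(trace_source(leases, "192.168.1.20", "2002-03-01T13:30:00", "00:0C:29:3A:1B:02"))
    print(trace_source(leases, "192.168.1.20", "2002-03-01T12:02:00"))
    print(trace_source(leases, "10.7.7.7", "2002-03-01T13:30:00"))
```

The same IP resolves to a different MAC before and after 12:00 in the sample, which is exactly why the incident time must be recorded alongside the address.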



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
