Summary


This chapter covered important issues related to tracing incidents. We delved into what tracing network attacks means and involves, namely finding the source (usually in terms of the identity of a host or IP address) of an attack. Tracing network attacks is not synonymous with tracing network intrusions; many attacks other than intrusions occur. It is important to put attack tracing in proper perspective, paying particular attention to issues such as what your organization's policy is regarding tracing attacks. A number of organizations have a policy that specifies that attacks must not (except perhaps in extraordinary circumstances) be traced. Considering other issues such as costs versus benefits, available resources, the number of ongoing attacks and the priority of dealing with each, and so forth is essential.

Various methods are available to trace the source of attacks. These methods include search engines (to try to find postings that contain information about attacks that have occurred), the netstat command (which shows current connections), log data (particularly from systems and firewalls), data from intrusion detection systems, and raw packet data. After you obtain a candidate source IP address, you can send email to abuse@<address> or possibly root@<address>, although the attackers might get your messages instead if they have obtained superuser-level access. Use dig/nslookup to reverse map the identified source IP address into a domain name, whois to discover to whom a machine is registered (as well as possibly other information), ping to determine whether a host is alive, and traceroute or tracert to identify intermediate hops over which traffic travels between the victim host and the possible source of the attack.
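The paragraph above lists netstat output and reverse DNS mapping as starting points for a trace. The following is an added example (not code from the book) that shows the first, offline part of that workflow: parsing a constructed `netstat -n` listing, ranking non-local peers by connection count to pick a candidate source, and computing the `in-addr.arpa` name that `dig -x` or `nslookup` would query for the reverse lookup. The sample addresses are RFC 5737 documentation ranges chosen for the example, the function names are this example's own, and `lookup_plan` only builds the follow-up commands and contact addresses as strings; it sends nothing.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of `netstat -n` output (Linux layout); not captured from a real host.
# 198.51.100.7 and 192.0.2.44 are documentation addresses standing in for remote peers.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:51290      ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:40001        ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:51301      SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.44:40002        TIME_WAIT
tcp        0      0 127.0.0.1:5432          127.0.0.1:60010         ESTABLISHED
"""

# One connection line: proto, recv-q, send-q, local endpoint, foreign endpoint, optional state.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*(?P<state>\S*)$"
)

# Peers in these ranges are internal or loopback and are not candidate external sources.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). The constructed sample is IPv4 only."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state) for each connection line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        lip, lport = split_endpoint(m.group("local"))
        fip, fport = split_endpoint(m.group("foreign"))
        rows.append((m.group("proto"), lip, lport, fip, fport, m.group("state")))
    return rows


def candidate_sources(rows, local_port=None):
    """Count connections per external peer, most frequent first; optionally restrict to one local port."""
    counts = Counter()
    for proto, lip, lport, fip, fport, state in rows:
        ip = ipaddress.ip_address(fip)
        if any(ip in net for net in LOCAL_NETS):
            continue
        if local_port is not None and lport != local_port:
            continue
        counts[fip] += 1
    return counts.most_common()


def reverse_name(ip_str):
    """The in-addr.arpa name that `dig -x` / nslookup queries for a PTR (reverse) lookup."""
    return ipaddress.ip_address(ip_str).reverse_pointer


def lookup_plan(ip_str, domain=None):
    """Build the follow-up commands and contact addresses for a candidate source; sends nothing."""
    contact_host = domain or ip_str  # use the domain once the reverse lookup has resolved it
    return {
        "ptr_name": reverse_name(ip_str),
        "commands": [f"dig -x {ip_str}", f"whois {ip_str}",
                     f"ping -c 3 {ip_str}", f"traceroute {ip_str}"],
        "contacts": [f"abuse@{contact_host}", f"root@{contact_host}"],
    }


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for ip, n in candidate_sources(rows, local_port=22):
        print(f"{ip}: {n} connection(s) to port 22")
        print(lookup_plan(ip))
```

Running this on the constructed sample ranks 198.51.100.7 first (three connections to port 22, one of them still in SYN_RECV) and prints the reverse name `7.100.51.198.in-addr.arpa` together with the dig/whois/ping/traceroute commands to run next. Note that the filter deliberately lists the RFC 1918 and loopback ranges explicitly rather than relying on `is_private`, because Python's `ipaddress` also classifies the documentation ranges used here as non-public.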

Attack paths can be constructed using either the direct trace method (a real-time or near-real-time method to trace connections back to their source) or the indirect trace method (which has no real-time or near-real-time element). Attacker signatures (such as the particular tools installed, keystroke errors, and so forth) can also be useful in filling in missing pieces of information. Tracing attacks is usually difficult and time consuming, especially when the attacker's route includes multiple intermediate hosts, so it is important to make wise decisions and always keep what you are trying to do in proper perspective. Adhering to your organization's policy concerning attack tracing and investigations is essential.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
