Home page logo
/

basics logo Security Basics mailing list archives

RE: Tracking down a vandalizer who's faking his IP
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Wed, 28 Apr 2004 11:26:26 -0600

Someone is vandalizing my friend's website.
When I checked the IP address, it seems like it's from another distant 
country and not much else information is provided.

Sounds like a foreign proxy server.  I'd give it a 95% chance that the IP
you have has absolutely nothing to do with the person attacking the site.


I have sent an email to the owner of that segment of IP address but haven't

heard anything for the past 2 months other than an automated reply.

First of all, IP address segments are usually sold to a company who then
leases them to another company who then provides them to a hosting provider
who THEN rents them to a customer.  Good luck.



Do most admins in other countries ignore requests to reveal source IP's
when they feel it's just a vandalism and not a significant incidence?

I have known very few admins who will do any more than grumble about the
annoying "abuse" emails he is getting when the sender cannot provide
detailed incident analysis.  Admins have NO INCENTIVE for doing your
leg-work for you.  In fact, they stand to lose customers if they start
ratting on all of them.  Frankly, most admins (this has NOTHING to do with
host country) will refuse to reveal an IP owner unless it is under duress,
meaning a subpoena or threat of serious financial trouble.  Even then, some
ISPs will fight a subpoena to protect the privacy of their users.


Does anyone here have any experience tracking down a faker such as this
and could you provide any tips on how one can effectively talk to
and coordinate with the ISP's at the other end?

Generally, your time is better spent securing the web server.  Frankly, if
this IP is always the same and is always from some foreign land, you simply
need to block ALL TRAFFIC from that IP.  Your annoying friend will be forced
to find another proxy or they will give up.  Either way is to your
advantage.

Eric

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]