Security Basics mailing list archives

RE: Traces


From: Fernando Gont <fernando () gont com ar>
Date: Tue, 06 Jan 2004 10:19:43 -0300

At 15:59 05/01/2004 +0100, Meidinger Chris wrote:

Correlating TTL is how the hunt for timex.0 at sans was set up. It was
unsuccessful.

As I said in another e-mail, whether you find this method useful or not depends on the scenario.

Besides that, I don't think that Chris Brenton's proposal means the hunt was unsuccessful. Routes may be asymmetric.


You would then need heavy cooperation from the operators of the router or
from the ISP to which it belongs to find a person. By which point the script
kiddy's mother has probably called him to dinner, and he's logged off
anyway. This forces you to unfreeze time and let him eat dinner and come
back to his computer, then log back into a different ISP...

You could probably ask the network administrator to do egress-filtering, so that they don't have people launching DoS attacks from their networks.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org


