Tip

Identifying attackers

Administrators know when they get hacked, but they often don't know whodunit. And if you're one of the zillions of people running personal firewalls to protect your Windows desktop from Internet-based attackers -- in a home office or a small branch office, say -- then you've probably noticed that you do get scanned and attacked on a fairly regular basis (assuming you're not sitting behind a separate network firewall). Most Windows users' first reaction to a scan or attack is surprise and fear, but assuming their personal firewall thwarted the attempt, this reaction quickly turns into curiosity. Who was it that attacked you? Why did they attack you? Where are they from?

These are difficult questions to answer, but there are some great sites designed to give you a hand trying to trace someone through the Internet. An example of just such a site can be found at users.rcn.com/rms2000/sleuth/index.htm. This site contains everything from simple tools like tracert and WHOIS to links for searching for user accounts on Amazon and eBay. Another popular site for detective work is www.samspade.org.

However, if you decide to go investigating, keep these tips in mind:

Attackers frequently try to cover their tracks by breaking into someone else's computer so that they can launch their attacks without a clear trail back to their own computer. This is similar to someone stealing a car to rob a bank because it's more difficult to trace. The important thing to understand is that the owner of that computer probably has no idea he's being used as a launchpad for an attack.

There is now quite a bit of case law regarding gathering computer evidence. You might be surprised how many hoops you have to jump through to get your log files admitted as evidence. A quick search on "computer forensics" will turn up more than you ever wanted to know about this topic. So even if you find your target, the information won't do you any good unless you followed the rules.

Understand the tools you're using. Many of the tools you'll find are effective and harmless, but their use may violate laws or the terms of service for your ISP.


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in May 2002
