LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-09-2007, 05:54 AM   #1
arkaan
LQ Newbie
Registered: Mar 2007
Posts: 9
How to trace the attacker?


(This is a reference to http://www.linuxquestions.org/questi...44#post2698444 )

Hello folks, as the topic says, I'm searching for a way to trace down the attacker, who is still attacking my website with some kind of DoS attack.
I was never able to block the attacks in any way, so I decided that I will try to keep him blocked out of the system, but for that task I need his IP address.

Do any of you have a clue/script that would easily reveal the attacker?
 
Old 04-09-2007, 07:01 AM   #2
GrapefruiTgirl
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
Are you running Apache by chance? Either way, either in the Apache server logs OR in your iptables logs (whatever you are using that logs connections/traffic), you should be able to identify, or at least narrow down, the IP address(es) of the offending party, based on the connection time vs. attack time.
Then use perl traceroute.pl and whois.sc (called 'domain tools' now) to identify what ISP & country the attacker is coming from.
Copy the information, and forward it to the offender's ISP, explaining the situation.
You personally will likely not be able to pin it down to ONE COMPUTER, but rather to an ISP address pool and associated servers, and country.
In my limited experience, it can be VERY tiresome to try to block one single attacker from afar by using one IP address; instead, it is sometimes necessary to block an entire IP pool, or an entire country.
 
Old 04-09-2007, 08:02 AM   #3
arkaan
LQ Newbie
Registered: Mar 2007
Posts: 9
Original Poster
What should I do if the attacker uses a proxy? And how do I find out if he does / does not?
 
Old 04-09-2007, 08:49 AM   #4
GrapefruiTgirl
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
I don't know about that, good question. But by using traceroute, you can generally get the name/IP of any/all hops along the path from your server to the endpoint. Even a proxy server has an IP address.
With anonymous proxies, or hijacked proxies, you probably will not be able to identify proxies as proxies, but you can still identify the server locale and IP.
For example, if someone is using another legitimate server/service illegally or fraudulently as a proxy, let's say a server at UCLA university, then that's what you will see---a UCLA server.
As for in-depth discovery of each and every server, and whether they are actual proxies or not, that is pretty much for the authorities to figure out. You would provide whatever information and IP information you have to the ISPs who administer the IPs, and it's really up to them to do anything about it. It is, after all, illegal to abuse internet servers/services for purposes like this, but the average victim like yourself doesn't have the resources to pursue it themselves.
As mentioned, it's pretty difficult to get a whole lot of useful information with which to take effective action.
Also, as in the thread you linked to, one would think there would be a VERY effective method using iptables and syncookies, or some other technology, to pretty much eliminate DoS attacks.
 
Old 04-09-2007, 11:10 AM   #5
arkaan
LQ Newbie
Registered: Mar 2007
Posts: 9
Original Poster
Okay now, you see I have a big problem finding the correct IP.

I need a tool that can scan my log, searching for IPs that have connected a lot of times in a row, or something like that.

Is that something you have/know where to get?
 
Old 04-09-2007, 11:30 AM   #6
GrapefruiTgirl
LQ Guru
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594
Unfortunately I do not know exactly how you would do this. The last server admin I helped with this issue was on a very NON-busy server. My own website was defaced, and by the file times of the modifications to files in my root directory, cross-referenced with the Apache logs, we were able to pin it down to one IP address out of Amsterdam relatively easily. On a bigger or busier system, the problem obviously is harder.
But you are on the right track to start with. If it is a SYN-flood sort of thing, you would have to find in the logs a large quantity of packets of whatever type (SYNs with no ACKs/SYNs, I guess) which arrived in short order, just before the time of the overload.
Using something like 'fwlogwatch' combined with iptables, you can dynamically alter the iptables rules when an attack commences, but how to do this is beyond the scope of my knowledge/ability. You could use 'fwlogwatch' to scan the logs, though, as it is very configurable and reads a variety of standard log types, including Apache logs. I run it by crond, not because I have any MAJOR concerns (I don't even run a server), but I use it to look for crap or suspicious traffic on my LAN, which (lol) I never get.
You can find 'fwlogwatch' on SourceForge, or Softpedia, and/or using Google, if you're interested.
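The log scan arkaan asked for in #5 (IPs that connected a lot of times in a row, matched against the time of the overload), as an added example that is not part of the thread and not code from arkaan, GrapefruiTgirl or fwlogwatch. It assumes Apache's common/combined log format, where the client IP is the first field and the bracketed timestamp the fourth; the log lines inside it are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread: find the noisiest client IPs in an Apache
# access log and flag per-minute bursts. Assumes common/combined log format:
# field 1 is the client IP, field 4 is "[dd/Mon/yyyy:HH:MM:SS".

# Constructed sample log (not real traffic); point LOG at your access_log instead.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [09/Apr/2007:05:54:01 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
198.51.100.2 - - [09/Apr/2007:05:54:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2007:05:54:02 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [09/Apr/2007:05:54:02 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [09/Apr/2007:05:54:03 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
192.0.2.9 - - [09/Apr/2007:05:55:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2007:05:55:11 +0000] "GET / HTTP/1.0" 200 512 "-" "-"
EOF

# Requests per client IP, busiest first; output is "count ip" per line.
top_talkers() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Client IPs with more than $2 requests in any single minute; output is
# "dd/Mon/yyyy:HH:MM ip count" per line, so a burst can be matched against
# the minute the server fell over.
bursts() {
    awk -v limit="$2" '
        { minute = substr($4, 2, 17); n[minute " " $1]++ }  # drop "[" and the seconds
        END { for (k in n) if (n[k] > limit) print k, n[k] }
    ' "$1" | sort
}

echo "== requests per IP =="
top_talkers "$LOG" | head -n 5
echo "== IPs with more than 3 requests in one minute =="
bursts "$LOG" 3
```

The per-IP total finds a single noisy client; the per-minute bucket is what lets you do the "connection time vs. attack time" correlation from #2 on a busy server, where the top of the all-time list is just your regular visitors. Two caveats: if Apache sits behind a reverse proxy or load balancer, field 1 is the proxy's address, not the client's; and if the output is dozens of unrelated addresses with a handful of requests each, you are looking at the distributed case described later in the thread, where no single rule will help.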
 
Old 04-09-2007, 01:14 PM   #7
catworld
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
offending IP

Alas, you may not finger the actual perp, in fact you usually don't. ISPs are frequently spoofed. The best bet is you actually do find a compromised server somewhere that is the offending party. But then it's not actually the ISP that's the problem, except to the extent their servers are insecure. It would still be a third party doing the dirty work.

If you see addresses originating from China, there is a slightly better outside chance you're looking at the correct IP, of a server that's hijacked. I recall reading that security and basic configuration of servers is a bit of a black art over there. But I have yet to find such to be the case, no doubt near everything like this is spoofed from the outset.

Better is to set an iptables rule to drop packets from the offending IP. Smoothwall uses iptables, and gives you a very convenient GUI to handle such things. I highly recommend everyone get behind a Smoothwall.

I routinely see odd traffic on my servers, wireshark shows the offending IP in a heartbeat, and iptables rules drop the suckers just as soon as I can get the rule written. (which again is done easily with the GUI provided by smoothwall)

Shorewall, Guarddog and similar allow you to manipulate iptables on the host you're using. I'm not very familiar with these; I just touched Guarddog for the first time this week. Perhaps someone with more experience with these tools can chime in and tell us all if dropping a specific IP is doable with them.

cat
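The "drop packets from the offending IP" step done with plain iptables instead of the Smoothwall GUI, as an added example that is not from the thread and not code from Smoothwall, Shorewall or Guarddog. It keeps the blocks in their own chain so they can be listed (iptables -L BLOCKLIST -n) and flushed (iptables -F BLOCKLIST) without touching the rest of the ruleset, refuses anything that is not a plain IPv4 address or CIDR before it goes into a rule, and adds the SYN cookies GrapefruiTgirl mentioned in #4. The chain name BLOCKLIST and the rate-limit numbers are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: drop traffic from an offending IP or
# network with iptables. Blocks live in their own chain (BLOCKLIST, an assumed
# name) so they can be listed and flushed without touching other rules.
DRY_RUN=${DRY_RUN:-1}   # default only prints the commands; DRY_RUN=0 (as root) applies them
CHAIN=BLOCKLIST

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept only a dotted-quad IPv4 address, optionally with /0-32. Anything else
# (a garbled log field, a string carrying extra options) is refused rather than
# spliced into a rule.
valid_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the chain (harmless if it already exists) and hook it at the top of
# INPUT, so blocked sources are dropped before any ACCEPT rule sees them.
setup_chain() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -D INPUT -j "$CHAIN" 2>/dev/null || true   # remove a stale hook, if any
    run iptables -I INPUT 1 -j "$CHAIN"
}

block() {
    valid_ipv4_cidr "$1" || { echo "refusing to block '$1': not an IPv4 address or CIDR" >&2; return 1; }
    run iptables -A "$CHAIN" -s "$1" -j DROP
}

# SYN-flood damping: kernel SYN cookies plus a rate limit on new connections.
# The limit is global, so it also throttles legitimate clients during a flood;
# the numbers are assumptions to tune for your server, not a recommendation.
harden_syn() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run iptables -A INPUT -p tcp --syn -m limit --limit 25/s --limit-burst 50 -j ACCEPT
    run iptables -A INPUT -p tcp --syn -j DROP
}

setup_chain
block 203.0.113.7
block 203.0.113.0/24
block "203.0.113.7 -j ACCEPT" || echo "(rejected, as intended)"
harden_syn
```

Blocking a /24 is the "entire IP pool" advice from #2 expressed as one rule. Keep in mind that iptables on the victim host only saves CPU and socket state; once the uplink itself is saturated, packets have already crossed the link you pay for, and the drop has to happen upstream at the ISP or on a router in front of the box, which is what the later replies recommend.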
 
Old 04-10-2007, 06:39 PM   #8
Randux
Senior Member
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705
Spend a few pounds and get a hardware router or firewall box like I said in your original post. If you waste all your time tracking down every script kiddie you won't have time to ask any more questions on the forums. Do you want to spend the rest of your life adding IP rules for every idiot who tries to hack you? Just get a router and be done with it.

Last edited by Randux; 04-10-2007 at 06:54 PM.
 
Old 04-10-2007, 09:05 PM   #9
Matir
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Have you even looked at your Apache logs? The IP is pretty obvious in there.
 
Old 04-10-2007, 09:31 PM   #10
rocket357
Member
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Quote:
Originally Posted by Matir
Have you even looked at your Apache logs? The IP is pretty obvious in there.
If this is a DDoS attack (and it is, if the attacker has 1/2 a clue), then the IPs listed in whatever logs on the victim's machine will contain only hijacked machines that are being used as "go-betweens" to cause all of the damage. To find the real IP, you need to a) track down those machines and request access to them, b) get access to the machines, c) pray the attacker overlooked something (rootkit doesn't properly hide itself, a sniffer like tcpdump or Wireshark catches a live interaction between the attacker and the compromised machine), d) repeat steps a - c until you get back to either the attacker's machine, or (in some cases) a password-protected "bot channel" on some obscure IRC network.

This is why most DDoS attacks against individuals are never resolved, and against major governments or corporations are *rarely* resolved.

edit - I'd have to agree with Randux here...dump a few dollars/pounds/yen/whatever and get a decent router/firewall, or another machine running Smoothwall or IpCop (as catworld stated), or "roll your own" with OpenBSD and pf. Don't waste time trying to hunt the dude down...you'll hit brick walls and the like until you run out of time or money or interest.

Last edited by rocket357; 04-10-2007 at 09:34 PM.
 
Old 04-11-2007, 06:24 AM   #11
Matir
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
I was only suggesting that it might be a DoS of limited scope... some script kiddies are stupid enough to run things off their own computers, and there might be a single Class C that is blockable. You never know.
 
  

