LinuxQuestions.org > Forums > Linux Forums > Linux - Security
03-13-2010, 08:43 PM   #1
LazerPhreak
Identifying attackers


Hello all!

So I run an FTP server out of my apartment for private use and of course, I get all kinds of brute force attempts from the world at large. I know I can simply block these attacks and report them, but that's boring. How could I go about getting any information on who the attacker really is? What methods does law enforcement use to figure these things out? Not that I would actually use it to prosecute... more of a boredom thing.
03-13-2010, 09:02 PM   #2
irmin
Getting a real name can be hard, except if you ask the internet service provider for it (they won't tell you, but law enforcement can ask for the data).

What you can do is to use the IP address with an "IP locator" to find the approximate region where the attacker comes from (or wants you to believe so). Another possibility is to do a reverse DNS lookup on the IP address. The names can tell you something. In some cases you can find out what network the attack comes from (e.g. dial-up, university network, country, ...).

You can also use traceroute or nmap to get more information on the attacker. Also try ping with option -t. Using this technique you will eventually find out the country/network the attack originates from.

Except in lucky cases you will not get much information with these methods (especially not the address/name). For this you need the help of the ISP.
 
03-14-2010, 09:08 AM   #3
Hangdog42
Quote:
What you can do is to use the IP address with an "IP locator" to find the approximate region where the attacker comes from (or wants you to believe so). Another possibility is to do a reverse DNS lookup on the IP address. The names can tell you something. In some cases you can find out what network the attack comes from (e.g. dial-up, university network, country, ...).
And that gets you what? The chances that anybody other than a complete noob skiddie would use their own computer for an attack have got to be close to nil. In most cases, you're just going to find another compromised machine.

In general trying to track the bad guys is pretty much a waste of time. Law enforcement can figure it out because they can compel cooperation from the ISPs and the owners of compromised machines.
 
03-14-2010, 10:37 AM   #4
spampig
In most cases professional attackers will use at least one, if not a chain of proxies to pass the request through, so chasing the IP is usually fruitless as far as catching the culprit. Abuse reports to the IP owner vary in effectiveness, but for each proxy you shut down, there are billions waiting in the wings. Chasing offenders becomes the task for a 'busy fool' and it's just going to get you hot under the collar with how powerless you are.
It makes better sense to spend time on good security practice. Things like rate controlling connections, limiting the number of log-in attempts, strong passwords, ACLs that limit access to certain IPs, firewall hosts from places you don't want to connect (China, Brazil etc) and grow to accept people will always try the door. You just need to make sure you have it locked :-)

From time to time you'll find kiddies who are not using proxies come to you playing with nmap, hydra and metasploit etc. This is where a call/mail to the ISP does reap rewards. In the UK SKY & BT are very effective at terminating such users and I'm sure there are US suppliers who are equally aggressive at dealing with it.
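As an added example of the "limiting the number of log-in attempts" advice above (not spampig's own configuration, and not from the thread), the following fail2ban jail bans a source after five failed vsftpd logins within ten minutes. It assumes the stock `vsftpd` filter shipped with fail2ban and vsftpd logging to `/var/log/vsftpd.log`; the thresholds are illustrative.

```ini
# /etc/fail2ban/jail.local (added example; assumes the stock vsftpd filter
# shipped with fail2ban and vsftpd logging to /var/log/vsftpd.log)
[vsftpd]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 5
findtime = 600
bantime  = 3600
```

A local override file like this takes precedence over the distribution's jail.conf, so the packaged defaults stay intact across upgrades; after editing, reload fail2ban and check the jail with `fail2ban-client status vsftpd`.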
 
03-16-2010, 07:10 PM   #5
unixfool
Quote:
Originally Posted by irmin
You can also use traceroute or nmap to get more information on the attacker.
Be careful here. Some ISPs are savvy enough to know when an nmap scan is being conducted and many ISPs have such tools/activity listed as 'do not use'. Better to check the AUP/ToS for your particular ISP first rather than find yourself shut down because you thought nmap was a benign tool.

Just my 2 cents.
 
03-16-2010, 11:55 PM   #6
freelinuxtutorials
Just log all the IPs and report to the ISP abuse@ department, and maybe they will take care of it.
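Pulling together irmin's reverse-DNS suggestion (post #2) and the "log all the IPs and report to abuse@" advice (post #6), here is an added Python example that is not part of the thread and not any poster's code. It parses vsftpd-style log lines, aggregates failed logins per source IP, enriches each source with a PTR lookup, and drafts a plain-text abuse report. The log lines and the PTR answers are constructed (documentation IP ranges, `example` domains) so the script runs offline; the keyword hints and the `abuse@<parent-domain>` guess are heuristics, and the authoritative abuse contact is the one in the RIR whois record.

```python
"""Added example (not from the LQ thread): failed FTP logins per source IP,
PTR enrichment, and an abuse-report draft. Sample data is constructed."""
import re
import socket
from collections import Counter, defaultdict

# Constructed sample in vsftpd.log format, using documentation (TEST-NET) IPs.
SAMPLE_LOG = """\
Sat Mar 13 20:01:11 2010 [pid 4102] [admin] FAIL LOGIN: Client "198.51.100.23"
Sat Mar 13 20:01:14 2010 [pid 4103] [root] FAIL LOGIN: Client "198.51.100.23"
Sat Mar 13 20:01:17 2010 [pid 4104] [test] FAIL LOGIN: Client "198.51.100.23"
Sat Mar 13 20:02:40 2010 [pid 4110] [alice] OK LOGIN: Client "192.0.2.8"
Sat Mar 13 20:03:05 2010 [pid 4115] [ftp] FAIL LOGIN: Client "203.0.113.77"
Sat Mar 13 20:03:07 2010 [pid 4116] [admin] FAIL LOGIN: Client "203.0.113.77"
Sat Mar 13 20:05:00 2010 [pid 4120] [bob] FAIL LOGIN: Client "192.0.2.8"
"""

FAIL_RE = re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')

# Hypothetical PTR answers so the example runs offline; a real run uses
# socket.gethostbyaddr (the default resolver in reverse_dns below).
FAKE_PTR = {
    "198.51.100.23": "dyn-23.dsl.example-isp.net",
    "203.0.113.77": "cs-lab-77.example.edu",
}

# Keyword hints in PTR names ("the names can tell you something"); a heuristic.
NAME_HINTS = [
    ("dial", "dial-up"), ("ppp", "PPP/dial-up"), ("dsl", "DSL"),
    ("cable", "cable"), ("dyn", "dynamic address pool"),
    (".edu", "university network"),
]

def failed_logins(log_text):
    """Map each source IP to a Counter of usernames it failed to log in as."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            attempts[m.group("ip")][m.group("user")] += 1
    return attempts

def brute_force_sources(attempts, threshold=3):
    """IPs with at least `threshold` failures, most aggressive first."""
    totals = {ip: sum(c.values()) for ip, c in attempts.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

def fake_resolver(ip):
    """Stand-in for socket.gethostbyaddr, answering from FAKE_PTR."""
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise socket.herror(1, "Unknown host")

def reverse_dns(ip, resolver=socket.gethostbyaddr):
    """PTR name for `ip`, or None when there is no record."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def describe_hostname(hostname):
    """Hints about the network a PTR name suggests (country, access type)."""
    if not hostname:
        return ["no PTR record"]
    lower = hostname.lower()
    hints = []
    tld = lower.rsplit(".", 1)[-1]
    if len(tld) == 2:
        hints.append("country code ." + tld)
    hints.extend(label for kw, label in NAME_HINTS if kw in lower)
    return hints

def abuse_contact(hostname):
    """Conventional abuse@ mailbox for the PTR's parent domain (heuristic;
    the authoritative contact is the abuse-c in the RIR whois record)."""
    if not hostname:
        return None
    labels = hostname.lower().split(".")
    return "abuse@" + ".".join(labels[-2:]) if len(labels) >= 2 else None

def abuse_report(ip, users, hostname):
    """Plain-text summary suitable for sending to an ISP abuse desk."""
    return "\n".join([
        f"Abuse report for {ip}",
        f"PTR: {hostname or 'none'} ({', '.join(describe_hostname(hostname))})",
        f"Suggested contact: {abuse_contact(hostname) or 'look up via whois'}",
        f"Failed FTP logins: {sum(users.values())}"
        f" against accounts: {', '.join(sorted(users))}",
    ])

if __name__ == "__main__":
    attempts = failed_logins(SAMPLE_LOG)
    for ip in brute_force_sources(attempts, threshold=2):
        # Drop the fake_resolver argument to query real PTR records.
        print(abuse_report(ip, attempts[ip], reverse_dns(ip, fake_resolver)))
        print()
```

The threshold in `brute_force_sources` is the same idea as a fail2ban `maxretry`: a single failed login from a real user (192.0.2.8 above) is noise, while a run of failures against `admin`, `root` and `test` from one address is a brute-force attempt worth logging and reporting. Everything here is passive (log reading and a PTR query), which sidesteps the AUP concern raised about scanning the source.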
All times are GMT -5.