
Under the Bonnet of your Firewall - Part 4

...playing Sherlock Holmes?

Part 4 - Page 1
Part 4
Playing Sherlock Holmes
Using logs, whois, DNS, tools such as Sam Spade, websites, VisualRoute, synchronising time, sending a complaint

In this part we are going to take the monitoring process a few steps further. What if you feel that you have been on the receiving end of an attack and want to respond? The most realistic way to do this (without landing yourself in trouble) is to gather information about the attacker and then register a complaint with their ISP. To demonstrate some of the tools and techniques available I'm going to give an example of an investigation. Note that the examples I use are oriented towards people using Windows machines; Linux users have access to many similar (and often more powerful) tools. At the end of the article is a summary of the techniques and tools used, and some additional links.

Using DNS
One day I noticed in my firewall logs repeated attempts to connect to port 80 from a computer with an IP address of 211.117.106.92. I decided to try and find out who was probing. The first tool I usually turn to on such occasions is Sam Spade, a veritable Swiss army knife of a program, and free to boot. It is available from www.samspade.org; if you're even vaguely interested in the workings of the Net, get it. I did a DNS lookup. The Domain Name System (DNS) is the mechanism by which IP addresses get turned into human-memorable names such as www.samspade.org, and vice versa. When you type a website address into your browser, for example, it does a DNS lookup on your ISP's DNS server and hopefully gets an IP address back for the requested website. Doing a reverse lookup (IP to name) is a good first step in an investigation. When I did the lookup for the attacker I not only didn't get a name, I got rather a strange response: 'Nameserver has a problem and can't talk right now'.
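The two steps described above, picking the repeat offender out of the firewall log and then doing a reverse (PTR) lookup on it, as an added example in Python. This is not code from the article or from Sam Spade; the log lines and their "src:port -> dst:port proto action" layout are constructed for the example, and the reverse lookup is best-effort, so a nameserver that "can't talk right now" is reported as a status rather than crashing the script.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed firewall log lines for this example (not from the author's
# firewall).  Layout: "date time src:port -> dst:port proto action".
SAMPLE_LOG = """\
2002-10-28 22:01:14 211.117.106.92:3187 -> 192.168.1.10:80 TCP BLOCKED
2002-10-28 22:01:17 211.117.106.92:3190 -> 192.168.1.10:80 TCP BLOCKED
2002-10-28 22:01:23 211.117.106.92:3194 -> 192.168.1.10:80 TCP BLOCKED
2002-10-28 22:05:02 137.108.143.49:4410 -> 192.168.1.10:25 TCP BLOCKED
2002-10-28 22:06:40 10.0.0.7:51002 -> 192.168.1.10:80 TCP ALLOWED
this line is garbage and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def count_blocked_sources(log_text, dport=80):
    """Count blocked connection attempts per source IP for one destination port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        if m["action"] != "BLOCKED" or int(m["dport"]) != dport:
            continue
        hits[m["src"]] += 1
    return hits


def reverse_pointer(ip):
    """The name a reverse lookup actually queries, e.g. 92.106.117.211.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip):
    """Best-effort reverse lookup returning (status, detail).

    socket.herror covers both 'no PTR record' and 'nameserver failed'; the
    exact errno and message differ by platform, so the text is passed through
    instead of being interpreted.
    """
    try:
        name, _aliases, _addrs = socket.gethostbyaddr(ip)
        return "ok", name
    except socket.herror as exc:
        return "failed", str(exc)
    except OSError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for src, n in count_blocked_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} blocked attempts on port 80 (PTR name {reverse_pointer(src)})")
        print("  reverse lookup:", reverse_lookup(src))
```

Only the blocked attempts on the port of interest are counted, so the allowed request and the probe of port 25 do not inflate the tally; the reverse lookup needs network access and simply reports whatever the resolver says.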

Whois
The next tool I tried, again via Sam Spade, was a whois lookup. Whois servers are run by the registries that record which individuals and companies have registered domain names and which have been assigned blocks of IP addresses. Here's a whois lookup of open.ac.uk:
whois -h whois.ja.net open.ac.uk ...

Domain Name: open.ac.uk
Registered For: Open University
Domain Registered By: JANET
Record updated on 01-Sep-2002 by naming-admin@ukerna.ac.uk
Delegated Name Servers:
DNS0.CRANFIELD.AC.UK
MERCURY.OPEN.AC.UK
NS4.JA.NET
PANGLOSS.OPEN.AC.UK
VENUS.OPEN.AC.UK
Domain contact: hostmaster@open.ac.uk

Equally, you can do a whois lookup for an IP address to find out who it has been assigned to. Doing a whois lookup of 137.108.143.49 gives us:

10/28/02 22:27:30 IP block 137.108.143.49
Trying 137.108.143.49 at ARIN
Trying 137.108.143 at ARIN
OrgName: Open University
OrgID: OPENUN-1
NetRange: 137.108.0.0 - 137.108.255.255
CIDR: 137.108.0.0/16
NetName: OPEN-UNI
NetHandle: NET-137-108-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment

This tells us that the address comes from a block, 137.108.0.0 - 137.108.255.255, that has been assigned to the Open University (OU). Getting back to our attacker, the whois lookup was not as helpful as I had hoped, since it returned:

Trying 211.117.106 at ARIN
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC

ARIN's record only says that the block is allocated to APNIC, the regional registry that assigns IP addresses to organisations in the Asia Pacific region, so this tells us very little.
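An added example, not code from the article, that does with the two ARIN answers above what the text does by eye: parse the Key: value record, check whether the queried address really falls inside the returned block, and recognise the "Allocated to APNIC" case as a referral to another registry's whois server. The two records are the ones quoted on this page, embedded as sample input; the registry hostnames in RIR_SERVERS are the real well-known whois servers and are not taken from the page.

```python
import ipaddress
import socket

# Well-known whois servers of the five regional registries (real hostnames,
# not from the article).
RIR_SERVERS = {
    "ARIN": "whois.arin.net",
    "APNIC": "whois.apnic.net",
    "RIPE": "whois.ripe.net",
    "LACNIC": "whois.lacnic.net",
    "AFRINIC": "whois.afrinic.net",
}

# The two ARIN answers quoted in the article, used here as sample input.
ARIN_OU = """\
OrgName: Open University
OrgID: OPENUN-1
NetRange: 137.108.0.0 - 137.108.255.255
CIDR: 137.108.0.0/16
NetName: OPEN-UNI
NetHandle: NET-137-108-0-0-1
Parent: NET-137-0-0-0-0
NetType: Direct Assignment
"""

ARIN_APNIC = """\
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict.

    Comment lines (% or #) and blank lines are ignored; an empty value such as
    the bare 'Parent:' line is kept as an empty string so the key is visible.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record


def block_contains(record, ip):
    """True if the record's CIDR list (or, failing that, NetRange) covers ip."""
    addr = ipaddress.ip_address(ip)
    if record.get("CIDR"):
        # ARIN may list several prefixes separated by commas.
        return any(addr in ipaddress.ip_network(c.strip(), strict=False)
                   for c in record["CIDR"].split(","))
    lo, _, hi = record["NetRange"].partition("-")
    return ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip())


def referral_server(record):
    """If the answer only says the block is delegated to another registry,
    return that registry's whois server; otherwise None."""
    net_type = record.get("NetType", "")
    if not net_type.startswith("Allocated to"):
        return None
    for rir, server in RIR_SERVERS.items():
        if rir in net_type:
            return server
    return None


def whois_query(server, query, timeout=10):
    """Raw whois: TCP to port 43, send the query plus CRLF, read until the
    server closes the connection.  Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    for ip, text in (("137.108.143.49", ARIN_OU), ("211.117.106.92", ARIN_APNIC)):
        rec = parse_whois(text)
        print(ip, "covered by", rec.get("CIDR"), "->", block_contains(rec, ip))
        print("  referral:", referral_server(rec) or "none, this is the holder")
```

The referral check is the practical point: when the first registry answers "Allocated to APNIC", the record describes the registry, not the network owner, and the same query has to be repeated against that registry's own whois server before there is anyone to complain to.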


©2003 - 2006 miniTutorials.com