Network security is an integrated and complex undertaking, and no set of security measures can be guaranteed to be foolproof. For important organizations, therefore, it is essential to know how, once a network attack has occurred, to trace it back to the attacker and hold them accountable.
Tracing a network attack means finding the source of the incident. This has two parts: first, identifying the attacker's IP address, MAC address or host name; second, determining the attacker's identity. During or after an attack, the attacker inevitably leaves some clues, such as log records or changed file permissions, which constitute virtual evidence. Handling this virtual evidence correctly is the greatest challenge in tracing network attacks.
Another issue to consider when tracing network attacks is that an IP address is a virtual address rather than a physical one and can easily be forged; most network attacks make use of IP address spoofing. Tracing such an attack back to the IP address it appears to come from does not give the correct source, which makes identifying the attacker on the basis of IP address alone much harder. Methods are therefore needed to see through the attacker's deception and find the real IP address of the attack source.
★ The netstat command - a real-time look at who is connected
The netstat command lists the IP addresses of all users currently connected to the host being examined. The Windows family, the Unix family, Linux and other popular network operating systems all provide a netstat command.
The shortcoming of netstat is that it shows only current connections: if the attacker is not connected at the moment netstat is run, no trace of them will be found. To address this, use the system scheduler to run netstat at a fixed interval and append its output to a text file (netstat >> textfile) so that every check is recorded; the accumulated file can then be used when tracing a network attack.
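The scheduled-snapshot idea above, written out as an added example (this is not code from the original article): one function appends a timestamped netstat listing to a text file and is meant to be run from cron, and a second function pulls the remote addresses of established TCP connections back out of the saved snapshots. The snapshot file contents, the log path and the cron schedule are assumptions; the sample snapshot is constructed from RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original article: periodic netstat snapshots
# appended to a text file, plus a helper that extracts the remote addresses of
# established TCP connections from those snapshots.

# Append one timestamped connection snapshot to the log file given as $1.
# Intended to run from cron, for example every 5 minutes (assumed schedule):
#   */5 * * * * /usr/local/bin/conn-snapshot.sh /var/log/conn-snapshots.log
snapshot_connections() {
    logfile="$1"
    {
        printf '=== %s ===\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        # netstat is present on most systems; fall back to ss on newer Linux.
        netstat -an 2>/dev/null || ss -tan
    } >> "$logfile"
}

# Print the unique remote addresses of ESTABLISHED TCP connections found in a
# snapshot file. Assumes the common netstat layout: column 5 is the foreign
# address and the last column is the state. The trailing ":port" is stripped
# so that IPv4 and IPv6 addresses both come out whole.
remote_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            sub(/:[0-9]+$/, "", $5); print $5
         }' "$1" | sort -u
}

# Constructed sample snapshot (RFC 5737 documentation addresses, not real hosts).
SAMPLE_SNAPSHOT='=== 2024-01-01T00:00:00Z ===
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           203.0.113.5:51514       ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:40022      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:40023      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

# Demo on the constructed sample so the script runs without a live netstat.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SNAPSHOT" > "$demo_file"
remote_peers "$demo_file"
rm -f "$demo_file"
```

Only ESTABLISHED connections are reported, so half-open or closing states (TIME_WAIT, SYN_RECV) do not pollute the list; if those matter for an investigation, relax the state test in the awk condition.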
★ Log data - the most detailed record of an attack
System logs provide detailed records of user logins. In tracing network attacks, these data are the most direct and effective evidence. However, some systems log imperfectly, and network attackers often remove the records of their activity from the system logs. Remedial measures are therefore needed to ensure the integrity of the log data.
Unix and Linux logs
Unix and Linux log files record a user's activities in considerable detail: the user name of the login ID, the user's IP address and port number, login and logout times, the last login time for each ID, the terminal used, the commands executed, and the user ID of the account. Together with the terminal name (ttyname) and the source address, this information is the most important data for tracing network attacks.
Most attackers delete the records of their activity from the logs, and activity over UDP or through the X Window System is often not logged at all, which makes the tracer's job harder. To address this, a wrapper tool (TCP Wrappers, for example) can be run on the system. It records a user's service requests and all of their activity, and is not easily discovered by the attacker, so it effectively prevents attackers from covering their tracks by deleting the records of their activity.
Windows NT and Windows 2000 logs
Windows NT and Windows 2000 keep three logs: the system log, the security log and the application log. Security-related data is held in the security log, which records user login information. What the security log records depends on its configuration, so it should be configured sensibly according to security needs in order to obtain the data required to protect the system.
However, the Windows NT and Windows 2000 security log has a significant shortcoming: it does not record the source of an event, so the attacker's source address cannot be traced from the security log data alone. To address this, a third-party tool can be installed to record the audit data.
Firewall Log
As the network's "bastion host", the firewall is far less likely to be compromised by a network attacker than the hosts behind it. Its log data is therefore relatively hard to modify, and it provides the best information about the source address of an attack.
However, the firewall is not impossible to break, and its logs may also be deleted or modified. An attacker can launch a denial-of-service attack against the firewall so that it stalls or at least slows down and cannot respond to events in time, thereby undermining the integrity of the firewall log. Before using a firewall log, therefore, a dedicated tool should be run to check its integrity, so that incomplete data does not waste tracking time.
★ Raw packet data - a more reliable method
Because the host itself may have been compromised, the information in the system logs is sometimes unreliable. Capturing raw packets and analysing them is therefore another major method of determining the source of an attack, and a more reliable one.
★ Header data analysis
★ Capturing packets
In a switched network environment, packet capture is more difficult, mainly because hubs and switches exchange data in fundamentally different ways. A hub uses broadcast transmission: it does not support connections but sends each packet to every port except the source port, so any machine connected to the hub can capture its packets. A switch supports end-to-end connections: when a packet arrives, the switch establishes a temporary connection and transmits the packet through it to the destination port alone. Capturing packets in a switched environment is therefore not an easy task. To obtain packets in a switched environment, the following approaches can be used:
(1) Configure a "spanning port" (mirror port) on the switch so that it behaves like a hub: packets passing through that port are no longer delivered only to the destination host but are broadcast to all machines connected to the port. A packet-capture host attached there can then capture the packets passing through the spanning port. However, a switch can have only one port set as a spanning port at a time, so packets for several hosts cannot be captured simultaneously.
(2) Install a hub between switches, or between a router and a switch. A capture host connected to the hub can then capture the packets passing through it.
When using captured packets to obtain the attacker's source address, two problems need attention. First, make sure the capture host has enough storage space; if network throughput is high, the disk fills very quickly. Second, when analysing the packets, write a small program to analyse them automatically, since analysing so much data by hand is impossible.
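The "small program to analyse the packets automatically" that the text calls for, as an added example that is not part of the original article: it counts packets per source address in a text-form capture and lists the busiest senders, which is the first question an investigator asks of a large capture. The input format is assumed to be the one-line-per-packet text that tcpdump -n prints; the interface name and the sample capture lines are constructed (RFC 5737 documentation addresses, not real traffic).

```shell
#!/bin/sh
# Added example, not part of the original article: automated first-pass
# analysis of a text-form packet capture, counting packets per source address.
# Assumed input format is tcpdump -n text output, one packet per line, e.g.
#   12:00:01.000001 IP 203.0.113.5.51514 > 192.0.2.10.22: Flags [S], ...
# A live capture in that form could be produced with (interface name assumed):
#   tcpdump -n -i eth0 > capture.txt

# Print "count source_address" lines, busiest source first.
# Field 2 is the address family ("IP"; IPv6 lines say "IP6" and are skipped
# here), field 3 is "src.port"; the trailing ".port" is stripped.
top_sources() {
    awk '$2 == "IP" { src = $3; sub(/\.[0-9]+$/, "", src); n[src]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Report only the single busiest source address.
busiest_source() {
    top_sources "$1" | head -n 1 | awk '{ print $2 }'
}

# Constructed sample capture (RFC 5737 documentation addresses, not real traffic).
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.5.51514 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000105 IP 192.0.2.10.22 > 203.0.113.5.51514: Flags [S.], seq 0, ack 2, win 65160, length 0
12:00:01.000210 IP 203.0.113.5.51514 > 192.0.2.10.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 198.51.100.7.40022 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.500000 IP 203.0.113.5.51515 > 192.0.2.10.23: Flags [S], seq 1, win 64240, length 0'

# Demo on the constructed sample so the script runs without a live capture.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CAPTURE" > "$demo_file"
top_sources "$demo_file"
rm -f "$demo_file"
```

On the sample, 203.0.113.5 appears as the source of three packets and tops the list. Because the capture records what actually arrived on the wire, a spoofed source address shows up here exactly as the attacker forged it; the count tells you where the packets claim to come from, and the text's warning about IP spoofing still applies when interpreting it.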
★ Search engines - perhaps an unexpected surprise
Using search engines to obtain a network attacker's source address has no theoretical basis, but it often produces unexpected results and brings pleasant surprises to the tracing effort. Hackers often have their own virtual communities on the Internet, where they discuss network attack techniques and show off their results. Consequently, information about their attack sources, and even their identities, is frequently exposed there.
To trace a network attacker's IP address with a search engine, use a good search engine (such as Sohu's) to search web pages, with the attacked host's domain name, IP address or host name as the keywords, and look for posts about attacks on the machine those keywords denote. Although network attackers generally use a forged source address when posting, many become careless at this point and use their real source address. This method can therefore often uncover a network attacker's tracks unexpectedly.
Because the authenticity of the source addresses in posts on the network cannot be guaranteed, using them without analysis may implicate innocent users. Nevertheless, when combined with the other methods, search engines are still very useful.