1. First, these cautions:
a) Source IP addresses can be spoofed. That is, the source IP address reported in your firewall log is not necessarily the real source.
However, if the source IP address is spoofed, any replies go back to the computer at the spoofed address instead of to the real source. Spoofing is therefore practical mainly for one-way or connectionless traffic (UDP, ICMP, TCP SYN floods), which is why it is common in Denial of Service (DoS) attacks; a completed TCP connection is much harder to fake.
b) The computer at the source IP is often a zombie. That is, it belongs to another victim and is under the remote control of an attacker (today typically as one machine in a botnet), or it is infected with a worm or other malware that scans for further hosts on its own.
c) The computer at the source IP address may simply be misconfigured, or may be trying to reconnect to the computer that previously held your (dynamically assigned) IP address.
In any of these cases, the computer at the reported IP address belongs to another, innocent person. That said, its owner will generally appreciate being politely notified if your research shows that they "seem to have a security problem."
2. Some IP address ranges are reserved for special use and are "non-routable" on the public Internet (so-called "bogon" prefixes; bogon lists also include address blocks that have not yet been allocated to anyone). A whois lookup on such an address is meaningless: the address identifies a host only on a particular LAN, or on the local computer itself.
However, some ISPs, notably Hughes Satellite, protect their customers by placing them behind NAT routers, so one customer sees other customers as having non-routable (private) IP addresses.
If your ISP does this, traffic from a non-routable IP address can be originating with another customer of your ISP. While you won't be able to determine directly which of their other customers had a given non-routable IP address at a given point in time, your ISP should be able to, so include the exact timestamp (and time zone) when you ask.
The main non-routable ranges are:
10.0.0.0 – 10.255.255.255 (10.0.0.0/8, private LAN, RFC 1918)
172.16.0.0 – 172.31.255.255 (172.16.0.0/12, private LAN, RFC 1918)
192.168.0.0 – 192.168.255.255 (192.168.0.0/16, private LAN, RFC 1918)
127.0.0.0 – 127.255.255.255 (127.0.0.0/8, loopback: lets one process on a computer talk to another process on the same computer)
169.254.0.0 – 169.254.255.255 (169.254.0.0/16, link-local: a host assigns itself one of these when no DHCP server answers, RFC 3927)
More bogons are listed here (the list changes as new blocks are allocated, so use a current copy): »www.completewhois.com/bogons/dat···iana.txt
Some IP address ranges have other special uses, which are documented in RFC 3330: »ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt (RFC 3330 has since been superseded by RFC 5735 and then RFC 6890, which carry the current list.)
3. You can look up routable IP addresses (that is, find out which organisation or ISP the address block is registered to) at any of these whois sites, or with the whois tool that ships with most Unix-like systems:
www.dnsstuff.com
www.broadbandreports.com/whois
www.centralops.net/co/ (Domain Dossier)
www.samspade.org (IP whois)
You can check whether myNetWatchman and DShield participants are seeing events from the same source IP address here: www.MyNetWatchman.com (see "Look Up Incidents by IP Address") and www.DShield.com (see "Submit"). If many other sites see the same source, it is more likely a compromised or scanning host than a misconfiguration aimed at you.
4. Often the email addresses in the whois record are out of date. You can generally reach the administrator of the domain by emailing one of: abuse@, wanabuse@, cirt@, cert@, antispam@, postmaster@, admin@ or info@xxxxxx.yyy, where xxxxxx is the domain and yyy is the top-level domain (TLD: .com, .org, .co.uk, whatever). abuse@ and postmaster@ are the standard role mailboxes defined in RFC 2142, so try those first. Note that the domain to contact is the one that owns the address block (the ISP shown in the whois record), not a domain that merely happens to resolve to the address.
5. You can research the associated ports from the links here: /faq/8226 (Why am I being probed on port XXX?) and »isc.incidents.org/ (the SANS Internet Storm Center).
6. If you're stuck, feel free to post what information you have been able to gather in the BBR Security Forum and let us know your question. Be sure to give the full description of the event: port number, protocol (TCP or UDP) and both IP addresses. For your own privacy, it is a good idea to disguise the last two octets of your own IP address (123.123.xxx.xxx). /forum/security,1
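As an added example (this is not part of the original FAQ, and not code from any of the sites it links to), the following Python script walks a constructed firewall log through steps 2, 4 and 6 above: it flags source addresses that fall in the non-routable ranges listed on this page (plus the link-local block), builds the list of candidate administrator mailboxes for a domain that a whois lookup would have given you, and masks the last two octets of your own address before you post. The log line format and the domain example.net are assumptions made for the example; the actual whois and DShield/myNetWatchman lookups need network access and are left to those sites or the command-line whois tool.

```python
import ipaddress
import re

# Non-routable / special-use IPv4 ranges as listed in this FAQ, plus the
# link-local block (RFC 3927, also in RFC 3330). Other special-use blocks
# exist; extend this table from RFC 6890 or a current bogon list.
NON_ROUTABLE = {
    "10.0.0.0/8":     "private LAN (RFC 1918)",
    "172.16.0.0/12":  "private LAN (RFC 1918)",
    "192.168.0.0/16": "private LAN (RFC 1918)",
    "127.0.0.0/8":    "loopback",
    "169.254.0.0/16": "link-local (RFC 3927)",
}
_NETS = [(ipaddress.ip_network(cidr), why) for cidr, why in NON_ROUTABLE.items()]

# Role mailboxes the FAQ suggests trying; abuse@ and postmaster@ are the
# RFC 2142 standard names, so they come first.
ABUSE_MAILBOXES = ("abuse", "postmaster", "wanabuse", "cirt", "cert",
                   "antispam", "admin", "info")

# Hypothetical firewall log format, constructed for this example:
#   <date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def classify(ip):
    """Why `ip` is non-routable (per the table above), or None if it looks routable."""
    addr = ipaddress.ip_address(ip)
    for net, why in _NETS:
        if addr in net:
            return why
    return None


def abuse_contacts(domain):
    """Candidate administrator addresses for `domain` (step 4), standard names first."""
    return [f"{box}@{domain}" for box in ABUSE_MAILBOXES]


def mask_own_ip(ip):
    """Disguise the last two octets of your own address before posting it (step 6)."""
    first, second, _, _ = ip.split(".")
    return f"{first}.{second}.xxx.xxx"


def triage(line):
    """Turn one log line into the facts the FAQ says to gather, plus a next step."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    reason = classify(m["src"])
    if reason is None:
        next_step = "routable: look up the block owner in whois, then check DShield/myNetWatchman"
    else:
        next_step = (f"non-routable ({reason}): not on the Internet; "
                     "check your own LAN, or ask your ISP if it NATs customers")
    return {
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "src": m["src"],
        "dst": mask_own_ip(m["dst"]),  # your own address, masked for posting
        "next_step": next_step,
    }


def triage_log(text):
    """Triage every parseable line of a log; lines that do not match are skipped."""
    return [t for t in (triage(ln) for ln in text.splitlines()) if t]


# Constructed sample log. The addresses come from the RFC 5737 documentation
# ranges or the private/loopback blocks above, so none belongs to a real host.
SAMPLE_LOG = """\
2005-01-09 03:14:07 DROP TCP 203.0.113.45:3456 -> 198.51.100.23:445
2005-01-09 03:14:09 DROP UDP 10.0.0.7:1026 -> 198.51.100.23:137
2005-01-09 03:14:11 DROP TCP 127.0.0.1:4000 -> 198.51.100.23:80
2005-01-09 03:14:12 kernel: link up
"""

if __name__ == "__main__":
    for ev in triage_log(SAMPLE_LOG):
        print(f"{ev['proto']}/{ev['dport']} from {ev['src']} to {ev['dst']}: {ev['next_step']}")
    # example.net stands in for whatever domain the whois record names
    print("If whois names example.net, try:", ", ".join(abuse_contacts("example.net")[:3]))
```

The first sample line (a routable source hitting TCP/445) is the case worth a whois and a DShield check; the second and third carry private and loopback sources, which can only have come from your own LAN, your ISP's NAT, or a spoofer, so no whois lookup will tell you anything about them.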
Additional links:
Firewall forensics: »www.robertgraham.com/pubs/firewall-seen.html
»www.neohapsis.com/neolabs/neo-ports/
»www.sans.org/rr/papers/27/652.pdf
»www.cert.org/archive/pdf/03tr001.pdf
»www.cert.org/security-improvemen···046.html
Recent changes:
2005-01-09 - Removed dead link to bankes.com. Added links to mynetwatchman.com and dshield.com to part 3.
by keith2468, edited by JMGullett. Last modified: 2007-06-06 16:09:55