Transcript IP Tracing
CSC586 Network Forensics
IP Tracing/Domain Name Tracing
In this lesson you will learn:
What IP address and domain name lookup are
and when to use them
What an IP trace is and when to use it
What IP geolocation is and how to use it
What a proxy server is
What fast flux malware is
IP Address Background
IP addresses are managed by the Internet
Assigned Numbers Authority (IANA)
Large blocks are allocated to one of 5 Regional Internet
Registries (RIRs), which assign smaller blocks to ISPs and organizations and publish who holds each block (this is the data a whois lookup returns):
American Registry for Internet Numbers - ARIN,
RIPE Network Coordination Centre - RIPE NCC,
Asia-Pacific Network Information Centre - APNIC,
Latin American & Caribbean Internet Registry - LACNIC
African Network Information Centre - AfriNIC
IP Address Background (2)
Public vs. Private IP Addresses
Public addresses – globally unique so that no two hosts on the
Internet conflict – used on the WAN
Private addresses – used on the LAN; unique only within the
scope of that LAN and never routed on the public Internet, so the
same 192.168.1.20 exists on millions of networks and cannot be
traced through a registry
Private address ranges (RFC 1918):
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
IP Address Background (3)
3 classes of IP addresses are commonly referred to (the classful
scheme was replaced by CIDR in 1993, but the names survive):
Class A – first octet 1–126, /8 networks – large networks with many devices
Class B – first octet 128–191, /16 networks – medium sized networks
Class C – first octet 192–223, /24 networks – small networks
A registry allocation today can be any prefix length, so treat the
class as a rough hint only and rely on the CIDR block whois returns
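The first step in practice is to decide which addresses in a log are even worth sending to a registry or geolocator: anything in the RFC 1918 ranges, loopback, link-local or multicast space tells you nothing about a remote party. The script below is an added example written for this lesson (not from the lecture): it pulls IPv4 literals out of constructed firewall log lines, filters out the untraceable ones with the reasons, and labels the remainder with the historical class as a sanity check. The log lines are invented, and 203.0.113/24 and 198.51.100/24 are documentation ranges standing in for public addresses.

```python
import ipaddress
import re

# The three RFC 1918 private ranges from the slides, as CIDR prefixes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def historical_class(ip: str) -> str:
    """Classful label from the first octet (obsolete since CIDR, but still used as shorthand)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E (multicast or reserved)"


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def extract_ipv4(text: str) -> list:
    """Every valid IPv4 literal in the text, first occurrence only, in order of appearance."""
    found = []
    for literal in IPV4_LITERAL.findall(text):
        try:
            ipaddress.IPv4Address(literal)
        except ipaddress.AddressValueError:
            continue  # "999.1.2.3" satisfies the regex but is not an address
        if literal not in found:
            found.append(literal)
    return found


def triage(text: str) -> dict:
    """Split the addresses in a log into those a registry can tell you about and those it cannot."""
    lookup, skip = [], []
    for ip in extract_ipv4(text):
        addr = ipaddress.IPv4Address(ip)
        if is_rfc1918(ip):
            skip.append((ip, "RFC 1918 private: meaningful only inside the LAN that logged it"))
        elif addr.is_loopback:
            skip.append((ip, "loopback"))
        elif addr.is_link_local:
            skip.append((ip, "link-local (169.254/16), never routed"))
        elif addr.is_multicast:
            skip.append((ip, "multicast"))
        else:
            lookup.append((ip, historical_class(ip)))
    return {"lookup": lookup, "skip": skip}


# Constructed firewall log lines (not a real capture).
SAMPLE_LOG = """\
2009-03-02 10:14:07 src=192.168.1.20 dst=203.0.113.45 dport=80 action=allow
2009-03-02 10:14:09 src=192.168.1.20 dst=10.0.0.5 dport=445 action=allow
2009-03-02 10:15:31 src=172.16.4.9 dst=198.51.100.7 dport=443 action=deny
2009-03-02 10:16:02 src=127.0.0.1 dst=169.254.1.1 dport=53 action=deny
2009-03-02 10:17:44 src=172.31.255.254 dst=172.32.0.1 dport=80 action=allow
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, cls in result["lookup"]:
        print("whois/geolocate:", ip, "(historical class %s)" % cls)
    for ip, why in result["skip"]:
        print("skip:", ip, "-", why)
```

Note the last log line: 172.31.255.254 is the top of the 172.16/12 private block and is skipped, while 172.32.0.1, one address later, is public and goes to the lookup list. Getting that boundary wrong is a common mistake when the /12 is remembered as "172.16.x.x".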
IP Address and
Domain Name Lookup
What it is
A whois lookup. The RIRs (ARIN, RIPE NCC, ...) and the domain
registrars keep public records of who was allocated an address block
or who registered a domain name. The whois protocol (TCP port 43)
and many web front ends let you enter an IP address or domain name
and return that record
How to use it
Enter the suspect IP address or domain name and the registration
information will be displayed: registrant, registrar, creation and
expiry dates, abuse contact, name servers and, for an address, the
allocated CIDR block and the organization holding it
IP Address and
Domain Name Locators
Forensic use
Used to identify the holder of an address or the registrant of a site visited
Registrant information is often made up or hidden behind a
privacy/proxy registration service, so it is often necessary to
subpoena the registrar for the payment (credit card) details to
identify the real owner
Examples of problems with sites are
Domain name squatters
Typo squatters
Phishing
DNS spoofing
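Whois output is free text, so most of the work is pulling the fields an examiner acts on out of it and noticing the warning signs named above (a privacy/proxy registrant, a domain registered days ago). The parser below is an added example for this lesson, not a tool from the lecture. It handles the "Key: Value" layout that gTLD registries and registrars return; the sample record is constructed (example.com is an IANA-reserved name and every value is illustrative), the PRIVACY_MARKERS list and the 30-day "newly registered" threshold are my assumptions, and date formats vary between whois servers, so the strptime pattern is written for the ISO 8601 form used in the sample.

```python
from datetime import datetime

# Constructed whois record (not a real lookup) in the usual "Key: Value" layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2009-02-20T00:00:00Z
Registry Expiry Date: 2010-02-20T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Whois Privacy Service, LLC
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
DNSSEC: unsigned
>>> Last update of whois database: 2009-03-02T10:00:00Z <<<
% Terms of use: this data is provided for lawful purposes only.
"""

# Assumed markers of a privacy/proxy registration rather than a real registrant.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "domains by proxy")


def parse_whois(text: str) -> dict:
    """Collect 'Key: Value' lines into a dict (keys lower-cased); repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue  # footer, comments and terms-of-use text
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def summarize(record: dict, as_of: str) -> dict:
    """Pull out the fields an examiner acts on and flag the usual warning signs.

    as_of is the date of the examination as YYYY-MM-DD, so the domain age is reproducible.
    """
    registrant = " ".join(str(record.get(k, "")) for k in
                          ("registrant name", "registrant organization", "registrant email")).lower()
    privacy = any(marker in registrant for marker in PRIVACY_MARKERS)
    created = record.get("creation date")
    age_days = None
    if created:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")  # format seen in the sample
        age_days = (datetime.strptime(as_of, "%Y-%m-%d") - created_dt).days
    ns = record.get("name server", [])
    flags = []
    if privacy:
        flags.append("privacy/proxy registrant: subpoena the registrar for payment details")
    if age_days is not None and age_days < 30:  # assumed threshold
        flags.append("registered %d days ago: typical of phishing and typo-squatting domains" % age_days)
    return {
        "domain": record.get("domain name"),
        "registrar": record.get("registrar"),
        "abuse_contact": record.get("registrar abuse contact email"),
        "created": created,
        "age_days": age_days,
        "name_servers": ns if isinstance(ns, list) else [ns],
        "privacy_protected": privacy,
        "flags": flags,
    }


def analyze_whois(text: str, as_of: str) -> dict:
    return summarize(parse_whois(text), as_of)


if __name__ == "__main__":
    for key, value in analyze_whois(SAMPLE_WHOIS, "2009-03-02").items():
        print("%-18s %s" % (key, value))
```

The abuse contact and registrar are what you send the preservation request to; the name servers are the next thing to look up, because a phishing domain's DNS is frequently hosted by the same operator as the site. Registries have since been moving whois to RDAP, which returns the same data as JSON and is easier to parse than this text format.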
Domain Name Locators
Web tools available:
ARIN (whois.arin.net)
Sam Spade
whois (command-line client, queries TCP port 43)
RIPE (whois.ripe.net)
Many others
Domain Name Locators
Example
IP Trace
What it is
The tracert / traceroute tool shows the route a packet follows
from your host to a destination. It sends probes with an IP
time-to-live (TTL) of 1, 2, 3, ...; each router that decrements the
TTL to zero discards the probe and returns an ICMP "time exceeded"
message, so the source address of each reply identifies one hop
How to use it
List the IP address or fully qualified domain name after the tracert
command; the output lists the name and IP address of the destination
and of every hop along the way, with three round-trip times per hop.
A hop that does not reply (ICMP filtered) shows as * * *
IP Trace
Forensic use
Traces the route the packets took from the examiner's host to the
suspect address
The last hops before the destination identify the ISP or hosting
provider (or a proxy) in front of the suspect
The route can also suggest the general location of the suspect:
router names often embed city or airport codes, and a large jump in
round-trip time marks a long-haul link
Caveat: this is the path from your vantage point, not the suspect's,
and it shows nothing behind the last responding hop (NAT, VPN, proxy)
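Reading a trace by eye works for one case; for a batch of them it helps to parse the output and pull out the facts the slides name: whether the destination answered, which hops timed out, the last public hop in front of the target (usually its ISP or hosting provider), and the largest latency jump. The parser below is an added example for this lesson, not a tool from the lecture; it accepts the Linux traceroute and Windows tracert formats, and both sample traces are constructed (the hosts, addresses and timings are invented; 198.51.100/24 and 203.0.113/24 are documentation ranges).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hop:
    number: int
    host: Optional[str]           # None when all three probes timed out
    ip: Optional[str]
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def best_rtt(self) -> Optional[float]:
        return min(self.rtts_ms) if self.rtts_ms else None


TARGET = re.compile(r"^(?:traceroute to|Tracing route to)\s+(\S+)\s+[(\[](\d+\.\d+\.\d+\.\d+)[)\]]")
# Linux:   " 3  core1.isp-a.example (198.51.100.1)  10.912 ms  10.870 ms  10.851 ms"
LINUX_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
LINUX_ADDR = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")
LINUX_RTT = re.compile(r"(\d+(?:\.\d+)?)\s*ms")
# Windows: "  4    89 ms    88 ms    88 ms  www.example.net [203.0.113.45]"
WIN_HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.+?)\s*$")
WIN_ADDR = re.compile(r"^(?:(\S+)\s+)?\[?(\d+\.\d+\.\d+\.\d+)\]?$")
WIN_RTT = re.compile(r"<?(\d+)\s*ms")   # "<1 ms" is recorded as 1


def parse_traceroute(text: str) -> dict:
    """Parse Linux traceroute or Windows tracert output into a target and a list of hops."""
    target, target_ip, hops = None, None, []
    for line in text.splitlines():
        m = TARGET.match(line)
        if m:
            target, target_ip = m.group(1), m.group(2)
            continue
        m = WIN_HOP.match(line)
        if m:
            n, timing, rest = int(m.group(1)), m.group(2), m.group(3)
            rtts = [float(x) for x in WIN_RTT.findall(timing)]
            a = WIN_ADDR.match(rest)      # no match on "Request timed out."
            hops.append(Hop(n, a.group(1) or a.group(2), a.group(2), rtts) if a else Hop(n, None, None, rtts))
            continue
        m = LINUX_HOP.match(line)
        if m:
            n, rest = int(m.group(1)), m.group(2)
            a = LINUX_ADDR.search(rest)   # first address only; load-balanced hops may list several
            rtts = [float(x) for x in LINUX_RTT.findall(rest)]
            hops.append(Hop(n, a.group(1), a.group(2), rtts) if a else Hop(n, None, None, rtts))
    return {"target": target, "target_ip": target_ip, "hops": hops}


def analyze(trace: dict) -> dict:
    """The facts an examiner wants from a trace: reached?, gaps, last public hop, biggest RTT jump."""
    hops = trace["hops"]
    responding = [h for h in hops if h.ip]
    reached = bool(responding) and responding[-1].ip == trace["target_ip"]
    # RFC 1918 hops belong to a LAN (yours or the target's), not to any registry.
    private = {h.number for h in responding if any(ipaddress.ip_address(h.ip) in n for n in RFC1918)}
    before_dest = [h for h in responding if h.ip != trace["target_ip"] and h.number not in private]
    jump = None
    for prev, cur in zip(responding, responding[1:]):
        if prev.best_rtt is None or cur.best_rtt is None:
            continue
        delta = round(cur.best_rtt - prev.best_rtt, 3)
        if jump is None or delta > jump[2]:
            jump = (prev.number, cur.number, delta)
    return {"reached": reached,
            "timeouts": [h.number for h in hops if not h.ip],
            "last_public_hop": before_dest[-1].ip if before_dest else None,
            "largest_rtt_jump": jump}


# Constructed traces (not real captures).
SAMPLE_LINUX = """\
traceroute to www.example.net (203.0.113.45), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.412 ms  0.388 ms  0.371 ms
 2  10.20.0.1 (10.20.0.1)  9.804 ms  9.791 ms  9.775 ms
 3  core1.isp-a.example (198.51.100.1)  10.912 ms  10.870 ms  10.851 ms
 4  * * *
 5  peer.isp-b.example (198.51.100.129)  88.301 ms  88.276 ms  88.250 ms
 6  www.example.net (203.0.113.45)  89.117 ms  89.040 ms  88.992 ms
"""
SAMPLE_WINDOWS = """\
Tracing route to www.example.net [203.0.113.45]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    10 ms    10 ms     9 ms  10.20.0.1
  3     *        *        *     Request timed out.
  4    89 ms    88 ms    88 ms  www.example.net [203.0.113.45]

Trace complete.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        print(analyze(parse_traceroute(sample)))
```

In the Linux sample the 77 ms jump between hops 3 and 5 is the kind of signal that points at a long-haul link, and hop 5 (198.51.100.129) is the address to send to whois to name the provider in front of the target. Hop 4 answered nothing, which is normal for routers that drop ICMP; it does not mean the path is broken.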
IP Trace
Example
IP Trace
Tracing tools available
Command line:
Windows NT, 2000, XP, Vista: tracert, pathping
Linux, Unix: traceroute
Graphical / online:
NeoTrace
Visual Route Lite
IP Geolocators
What it is
IP geolocators map an address to a place. They do not locate the
user's machine: the database is built from registry (whois)
allocations and ISP data, so the answer is usually the city of the
ISP gateway or point of presence that serves the address, and it can
be off by a region when the block is large or has been reassigned
How to use it
Enter the suspect IP address; the tool shows the country, region or
city and ISP, with location details generally accurate only up to the
ISP gateway of the address
IP Geolocators
Forensic use
Used to determine a suspect's approximate location
Used to validate online sales addresses (billing address vs. the
location of the ordering IP)
Banking authentication (a login from an unexpected country triggers
extra verification)
Caveat: a proxy, VPN or mobile carrier gateway places the user
wherever that gateway geolocates, not where the user is
IP Geolocators
Examples
IP Geolocators
Tools available, with different granularity:
Whois http://cqcounter.com/whois/
IP_address.com
Many other tools showcased at
www.tracemyspace.com
Proxy Servers
What they are
Proxy servers service client requests by forwarding them to other
servers on behalf of the client, so the destination sees the proxy's
address rather than the client's
Used to make web surfing anonymous
A circumventor is a proxy server that allows access to a blocked
web site through an allowed web site
How to use them
To mask your IP address and reach a site that your company, school,
etc. does not allow, go to www.youhide.com and enter the web site you
want to visit; every request then passes through the proxy operator's
server, which sees the full URL and, for plain HTTP, the content
Proxy Servers
Forensic use
When a proxy server is identified in an IP trace, the organization
running the server must be issued a subpoena (preceded by a
preservation request) for the user information in its logs
The proxy's log records the client's IP address, the time and the
requested URL, so it can show where the user was connecting to and
from which address
Because the proxy relays the traffic, its logs or captures may also
provide credit card and password information sent over
unencrypted connections
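What a proxy does to a request, and what it is left holding afterwards, decides what a subpoena can recover. The code below is an added example for this lesson (not from the lecture and not any real proxy product): it rewrites a proxy-style HTTP request into the one the origin server receives, in either anonymizing mode (no X-Forwarded-For, so the origin only ever logs the proxy's address) or transparent mode, and builds the proxy's own log entry, which is the record an investigator asks the operator to search. The client requests, addresses and timestamps are constructed; the find_clients function stands in for the operator's log search.

```python
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Headers addressed to the proxy itself; they must not be passed to the origin server.
PROXY_ONLY_HEADERS = {"proxy-connection", "proxy-authorization", "connection"}


@dataclass
class ProxyLogEntry:
    ts: str          # when the proxy handled the request (ISO 8601, so strings compare in order)
    client_ip: str   # address the client connected from: the fact the origin server never sees
    method: str
    url: str         # full URL including the query string
    upstream: str    # host the proxy connected to on the client's behalf


def forward_request(raw: bytes, client_ip: str, ts: str,
                    anonymous: bool = True) -> Tuple[bytes, str, ProxyLogEntry]:
    """Turn a proxy-style request (absolute URL in the request line) into what the origin gets.

    Returns (bytes sent upstream, upstream host, the proxy's own log entry).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in PROXY_ONLY_HEADERS or name.strip().lower() == "host":
            continue
        headers.append((name.strip(), value.strip()))
    headers.append(("Host", parts.netloc))
    if not anonymous:
        # A transparent proxy discloses the real client; an anonymizing one does not.
        headers.append(("X-Forwarded-For", client_ip))
    upstream = "%s %s %s\r\n" % (method, path, version)
    upstream += "".join("%s: %s\r\n" % h for h in headers) + "\r\n"
    entry = ProxyLogEntry(ts, client_ip, method, url, parts.netloc)
    return upstream.encode("iso-8859-1") + body, parts.netloc, entry


def find_clients(log: List[ProxyLogEntry], host: str, start: str, end: str) -> List[ProxyLogEntry]:
    """The question a subpoena asks: who used this proxy to reach `host` between start and end?"""
    return [e for e in log if e.upstream == host and start <= e.ts <= end]


# Constructed client traffic (not real). The first request carries a password in the query
# string, which is exactly what ends up in the proxy's log.
SAMPLE_REQUESTS = [
    ("192.0.2.77", "2009-03-02T10:14:07Z",
     b"GET http://www.example.net/login?user=alice&pass=hunter2 HTTP/1.1\r\n"
     b"Host: www.example.net\r\nUser-Agent: Mozilla/4.0\r\n"
     b"Proxy-Connection: keep-alive\r\nProxy-Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"),
    ("192.0.2.91", "2009-03-02T10:20:30Z",
     b"POST http://mail.example.org/send HTTP/1.1\r\nHost: mail.example.org\r\n"
     b"Content-Length: 9\r\n\r\nhello=yes"),
]


def run_proxy(requests=SAMPLE_REQUESTS) -> List[ProxyLogEntry]:
    """Push the sample requests through the proxy and return the log it accumulates."""
    log = []
    for client_ip, ts, raw in requests:
        _, _, entry = forward_request(raw, client_ip, ts)
        log.append(entry)
    return log


if __name__ == "__main__":
    for entry in run_proxy():
        print(entry)
    print(find_clients(run_proxy(), "www.example.net", "2009-03-02T10:00:00Z", "2009-03-02T10:30:00Z"))
```

Two things to take from the output: the origin server's log for the login shows 203.0.113-style proxy traffic with no trace of 192.0.2.77, so without the proxy log the trail ends at the proxy; and the proxy log line contains "pass=hunter2" verbatim, which is why the slides say a proxy's records may hand over passwords.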
Proxy Servers
Example
Proxy Servers
Tools available
youHide.com
MySpaceProxy www.fastproxynetwork.com
Anonymous proxy www.zend2.com
Fast Flux Malware
What it is
A DNS technique that hides phishing and malware sites behind a
constantly changing set of compromised hosts (typically home PCs in
a botnet) that act as proxies
How it is used
Multiple addresses are assigned to a fully qualified domain name
with very short TTLs (minutes), and the set of addresses returned
changes from one lookup to the next
Each front-end node usually runs a reverse proxy that relays the
request to the real ("mothership") server
Double flux also rotates the domain's name servers (NS records)
Used for cyber crime
Fast Flux Malware
Forensic issues:
A traditional phishing site hosted on one or a few compromised
systems was relatively simple to shut down; a fast flux network is not
One mothership acts as the back end, which makes it easier for
criminals to manage and harder for law enforcement (LE) to work
through the layers of proxies to reach it
Front-end nodes may be spread across multiple continents and time
zones, which makes tracking down a malicious web site (and
coordinating with every node's owner, ISP and jurisdiction) very
difficult
Cleaning one node changes nothing, since the domain simply stops
returning that address; take-downs have to target the domain name at
the registrar or the mothership itself
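The DNS behaviour described above is also what gives fast flux away: resolve the same name repeatedly and a flux domain returns many different addresses, spread across many networks, with tiny TTLs, while a normal site returns the same small set for hours. The script below is an added example for this lesson, not a tool or method from the lecture. The resolver log it works on is constructed (the twelve "front end" addresses are invented and the two domain names are documentation names), the /16 grouping is a stand-in for the ASN diversity a real pipeline would get from whois, and the thresholds in looks_fast_flux are my assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DnsAnswer:
    ts: int        # seconds since the start of the capture
    qname: str
    rdata: str     # the A record returned
    ttl: int


# Constructed flux pool (not real hosts): twelve compromised front ends, each in a different /16,
# the pattern seen when the nodes are home PCs on many different ISPs.
FLUX_POOL = ["61.24.9.10", "77.140.2.201", "98.203.14.6", "117.55.8.3", "151.66.9.210", "177.8.14.42",
             "186.25.130.7", "190.5.18.66", "200.73.14.9", "213.47.200.12", "222.130.7.5", "41.78.22.9"]


def build_observations() -> List[DnsAnswer]:
    """A constructed resolver log: both names looked up every 10 minutes for 100 minutes."""
    obs = []
    for i in range(10):
        t = i * 600
        start = (3 * i) % len(FLUX_POOL)
        # shop-login.example: three addresses per answer, a different three each time, TTL 180 s
        for ip in FLUX_POOL[start:start + 3]:
            obs.append(DnsAnswer(t, "shop-login.example", ip, 180))
        # www.example.net: the same two addresses every time, TTL one day
        for ip in ("203.0.113.10", "203.0.113.11"):
            obs.append(DnsAnswer(t, "www.example.net", ip, 86400))
    return obs


def flux_profile(obs: List[DnsAnswer], qname: str) -> Dict:
    """Summarize how one name's A records behaved across all the lookups in the log."""
    by_lookup = defaultdict(set)
    ttls = []
    for o in obs:
        if o.qname == qname:
            by_lookup[o.ts].add(o.rdata)
            ttls.append(o.ttl)
    snapshots = [by_lookup[t] for t in sorted(by_lookup)]
    distinct = set().union(*snapshots) if snapshots else set()
    nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in distinct}
    return {
        "lookups": len(snapshots),
        "distinct_ips": len(distinct),
        "distinct_slash16": len(nets),
        "changed_between_lookups": sum(1 for a, b in zip(snapshots, snapshots[1:]) if a != b),
        "min_ttl": min(ttls) if ttls else None,
    }


def looks_fast_flux(p: Dict, min_ips: int = 5, min_nets: int = 4, max_ttl: int = 300) -> bool:
    """Assumed thresholds: many addresses, in many networks, short TTL, and constant churn."""
    return (p["distinct_ips"] >= min_ips and p["distinct_slash16"] >= min_nets
            and p["min_ttl"] is not None and p["min_ttl"] <= max_ttl
            and p["lookups"] > 1 and p["changed_between_lookups"] >= p["lookups"] // 2)


if __name__ == "__main__":
    observations = build_observations()
    for name in ("shop-login.example", "www.example.net"):
        profile = flux_profile(observations, name)
        print(name, profile, "FAST FLUX" if looks_fast_flux(profile) else "normal")
```

The network-diversity test matters more than the address count: a content delivery network also answers with many low-TTL addresses, but they sit in a handful of the CDN's own allocations, whereas flux nodes are scattered over residential broadband blocks belonging to unrelated ISPs. In practice you would replace the /16 grouping with the RIR allocation or ASN from whois, and add the NS records to the profile to catch double flux.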
Fast Flux Malware
The End