Computer Forensics: Investigating Network Intrusions and Cyber Crime by EC-Council

Author: EC-Council
Language: English
Format: epub
Published: 2011-12-10T23:09:20+00:00


5-10

Chapter 5

Copyright © by

All rights reserved. Reproduction is strictly prohibited

Figure 5-3 This reverse trace can identify an attacker, even when using reflectors.

logs, an investigator can identify the various attacks that are generated by the attacker. By tracing packets, an investigator can follow the path a packet actually took; this involves reconfiguring routers and verifying their log information.

ICMP Traceback

ICMP traceback messages are used to find the source of an attack. The messages contain the following:

• Addresses of the router's previous and next hops

• Time stamp

• Role of the traced packet

• Authentication information

As packets pass along the network path from the attacker to the victim, routers on that path sample some of the packets and send ICMP traceback messages to the packets' destination. The victim may then hold enough messages to reconstruct the network path from the attacker to the victim. The drawback of this approach is that the attacker can also send forged traceback messages to mislead the victim.

The ICMP traceback message must be modified when reflectors are used in DDoS attacks. In Figure 5-3, attacker A3 sends TCP SYN segments to the reflector H3 with V as the spoofed source address. In response, H3 sends SYN ACK segments to the victim V. The reverse trace allows the victim to identify an attacking agent from the trace packets. This method identifies the attacking agents themselves rather than the reflectors.
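The following is an added example, not code from the book or from EC-Council, that models the traceback-message mechanism described above: routers that sample a packet emit a message naming their previous and next hop, a timestamp and the leading bytes of the traced packet, and the victim chains those messages backwards to recover the path. The message layout, the router names (R1, R2, R3), the keys and the HMAC-based authentication field are all assumptions made for the demonstration (the real ICMP traceback draft uses its own wire format); the forged message shows why the authentication field matters, since without it an attacker's bogus message could point the victim at an innocent host.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed demo keys. In practice each router holds its own secret and the
# verifying party obtains the corresponding verification material out of band.
ROUTER_KEYS: Dict[str, bytes] = {
    "R1": b"demo-key-r1",
    "R2": b"demo-key-r2",
    "R3": b"demo-key-r3",
}


@dataclass(frozen=True)
class TracebackMsg:
    """Simplified ICMP traceback message (hypothetical layout, not the draft wire format)."""
    router: str           # router that sampled the packet
    prev_hop: str         # hop the router received the packet from
    next_hop: str         # hop the router forwarded the packet to
    timestamp: int        # when the packet was sampled
    traced_packet: bytes  # leading bytes of the sampled packet, so the victim can match it
    auth: bytes           # authentication tag over all of the fields above


def _tag(key: bytes, router: str, prev_hop: str, next_hop: str,
         timestamp: int, traced_packet: bytes) -> bytes:
    fields = f"{router}|{prev_hop}|{next_hop}|{timestamp}|".encode() + traced_packet
    return hmac.new(key, fields, hashlib.sha256).digest()


def router_emit(router: str, prev_hop: str, next_hop: str,
                timestamp: int, traced_packet: bytes) -> TracebackMsg:
    """Message an honest router sends to the packet's destination for a sampled packet."""
    key = ROUTER_KEYS[router]
    return TracebackMsg(router, prev_hop, next_hop, timestamp, traced_packet,
                        _tag(key, router, prev_hop, next_hop, timestamp, traced_packet))


def forge(router: str, prev_hop: str, next_hop: str,
          timestamp: int, traced_packet: bytes) -> TracebackMsg:
    """Message an attacker without the router's key can produce: the tag is bogus."""
    return TracebackMsg(router, prev_hop, next_hop, timestamp, traced_packet, b"\x00" * 32)


def verify(msg: TracebackMsg, keys: Dict[str, bytes]) -> bool:
    """Accept a message only if its tag verifies under the claimed router's key."""
    key = keys.get(msg.router)
    if key is None:
        return False
    expected = _tag(key, msg.router, msg.prev_hop, msg.next_hop,
                    msg.timestamp, msg.traced_packet)
    return hmac.compare_digest(expected, msg.auth)


def reconstruct_path(msgs: List[TracebackMsg], keys: Dict[str, bytes],
                     victim: str) -> Tuple[List[str], int]:
    """Chain authentic messages backwards from the victim.

    Returns (path listed from the victim towards the attacker, number of rejected messages).
    """
    by_next_hop: Dict[str, TracebackMsg] = {}
    rejected = 0
    for m in msgs:
        if not verify(m, keys):
            rejected += 1
            continue
        by_next_hop[m.next_hop] = m
    path = [victim]
    last: Optional[TracebackMsg] = None
    cur = victim
    # Follow "who forwarded a packet to cur" until no authentic message answers that question.
    while cur in by_next_hop and by_next_hop[cur].router not in path:
        last = by_next_hop[cur]
        path.append(last.router)
        cur = last.router
    if last is not None:
        # The previous hop of the last traced router is the origin as far as the trace can see.
        path.append(last.prev_hop)
    return path, rejected


# Constructed scenario: A -> R1 -> R2 -> R3 -> V, plus one forged message from the attacker.
SAMPLE_PACKET = b"\x45\x00\x00\x28\x00\x01\x00\x00\x40\x06"  # constructed IPv4 header prefix
COLLECTED = [
    router_emit("R3", "R2", "V", 1000, SAMPLE_PACKET),
    router_emit("R2", "R1", "R3", 999, SAMPLE_PACKET),
    router_emit("R1", "A", "R2", 998, SAMPLE_PACKET),
    forge("R1", "innocent-host", "R2", 998, SAMPLE_PACKET),  # attacker tries to implicate someone else
]

if __name__ == "__main__":
    path, rejected = reconstruct_path(COLLECTED, ROUTER_KEYS, "V")
    print("path from victim:", " <- ".join(path), "| rejected messages:", rejected)
```

Because the forged message is discarded, the reconstructed path ends at A rather than at the innocent host the attacker named; with the `auth` field removed, the last message to arrive would win and the trace could be steered anywhere.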

Hop-by-Hop IP Traceback

Hop-by-hop IP traceback is a basic method for tracking and tracing attacks. This method is available for tracing large, continuous packet flows that are currently in progress, such as those generated by ongoing DoS packet flood attacks. In a DoS flood attack, the source IP addresses are typically spoofed, so tracing is required to find the true origin of the attack.

For example, assume that the victim of a flood attack has just reported the attack to his or her ISP. First, an ISP administrator identifies the ISP’s router closest to the victim’s machine. Using the diagnostic, debugging, or logging features available on many routers, the administrator can characterize the nature of the traffic and determine the input link on which the attack is arriving. The administrator then moves on to the upstream router.

The administrator repeats the diagnostic procedure on this upstream router, and continues to trace backward, hop-by-hop, until the source of the attack is found inside the ISP’s administrative domain of control (such as the IP address of another customer of the ISP) or, more likely, until the entry point of the attack into the ISP’s network is identified. The entry point is typically an input link on a router that borders another provider’s network. Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic must be notified and asked to continue the hop-by-hop traceback. Unfortunately, there is often little or no economic incentive for such cooperation between ISPs.
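The procedure described in the two paragraphs above, as an added example that is not part of the book: per-router interface counters stand in for the diagnostic and logging output an administrator would read, and the function walks upstream from the router nearest the victim, stopping either at a customer link inside the ISP's own domain or at the border link where the flood enters from another provider. The topology, router and interface names, the domain label `our-isp`, the provider name `provider-x`, the counter values and the packets-per-second threshold are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUR_ISP = "our-isp"  # hypothetical label for the ISP's own administrative domain


@dataclass(frozen=True)
class Interface:
    name: str         # interface identifier on this router
    peer: str         # device at the far end of the link
    peer_domain: str  # OUR_ISP, "customer", or the name of a bordering provider
    attack_pps: int   # packets/sec arriving on this input link that match the flood signature


@dataclass(frozen=True)
class Router:
    name: str
    interfaces: Tuple[Interface, ...]


def attack_input_link(router: Router, threshold: int) -> Optional[Interface]:
    """Pick the input link carrying the flood, or None if no link exceeds the threshold."""
    best = max(router.interfaces, key=lambda i: i.attack_pps)
    return best if best.attack_pps >= threshold else None


def hop_by_hop_traceback(routers: Dict[str, Router], start: str, threshold: int = 1000,
                         max_hops: int = 32) -> Tuple[List[Tuple[str, str]], Tuple[str, str]]:
    """Walk upstream from `start`, one router at a time, following the attack's input link.

    Returns (trail of (router, input interface) visited, outcome).  Outcomes:
      ("origin", host)      the flood enters on a customer link inside our domain
      ("entry-point", desc) the flood enters on a link bordering another provider
      ("lost", router)      no input link on this router carries the flood
      ("no-data", router)   the upstream device is not one we can inspect
      ("loop", router) / ("max-hops", router)  safety stops
    """
    trail: List[Tuple[str, str]] = []
    visited = set()
    cur = start
    for _ in range(max_hops):
        if cur in visited:
            return trail, ("loop", cur)
        if cur not in routers:
            return trail, ("no-data", cur)
        visited.add(cur)
        link = attack_input_link(routers[cur], threshold)
        if link is None:
            return trail, ("lost", cur)
        trail.append((cur, link.name))
        if link.peer_domain == "customer":
            return trail, ("origin", link.peer)
        if link.peer_domain != OUR_ISP:
            return trail, ("entry-point", f"{cur}/{link.name} from {link.peer_domain}")
        cur = link.peer  # next hop upstream, still inside our domain
    return trail, ("max-hops", cur)


# Constructed network: the flood enters at border1 from a neighbouring provider and
# flows border1 -> core2 -> core1 -> edge1 -> victim.  Small counts are background noise.
NETWORK: Dict[str, Router] = {
    "edge1": Router("edge1", (
        Interface("ge-0/0/0", "victim", "customer", 0),      # flood leaves here; nothing arrives
        Interface("ge-0/0/1", "core1", OUR_ISP, 48000),
        Interface("ge-0/0/2", "customer-b", "customer", 40),
    )),
    "core1": Router("core1", (
        Interface("xe-1/0/0", "edge1", OUR_ISP, 120),
        Interface("xe-1/0/1", "core2", OUR_ISP, 47500),
        Interface("xe-1/0/2", "customer-c", "customer", 500),  # below threshold
    )),
    "core2": Router("core2", (
        Interface("xe-2/0/0", "core1", OUR_ISP, 90),
        Interface("xe-2/0/1", "border1", OUR_ISP, 47000),
    )),
    "border1": Router("border1", (
        Interface("xe-3/0/0", "core2", OUR_ISP, 30),
        Interface("xe-3/0/1", "peer-router", "provider-x", 46800),  # bordering provider's link
    )),
}

if __name__ == "__main__":
    trail, outcome = hop_by_hop_traceback(NETWORK, "edge1")
    for router, iface in trail:
        print(f"{router}: flood arriving on {iface}")
    print("outcome:", outcome)
```

With these counters the walk ends with an `entry-point` outcome at `border1/xe-3/0/1`; from there the book's point applies directly, since the next hop belongs to `provider-x` and the trace can only continue if that provider agrees to repeat the procedure on its side.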

Limitations of Hop-by-Hop IP Traceback

Hop-by-hop IP traceback has several limitations, such as the following:

• Traceback to the origin of an attack fails if cooperation
