How do security experts determine the source of a cyber-attack?
January 12, 2010 8:27 PM

There's been a lot of news lately about cyber-attacks out of China. Given how easy it is to conceal the source of an intrusion (e.g., by tunneling through compromised machines in a dozen different countries), how do security experts determine the source of such attacks? Specifically looking for technical answers; I assume some of it is old-fashioned detective work ("who has a motive to break into Free Tibet mailboxes?").
posted by qxntpqbbbqxl to Computers & Internet (13 answers total)
 
Not all hackers are smart enough to cover up their tracks. And compromised machines can in turn be compromised again.
posted by Chocolate Pickle at 9:13 PM on January 12, 2010


I imagine there are steps during which the ping-time becomes obvious; that probably helps determine if it is domestically sourced.
posted by gensubuser at 9:23 PM on January 12, 2010


There's a bunch of things you could use. An admin has no problem tracking the source and destination of every packet going into or coming out of the machine. Netstat can do that, as can Wireshark. You could also jigger up iptables to do some of this. If you own the network, you can also place capture points on the box that feeds the compromised machine the network connection (the router or switch) and can thus trap every packet before it goes into the box or after it leaves, making your counter-spying transparent. The admin of a compromised box has all the advantages as he owns the surrounding network too. Admins can also use the attacker's bag of tricks against them by customizing the attacker's tools (essentially creating trojans).

All you really need to determine point of origin is the IP address, usually.

There are plenty of stories out there about capturing attackers. Google can find them for you.
posted by chairface at 9:47 PM on January 12, 2010


For a good read, try Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It. It's full of details and techniques.
posted by exphysicist345 at 10:00 PM on January 12, 2010


"All you really need to determine point of origin is the IP address, usually"

It's not hard to route an attack through multiple previously-compromised machines, for just this reason. Cliff Stoll describes this in The Cuckoo's Egg, for example, and that's from 1989.
posted by hattifattener at 10:57 PM on January 12, 2010


The question mentions, "(e.g., by tunneling through compromised machines in a dozen different countries)", so we have that covered.

I have no inside information, but I would guess that the "from China" mentions are simply based on the IPs of the machines from which the attacks were launched. I find it highly unlikely that Google would be able to unwind a path through compromised machines. That level of access to logs, which may not even exist, at random ISPs in random jurisdictions would be incredibly hard to come by. Tracing the path by "re-compromising" the machines along it is a possibility, but that would also be very difficult, and a sophisticated attacker could harden the machines after compromising them, making "re-compromise" impossible.

If the attacks are coming from machines in China, there are two possibilities:

1) The attackers are in China. Perhaps they don't care whether they're traced. If they're sponsored by the government, well, they're not going to get in trouble with any authorities there. And the Chinese government can always pull out the "compromised machines" and foreign agents defense with plausible deniability. Or perhaps they're not competent enough to route everything through a chain of compromised machines, so they do things directly.

2) Non-Chinese attackers have been repeatedly framing China by launching attacks from compromised machines in China.

I'd say 1 is more likely.
posted by whatnotever at 12:10 AM on January 13, 2010


I'd note that "Takedown" is of questionable informational value.
posted by Pronoiac at 2:10 AM on January 13, 2010


"All you really need to determine point of origin is the IP address, usually."

Which will likely be spoofed if you're being hit with a UDP flood.
posted by one more dead town's last parade at 6:18 AM on January 13, 2010


On second thought, that's more a denial-of-service tactic. Still, the point above stands. And I wonder how feasible it is to remotely control an intermediate attacking machine with UDP packets and thereby avoid revealing your actual location.
posted by one more dead town's last parade at 6:21 AM on January 13, 2010


"The point above" being not my point, but the one about routing the attack through other compromised machines.

I think I need to go make some coffee before talking any more about computers.
posted by one more dead town's last parade at 6:23 AM on January 13, 2010


Many attacks these days involve a combination of software vulnerability and social engineering, making it likely that crackers will stay within their social backyard. Bad cross-cultural pitches tend to raise red flags.
posted by KirkJobSluder at 7:41 AM on January 13, 2010


"I find it highly unlikely that Google would be able to unwind a path through compromised machines. That level of access to logs, which may not even exist, at random ISPs in random jurisdictions would be incredibly hard to come by."

You don't need to access the actual compromised machine, just the network surrounding it, which belongs to the ISP. With a little bit of skill you can easily correlate Google-bound traffic with attacker-bound traffic without ever touching the actual compromised proxy host. A corporation the size & influence of Google would have little trouble gaining the cooperation of most ISPs up to the final leg in China. Some of them will require law enforcement involvement but many won't. Logging & monitoring capabilities will be uneven depending on the ISP but with enough traffic what you miss at one connection you can pick up at another. The network is everything; own the network, own the system.
posted by scalefree at 11:51 PM on January 13, 2010
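
The traffic correlation described in the comment above, as an added example that is not part of the original thread: given packets seen at a capture point next to a relay host, score each upstream sender by how often its packets are followed, within a short delay, by relay-to-victim packets. All addresses, the packet log, and the function names are constructed for illustration.

```python
from collections import defaultdict

RELAY = "198.51.100.7"    # constructed: the compromised proxy host
VICTIM = "203.0.113.10"   # constructed: the attacked service

# Constructed packet log from a tap beside the relay: (time_s, src, dst, bytes)
PACKETS = [
    (0.00, "192.0.2.44", RELAY, 120), (0.04, RELAY, VICTIM, 118),
    (0.50, "192.0.2.99", RELAY, 900),
    (1.30, "192.0.2.44", RELAY, 64),  (1.35, RELAY, VICTIM, 66),
    (2.10, "192.0.2.99", RELAY, 900),
    (3.70, "192.0.2.44", RELAY, 300), (3.76, RELAY, VICTIM, 298),
    (4.20, "192.0.2.99", RELAY, 900),
    (6.05, "192.0.2.44", RELAY, 80),  (6.09, RELAY, VICTIM, 82),
    (7.90, "192.0.2.99", RELAY, 900), (8.40, RELAY, VICTIM, 75),
]

def correlate_upstreams(packets, relay, victim, max_delay=0.2):
    """Score each host sending to the relay by the fraction of relay->victim
    packets that follow one of its packets within max_delay seconds."""
    inbound = defaultdict(list)   # upstream host -> packet times toward relay
    outbound = []                 # times of relay -> victim packets
    for ts, src, dst, _size in packets:
        if src == relay and dst == victim:
            outbound.append(ts)
        elif dst == relay:
            inbound[src].append(ts)
    scores = {}
    for host, times in inbound.items():
        matched = sum(
            1 for out_ts in outbound
            if any(0 <= out_ts - in_ts <= max_delay for in_ts in times)
        )
        scores[host] = matched / len(outbound) if outbound else 0.0
    return scores

def likely_upstream(packets, relay, victim, threshold=0.7):
    """Return the best-scoring upstream host, or None if none clears threshold."""
    scores = correlate_upstreams(packets, relay, victim)
    if not scores:
        return None
    host = max(scores, key=scores.get)
    return host if scores[host] >= threshold else None

if __name__ == "__main__":
    print(correlate_upstreams(PACKETS, RELAY, VICTIM))
    print(likely_upstream(PACKETS, RELAY, VICTIM))
```

A high score is an investigative lead for the next hop, not proof of origin. A relay that batches or delays its forwarding will fall outside a fixed delay window.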


Tracking GhostNet (scribd, PDF, long, detailed) has some of the details on this kind of thing and how they trace 'control' servers back to Chinese sources.

The writeup on Titan Rain also mentions how the primary researcher found "... the attacks emanated from just three Chinese routers", and how he subsequently went on to infect their routers so he could keep an eye on them.
posted by bhance at 10:39 AM on January 15, 2010

