
Excuse the naive question (I'm more of a dev than a web-sec person).

In the past I've had webservers hacked and usually I've traced it to some random machines which seem to have been compromised (I assume part of a botnet etc. trying to find a way to add my server to the network).

I've always kinda left it there after reviewing the logs and realising nothing too bad was done and the exploit was now patched.

But I've often wondered, what if I needed to identify the threat? Could I go to the authorities? What could they actually do? If it was Hollywood dreamland they'd have a big map up on a wall-sized screen and in seconds they'd route through all of the proxies and find the source...

As far as I can work out this isn't possible unless you either had 100% access to every ISP in real time, OR you were back-hacking every proxy with whatever exploit and following the incoming connections, OR it was done via the Tier 1 exchanges? All of which are no small tasks.

Is that about the size of it?

Alex

2 Answers


You have pretty much hit the nail on the head, which is why for most organised crime online the key is to follow the money, which is much more traceable.

Depending on paranoia level an attacker could route through multiple proxies, use Tor or other anonymising tools and generally obfuscate to whatever degree they want, and whilst some ISPs will cooperate, a canny attacker will route through countries where they won't.

Have a look at the question on Anonymous and Lulzsec - Why is it difficult to catch "Anonymous" or "Lulzsec" (groups)?

Rory Alsop

  • Thanks for the link. I'm going to keep this question open for a while, hopefully to get some more opinions, but I guessed it was basically possible, but only if it really, really mattered to the authorities, and certainly not simple. – Alex May 19 '12 at 14:12

If attackers use anonymity tools such as Tor, it's exceedingly difficult to trace them back to the person performing the attack, especially after the fact. Think of Tor like a big encrypted mesh, where connections are routed through a random path of multiple nodes. At no point does any one node know both the source IP and target IP.

Attacks against such anonymity networks are complex and require a lot of privileged access to ISP logs and other such resources, so unless you've had significant losses the authorities aren't likely to make the effort.

Things get even more difficult when you're dealing with an attacker that uses Tor to control a horde of compromised computers in a botnet. These machines may be in different countries, with different privacy and computer security laws. Getting access to the data and/or logs on these machines can prove to be a bureaucratic nightmare.

In general, when the authorities investigate attacks, they'll look for something other than the digital trail. It's much easier to catch people by their actions on social media sites, or via paper trails when money is transferred around.

My advice, if you've not lost much in the way of revenue, is to forget about pursuing the attacker and instead focus your time/money into working out how they got in, and how to prevent it happening again.

Now would be a good time to undergo a security review. Here's some stuff you should double-check is being done properly:

  • The usual security measures: change SSL port, no root login, use client certs, enforce strong passwords, etc.
  • Updates (OS, software packages, IDS/IPS, firewall, AV, etc.)
  • Security monitoring and alerting, with logs being backed up remotely.
  • IPS/IDS/firewall in the right places.
  • DMZ set up between internet-facing services and your internal network.
  • AV software on any user machines.
  • Proper user account management.
  • Security policy.
  • Event response policies.

It'll be far more cost-effective to focus on preventing future attacks than it will be to go chasing ghosts.

Polynomial

  • Thanks for the response. I'm even more fascinated by this than I was when I posted. I just can't believe that such a huge flaw in the internet allows 'true anonymity'. – Alex May 22 '12 at 05:02
  • @Alex It's not really a flaw, because there's no way to enforce identity. Even if you found a way to strongly tie the concept of identity (personal or corporate) to an Internet address, there will still be people who share that address with others, whether by running proxies, operating a Tor node, or just by having botnet malware on their computer. The identity tied to the address then becomes useless, because you can only identify the legally sanctioned operator of the address, not the real person sending the traffic. – Polynomial May 22 '12 at 05:42
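To make the answer's point that "at no point does any one node know both the source IP and target IP" concrete, here is an added Python simulation of onion-routed forwarding (it is not code from the answer or from the Tor project): the client wraps a message in one encryption layer per relay, and each relay can peel only its own layer, so its log shows just the previous and next hop. It assumes pre-shared per-relay keys and a toy XOR keystream in place of Tor's real cryptography and circuit setup; relay names, keys and the client IP are constructed sample values.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for Tor's real per-hop encryption:
    XOR with a SHA-256 keystream. Symmetric, so it both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(path, dest: str, msg: bytes) -> bytes:
    """Client wraps msg in one layer per relay, innermost (exit) first.
    path: list of (relay_name, key shared between client and that relay)."""
    inner, next_hop = msg, dest
    for name, key in reversed(path):
        # Each layer tells exactly one relay where to send the still-encrypted inner cell.
        inner = xor_stream(key, next_hop.encode() + b"\x00" + inner)
        next_hop = name
    return inner  # the cell handed to the first relay

def relay(name: str, key: bytes, prev_hop: str, cell: bytes, log: list):
    """One relay peels its own layer. It learns only prev_hop and next_hop."""
    next_hop, inner = xor_stream(key, cell).split(b"\x00", 1)
    log.append({"relay": name, "from": prev_hop, "to": next_hop.decode()})
    return next_hop.decode(), inner

def run_circuit(client: str, path, dest: str, msg: bytes):
    """Forward the onion hop by hop; returns the plaintext delivered to dest
    and each relay's view of the traffic (all a request to that relay's logs could yield)."""
    keys, log = dict(path), []
    cell, prev, hop = build_onion(path, dest, msg), client, path[0][0]
    while hop != dest:
        hop_next, cell = relay(hop, keys[hop], prev, cell, log)
        prev, hop = hop, hop_next
    return cell, log

def any_relay_sees_both(log: list, client: str, dest: str) -> bool:
    """True if a single relay's view links the client to the destination."""
    return any(e["from"] == client and e["to"] == dest for e in log)

# Constructed sample: three relays with pre-shared keys, a documentation-range client IP.
PATH = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
CLIENT, DEST = "203.0.113.7", "example.com"

if __name__ == "__main__":
    delivered, log = run_circuit(CLIENT, PATH, DEST, b"GET / HTTP/1.0")
    print(delivered)  # b'GET / HTTP/1.0'
    print(log)        # guard: client->middle, middle: guard->exit, exit: middle->example.com
    print(any_relay_sees_both(log, CLIENT, DEST))  # False
```

Only the exit relay sees the destination and only the guard sees the client, which is why an investigator would need logs from every relay on the path, correlated in time, rather than any single one.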