
I want to genuinely trace and identify computers connecting to my server with malicious intent. I am quite new to the networking world. That is, trace a malicious IP back to the actual computer.

I wanted first to track the MAC address. But this was not possible because I can basically only get the MAC address locally. I thought of something like nesting ARP requests, spoofing the router address from the previous one to send an ARP request to the next hop. But I am not even sure whether this is possible. It looks impossible.

I tried to get the geographical location, but this was useless because the coordinates I get are those of the city, meaning I basically can't know the precise coordinates.

With a public IP, how could I trace a computer? I am looking for ideas, or forensic tools. Anything that allows me to get additional information about the attacker beyond the basic traceroute information will be helpful.

Anders
eskoba
  • What you want isn't really possible, because networks aren't geographically structured. With some atypical routing, there's absolutely no reason that the same IP block can't be located physically in both New York and California. This is why law enforcement needs to subpoena the ISP connected with the IP address. The ISP knows who they assigned which IP to, and will be able to narrow it down to a subscriber. – Devin R Feb 16 '17 at 14:00
  • @DevinR thanks for your answer. I understand the difficulty involved. That is why I am bringing it also for discussion. The issue here is that you really don't get help from the ISPs for such real-time forensics. IP addresses don't help in case you want, for instance, to block the attacker. So we have to find a way. – eskoba Feb 16 '17 at 14:23
  • Why do you want to identify the actual computer attacking your network? Moreover, what are you going to do once you find it? If you simply want to block the attack, it's not at all necessary to locate the computer. On the other hand, if you want to hack back, please keep in mind that this is illegal in many (if not all) jurisdictions, even if that computer attacked you first. – A. Darwin Feb 16 '17 at 14:56

1 Answer


Unless you are a nation state, you can give up.

The only one who knows where a particular IP leads at a particular time is the ISP that controls that block. And the ISP is not likely to give you that information unless you have a court order. Tracking down attackers is usually useless anyway. Any attacks you find in your logs probably belong to an infected computer in a botnet, a VPN, or a Tor exit node.

IT security is a defensive sport. Make sure that the attacks fail by hardening your system, and don't bother with trying to find attackers or retaliate. If you want to be on the offense, I recommend contacting the police, but they are unlikely to care.

Anders
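The practical counterpart to the answer above (and to A. Darwin's comment that blocking an attack does not require locating the machine) is to act on what the logs actually give you: the source address and the timing of the failures. The following is an added example, not code from the original post or answer. It parses a handful of constructed sshd log lines (documentation-range IPs, not real attackers), applies a sliding-window threshold per source address, and emits nftables commands that add each offender to a timed blocklist. The set name `blocklist` in table `inet filter` with `flags timeout` is an assumption; you would create it once beforehand (`nft add set inet filter blocklist '{ type ipv4_addr; flags timeout; }'`). The timeout exists for the reason the answer gives: the address is probably a bot, VPN or Tor exit node, so a permanent block mostly punishes whoever gets that address next.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log lines (not from the original post). The addresses
# are from RFC 5737 documentation ranges, so they cannot point at a real host.
SAMPLE_AUTH_LOG = """\
Feb 16 14:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Feb 16 14:00:03 web1 sshd[2202]: Failed password for invalid user oracle from 203.0.113.45 port 51130 ssh2
Feb 16 14:00:04 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51141 ssh2
Feb 16 14:00:06 web1 sshd[2204]: Failed password for invalid user test from 203.0.113.45 port 51150 ssh2
Feb 16 14:00:09 web1 sshd[2205]: Failed password for invalid user pi from 203.0.113.45 port 51162 ssh2
Feb 16 14:01:10 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Feb 16 14:01:20 web1 sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 40113 ssh2
Feb 16 14:30:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 60001 ssh2
Feb 16 14:31:00 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 60002 ssh2
Feb 16 14:32:00 web1 sshd[2302]: Failed password for root from 192.0.2.9 port 60003 ssh2
Feb 16 14:33:00 web1 sshd[2303]: Failed password for root from 192.0.2.9 port 60004 ssh2
Feb 16 14:34:00 web1 sshd[2304]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

# Matches the standard OpenSSH "Failed password" line; successful logins and
# unrelated daemons do not match and are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: [sorted datetimes]} for every failed-password line.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    the relative arithmetic below as long as the log does not cross a year boundary.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    for times in failures.values():
        times.sort()
    return dict(failures)


def find_offenders(log_text, threshold=5, window_seconds=60):
    """Return the set of source IPs with >= threshold failures inside any
    window of window_seconds. A slow brute force spaced wider than the window
    is NOT caught, which is why the window size matters (see the usage below)."""
    window = timedelta(seconds=window_seconds)
    offenders = set()
    for ip, times in parse_failures(log_text).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def nft_block_commands(offenders, timeout="1h"):
    """nft commands adding each offender to the (assumed) timed set
    'blocklist' in table 'inet filter'. The entries expire on their own."""
    return [
        f"nft add element inet filter blocklist {{ {ip} timeout {timeout} }}"
        for ip in sorted(offenders, key=ip_address)
    ]


if __name__ == "__main__":
    # A 60 s window catches the fast scanner only; a 10 min window also
    # catches the one-attempt-per-minute brute force against root.
    fast = find_offenders(SAMPLE_AUTH_LOG, window_seconds=60)
    slow = find_offenders(SAMPLE_AUTH_LOG, window_seconds=600)
    print("60 s window: ", sorted(fast))
    print("600 s window:", sorted(slow))
    for cmd in nft_block_commands(slow):
        print(cmd)
```

Note that `198.51.100.7` (one typo, then a successful key login) is never blocked, and that the rules are printed rather than executed: review the output before piping it into a root shell, because a bug in the parser is itself a denial-of-service against your own users.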