
If you wanted to trace an IP address because that IP Address was the source of attacks and abuse, how would you accomplish this? Is there anything one can do to find who is using a given IP address and furthermore is there anything that can be done to stop it?

Update: The destination (where the server is) is in the USA. The source indicates that it is also USA but like someone suggested, the IP Address is likely spoofed... I'm still open to further input/details...

Thanks,
Frank

Frank V
  • Good question - filing useful abuse reports is a Very Good Thing to Do. Often the "attacker" will be a malware-infected PC and the person running the source network won't even know there's a problem -- until you tell them, via an abuse report. – Ben Dunlap Jun 18 '09 at 23:58

6 Answers

If you've got a non-Windows machine, whois <ip> is your first step. This will tie the IP to a network and possibly even supply you with an 'abuse' contact, usually an email address. You can email an abuse report there. You can also try nslookup <ip> to get a domain name, and look that up on abuse.net.

If you're running Windows start with ARIN's web whois. That may lead you to another web whois service if the IP address is not located in the USA.

Ben Dunlap
  • yes regarding the abuse, be sure to log a UTC time that you saw that particular ip address active so they can trace dhcp lease times if possible – Brendan Jun 19 '09 at 03:17
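Putting the answer and Brendan's comment together (whois for the abuse contact, a UTC timestamp in the report), as an added shell example that is not part of Ben's answer or the original thread. The whois text below is a constructed sample in ARIN format; a live run pipes the output of `whois "$IP"` into the same functions, and `dig -x "$IP" +short` gives the reverse name if you want to include it in the report.

```shell
#!/bin/sh
# Added example, not from the original answers: turn whois output into an
# abuse contact and draft a report that records the UTC time of the activity.

# Print the abuse mailbox(es) found in whois text read from stdin.
# Covers the ARIN field (OrgAbuseEmail:) and the RIPE/APNIC field (abuse-mailbox:).
abuse_contacts() {
    grep -iE '^(OrgAbuseEmail|abuse-mailbox):' \
        | sed -E 's/^[^:]*:[[:space:]]*//' \
        | sort -u
}

# Print the first netblock line (ARIN NetRange: or RIPE inetnum:) from whois text on stdin.
netblock() {
    grep -iE '^(NetRange|inetnum):' \
        | head -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//'
}

# Current time in UTC, the timezone the ISP needs to match DHCP lease records.
utc_now() {
    date -u '+%Y-%m-%d %H:%M:%S'
}

# Draft an abuse report for IP $1 observed at UTC time $2 ("YYYY-MM-DD HH:MM:SS"),
# appending evidence lines read from stdin (your own server log excerpt).
build_report() {
    ip=$1
    when_utc=$2
    printf 'Subject: Abuse report for %s (observed %s UTC)\n\n' "$ip" "$when_utc"
    printf 'The host %s sent the following traffic to our server at %s UTC.\n' "$ip" "$when_utc"
    printf 'Please identify the customer holding this address at that time.\n\n'
    printf 'Evidence (server log excerpt, times are UTC):\n'
    cat
}

# Constructed sample whois output (ARIN style, documentation range 192.0.2.0/24).
# For a live lookup use:  whois "$IP" | abuse_contacts
SAMPLE_WHOIS='NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgName:        Example Network Operator (constructed sample)
OrgAbuseHandle: ABUSE-EX
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net'

# Constructed sample evidence line, as a server log would record it (UTC).
SAMPLE_LOG='2009-06-18 23:58:01 UTC sshd: Failed password for root from 192.0.2.44 port 51234'

# Usage: the demo runs on the constructed sample; swap in live whois output and your real log.
IP=192.0.2.44
echo "Netblock : $(printf '%s\n' "$SAMPLE_WHOIS" | netblock)"
echo "Abuse to : $(printf '%s\n' "$SAMPLE_WHOIS" | abuse_contacts)"
printf '%s\n' "$SAMPLE_LOG" | build_report "$IP" "2009-06-18 23:58:01"
```

The report deliberately carries only facts the ISP can act on (the address, the UTC time, the raw log lines); `utc_now` is there for the case where you write the report while the activity is still in progress, otherwise take the timestamp from the log line itself.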

The ISP that owns the IP is the only group that really know the identity of the person registered to an IP. The best info you can hope for is what you can get from dnsstuff.

If the matter is serious and you want something done about it, then your only option would be to report it to the police.

You could drop everything from that IP address in your firewall, which might help for a little while, but chances are if they are a decent cracker, they will be bouncing through proxies, and will just come in from a different angle.

If they are just probing for information, don't worry too much. Make sure your applications and OS are patched. If it is something more malicious like a DDoS attack, then there are firewalls that are able to stop them, I'm not familiar with them myself though. If they have already got in, then do a search here. I saw something a couple of days ago about how to recover from an intrusion.

resonator
  • I would hold off on talking to law enforcement until I was *really* sure this was a targeted attack. Much malicious activity online is automated and comes from Uncle Bill's infected home PC. – Ben Dunlap Jun 19 '09 at 00:21

Depending on the attack, (DoS, certain port scans, etc), the IP Address will most likely be spoofed. And, as others have already stated, even if you do get a valid (non-spoofed) IP, most likely the end host is a compromised machine that is being used as a stepping stone/ relay.

Also, never "hack-back". This is unethical, most likely illegal where you live, and doesn't help the situation in the least.

Anapologetos

Josh Brower

First step - use WHOIS to find out where the offending IP is; that'll get you a country, ISP/registrar, or even a business address, if you're lucky.

RainyRat

To stop attacks, just firewall the IP address as far "upstream" in your network as you can (at your border). To track down the "user" of an IP address, I generally use:

  • dig -x <IP> to get an idea of what the IP address might be (DSL, dialup, dynamic vs static IP, or even an honest-to-goodness colo box);
  • whois <IP> to find out who the responsible entity is for the netblock (should contain contact details if you want to report the abuse and try to get it stopped at its source)
  • One thing I never do is use nmap on an IP address to get an idea of the OS and services running on the machine to see if I can remotely access it or crash it to stop the abuse. That would be naughty.
womble

When tracking bad stuff back to its source I always start with a web based whois lookup. I don't want any queries that appear to come from my address block going anywhere near the attack. My favorite is Network Solutions lookup: http://www.networksolutions.com/whois/index.jsp, and then I work back through the providers as appropriate to find the ISP that owns the address.

What next steps you take are really dependent on the type of attacks/abuse you're seeing. You could block attacks at your border, cut off the user's account (if they have one with you), you could email the ISP's abuse line and provide them data on the attacks (times, netflows, etc.) and let them cut them off, and in cases of criminal activity you could call the police.

I think it's worth pointing out here that in cases where you think you might call the cops, if the ISP is across state lines the FBI won't really be interested unless there are SIGNIFICANT financial losses. If you're dealing within a state, incidents like stalking or kiddie porn can be taken to the local police though.

Bob