
How to back trace the real attacker in LAN?

Jerryleo asked:
Some machines are under attack from another subnet. I can only back trace the attacker to the gateway. How can I back trace the real attacker?

My environment:

All the machines in the LAN use Win 9x.
The gateway uses Win 2000.

CERTIFIED EXPERT

Commented:
check ogs on gateway

Author

Commented:
I am sorry. Is it ogs or logs?

The gateway is a machine that runs Windows 2000 Advanced Server. How do I check it, or make a log to back trace?

Could you give me detailed guidance?

Thanks!
CERTIFIED EXPERT

Commented:
logs.

Well, Win2k has one of these nice click&type GUIs, so the Event Viewer may be the program of your choice.
You also may increase the amount of information sent to the event logger somewhere (sorry, forgot how to do that, 'cause I have no mouse).

Author

Commented:
Thanks very much!

The attack is an IGMP attack, called an SXE attack. How do I set the log options or audit rules to trace it?
CERTIFIED EXPERT

Commented:
try Start->Settings->Control Panel->Administrative Tools->System Monitor
(IIRC, in English for Win2k)
Commented:
Hi, I really hope you are firewalling your NT server. Is this a home machine or a corporate machine? I would recommend using an IDS product such as Snort or ISS RS.
You need to verify the source IP and who it belongs to; try these tools:
http://www.eye-net.com.au/itools/inetnum.php and report it to the ISP. However, because IGMP is part of IP (layer 3) it is easy to spoof the source IP address, and because this is a denial of service attack there is probably no need for two-way communication.
I would ask the ISP to block IGMP, and even multicast addresses if you do not need multicast.
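As an added example (not from either expert in this thread), a small Python detector that does what an IDS rule would do for the IGMP flood discussed above: parse IPv4/IGMP packets from a capture, bucket them per claimed source per second, and flag sources above a rate threshold. The packets, addresses and threshold are constructed for the demonstration; as the comments note, the flagged address is only the claimed source, because IGMP carries no handshake and can be spoofed.

```python
"""Rate-based detector for an IGMP flood, run over constructed IPv4 packets."""
import struct
from collections import Counter
from ipaddress import IPv4Address

IGMP_PROTO = 2  # IPv4 protocol number for IGMP

def build_ipv4_igmp(src, dst, igmp_type=0x11, ttl=1):
    """Build a minimal IPv4 packet carrying an 8-byte IGMPv2 header.
    Used only to generate sample traffic here; checksums are left zero."""
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, IPv4Address(dst).packed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, ttl,
                     IGMP_PROTO, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + igmp

def parse_igmp(pkt):
    """Return (src, dst, igmp_type) for a well-formed IPv4/IGMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if pkt[9] != IGMP_PROTO or len(pkt) < ihl + 8:
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    return src, dst, pkt[ihl]  # first IGMP byte is the message type

def detect_igmp_flood(packets, window_s=1.0, threshold=50):
    """packets: iterable of (timestamp_seconds, raw_bytes). Returns
    {claimed_src: peak packets per window} for sources above the threshold.
    The key is only the *claimed* source: IGMP is plain layer-3 traffic with
    no handshake, so the address in a flood may well be spoofed."""
    buckets = Counter()
    for ts, raw in packets:
        parsed = parse_igmp(raw)
        if parsed is not None:
            buckets[(parsed[0], int(ts // window_s))] += 1
    peak = {}
    for (src, _), n in buckets.items():
        if n > threshold:
            peak[src] = max(peak.get(src, 0), n)
    return peak

def sample_capture():
    """Constructed capture: 10.0.1.5 sends ordinary membership reports (2/s),
    while claimed source 10.0.2.200 floods queries at 200 packets/s for 2 s."""
    pkts = [(t * 0.5, build_ipv4_igmp("10.0.1.5", "224.0.0.1", 0x16)) for t in range(4)]
    pkts += [(i / 200, build_ipv4_igmp("10.0.2.200", "10.0.1.10")) for i in range(400)]
    return pkts
```

Run against a real capture by feeding (timestamp, raw IPv4 bytes) pairs from the gateway; the result tells you which claimed source to check at the upstream hop, not who the attacker is.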

Author

Commented:
Thanks and sorry for leaving it hanging a long time.
