Solved

How can you track the path an external user took to enter your network?

Posted on 2006-11-16
5
228 Views
Last Modified: 2010-04-11
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!
0
Question by:agcsupport
5 Comments
 
LVL 8

Expert Comment

by:netmunky
ID: 17957890
Using a packet inspection tool such as Wireshark, you should be able to inspect the TCP/IP packets as they come in and determine which router is sending the packets to the FTP server. Or you can check your ARP tables and see which router matches the ARP entry for the attacker's IP address.

From there you may be able to check xlate tables, etc., depending on how your network is set up. If all else fails, a monitor port and tcpdump/Wireshark can be used on the router to again inspect the TCP/IP packets to determine the source router and follow it up the line. Methods for tracking packets through routers are dependent on your hardware and software revision(s).
0
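A worked version of the suggestion above, added here as an example and not part of the original thread: it parses constructed `tcpdump -e -n` lines and a constructed ARP table (hypothetical MAC and gateway IP values; the attacker address is a constructed sample inside the 61.177.x.x range from the question) and reports which gateway's MAC is delivering the attacker's frames, i.e. whether they arrive from the Internet router or the frame-relay router.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n` output captured on the FTP server's interface.
# MACs, gateway IPs and the attacker address are hypothetical values for this example.
TCPDUMP_LINES = """\
01:12:04.112233 00:11:22:aa:bb:01 > 00:0c:29:de:ad:01, ethertype IPv4 (0x0800), length 74: 61.177.10.20.4321 > 10.1.1.5.21: Flags [S], seq 1
01:12:04.119000 00:11:22:aa:bb:01 > 00:0c:29:de:ad:01, ethertype IPv4 (0x0800), length 74: 61.177.10.20.4322 > 10.1.1.5.21: Flags [S], seq 2
01:12:05.000000 00:11:22:aa:bb:02 > 00:0c:29:de:ad:01, ethertype IPv4 (0x0800), length 74: 198.51.100.9.5555 > 10.1.1.5.21: Flags [S], seq 3
"""

# Constructed ARP table (as printed by `arp -an`): 10.1.1.1 is the Internet router,
# 10.1.1.2 the frame-relay router in this hypothetical layout.
ARP_LINES = """\
? (10.1.1.1) at 00:11:22:aa:bb:01 [ether] on eth0
? (10.1.1.2) at 00:11:22:aa:bb:02 [ether] on eth0
"""

FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]{17})")


def parse_arp(text):
    """Map each MAC in the ARP table to the router IP that owns it."""
    return {m["mac"].lower(): m["ip"] for m in ARP_RE.finditer(text)}


def source_macs(text, src_ip):
    """Count which source MACs delivered frames whose IP header claims src_ip."""
    counts = Counter()
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m and m["sip"] == src_ip:
            counts[m["smac"].lower()] += 1
    return counts


def find_ingress_router(tcpdump_text, arp_text, attacker_ip):
    """Return (router_ip, mac, frame_count) for the gateway forwarding the attacker's packets."""
    counts = source_macs(tcpdump_text, attacker_ip)
    if not counts:
        return None
    mac, n = counts.most_common(1)[0]
    return parse_arp(arp_text).get(mac, "unknown"), mac, n


if __name__ == "__main__":
    print(find_ingress_router(TCPDUMP_LINES, ARP_LINES, "61.177.10.20"))
```

The source MAC is the last-hop router, not the attacker, so the MAC-to-router mapping tells you which entry point (Internet or frame relay) to investigate next.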
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17958716
Public IPs are routable on the public internet; private IPs, RFC1918, should only route within your LAN: 10.x.x.x, 192.168.x.x, 172.16.x.x
The IP range you list is in China (ARIN whois):
inetnum:      61.177.0.0 - 61.177.255.255
netname:      CHINANET-JS
descr:        CHINANET jiangsu province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN

If you blocked the IPs at your perimeter, probably a firewall, it should have blocked them; the way in which your access list handles such listings may be a factor. If the block was placed after an allow, then the allow is processed first, and the block isn't considered. That varies from firewall to firewall and router to router. The subnet mask to block may need to be a reverse subnet mask, like 0.0.255.255 to block 61.177.x.x (you're more likely to see 255.255.0.0 on lots of other equipment; e.g. Windows uses the "correct order" subnet mask and a Cisco router or PIX may use the "reverse subnet mask").
-rich

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17958764
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers, I think, can take either form of the subnet mask; not sure about others...
I should also clarify the deny-after-an-allow statement I made:
Allow: 1.2.3.xxx
Deny: 1.2.3.4
Everything except 1.2.3.4 would be allowed in...
-rich
0
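To make the ordering and mask points from Rich's accepted solution and his clarification above concrete, here is an added example (not from the thread): a first-match ACL evaluator with Cisco-style wildcard masks, using constructed ACLs. It shows the permit-before-deny order letting 1.2.3.4 in, the corrected order, and why pasting 255.255.0.0 where a reverse mask is expected fails to block 61.177.x.x.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def netmask_to_wildcard(mask):
    """Invert a normal subnet mask into a Cisco-style wildcard (reverse) mask.
    The operation is its own inverse: 255.255.0.0 <-> 0.0.255.255."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ 0xFFFFFFFF))


def matches(ip, network, wildcard):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def evaluate(acl, ip):
    """First-match evaluation (Cisco style); the implicit rule at the end is deny."""
    for action, network, wildcard in acl:
        if matches(ip, network, wildcard):
            return action
    return "deny"


PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")

# Constructed ACLs for the "deny placed after an allow" case from the thread.
ALLOW_THEN_DENY = [("permit", "1.2.3.0", "0.0.0.255"), ("deny", "1.2.3.4", "0.0.0.0")]
DENY_THEN_ALLOW = [("deny", "1.2.3.4", "0.0.0.0"), ("permit", "1.2.3.0", "0.0.0.255")]

# Blocking the attacker's 61.177.x.x range ahead of a permit-any: once with the wildcard
# in the correct (reverse) form, once with the normal mask mistakenly used as the wildcard.
BLOCK_CORRECT = [("deny", "61.177.0.0", netmask_to_wildcard("255.255.0.0")), PERMIT_ANY]
BLOCK_WRONG_MASK = [("deny", "61.177.0.0", "255.255.0.0"), PERMIT_ANY]

if __name__ == "__main__":
    for name, acl in [("allow-then-deny", ALLOW_THEN_DENY), ("deny-then-allow", DENY_THEN_ALLOW)]:
        print(name, "1.2.3.4 ->", evaluate(acl, "1.2.3.4"))
    for name, acl in [("correct wildcard", BLOCK_CORRECT), ("normal mask as wildcard", BLOCK_WRONG_MASK)]:
        print(name, "61.177.55.66 ->", evaluate(acl, "61.177.55.66"))
```

With the normal mask in the wildcard slot only the last two octets are compared, so the deny matches nothing but x.y.0.0 and the permit-any wins, which is the "block had no effect" symptom from the question.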
 
LVL 24

Expert Comment

by:SunBow
ID: 17958888
Since they are using IP addressing, ensure that when you say to block all ports that you really do block all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advice here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicited use of ports.

Make sure the firewall tells you the port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.

http://www.iana.org/assignments/port-numbers

ftp-data    20/tcp    File Transfer [Default Data]
ftp-data    20/udp    File Transfer [Default Data]
ftp         21/tcp    File Transfer [Control]
ftp         21/udp    File Transfer [Control]
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18048081
What solved your issue may I ask?
-rich
0
