How can you track the path an external user took to enter your network?

Posted on 2006-11-16
Medium Priority
Last Modified: 2010-04-11
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night.  I added a policy to block and log any attempts from that IP on our firewall.  That had no effect.  On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall.  We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations.  I'm not sure how a public IP can be making through our private frame.   I can ping and telnet to the attackers IP address but the path just goes straight out  through our internet connection.  What tool or method can I use to find the entry point?  Thanks!
Question by:agcsupport
  • 3

Expert Comment

ID: 17957890
using a packet inspection tool such as wireshark, you should be able to inspect the tcp/ip packets as they come in and determine which router is sending the packets to the FTP server.  or you can check your ARP tables and see which router matches the ARP entry for the attackers ip address.

from there you may be able to check xlate tables, etc, depending on how your network is set up. if all else fails, a monitor port and tcpdump/wireshark can be used on the router to again inspect the tcp/ip packets to determine the source router and follow it up the line. methods for tracking packets through routers is dependent on your hardware and software revision(s).
LVL 38

Accepted Solution

Rich Rumble earned 1000 total points
ID: 17958716
Public ip's are routeable in the public internet, private ip's, RFC1918, should only route within your lan, 10.x.x.x 192.168.x.x 172.16.x.x
The IP range you list is in china (arin whois)
inetnum: -
netname:      CHINANET-JS
descr:        CHINANET jiangsu province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN

If you blocked the IP's at your perimeter, probably a firewall, it should of blocked them, the way in which your access list handles such listings may be a factor. If the block was placed after an allow, then the allow is processed first, and the block isn't considered. That varies from firewall to firewall and router to router. The subnet mask to block may need to be a reverse subnet mask, like to block 61.177.x.x (your more likely to see on lot's of other equipment, like windows uses the "correct order" subnet mask and a cisco router or pix may use the "reverse subnet mask")

LVL 38

Expert Comment

by:Rich Rumble
ID: 17958764
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers I think can take either form of the subnet mask, not sure about others...
I should also clarify, the deny after an allow statement I made
Allow: 1.2.3.xxx
Everything except would be allowed in...
LVL 24

Expert Comment

ID: 17958888
Since they are using IP addressing, ensure that when you say to block all ports that you really do all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advise here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicted use of ports.

Make sure firewall tells port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.


ftp-data         20/tcp     File Transfer [Default Data]
ftp-data         20/udp    File Transfer [Default Data]
ftp                21/tcp     File Transfer [Control]
ftp                21/udp    File Transfer [Control]
LVL 38

Expert Comment

by:Rich Rumble
ID: 18048081
What solved your issue may I ask?

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

It's not just another paperwork submission. Serious planning and rigour to managing the whole thought processes need to be put in place. The intent is not on drilling into the details, but to share tips in getting the first thing right to kick-start…
In computing, Vulnerability assessment and penetration testing are used to assess systems in light of the organization's security posture, but they have different purposes.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question