Solved

How can you track the path an external user took to enter your network?

Posted on 2006-11-16
224 Views
Last Modified: 2010-04-11
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address, but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!

Question by:agcsupport

5 Comments
LVL 8

Expert Comment

by:netmunky
ID: 17957890
Using a packet inspection tool such as Wireshark, you should be able to inspect the TCP/IP packets as they come in and determine which router is sending the packets to the FTP server. Or you can check your ARP tables and see which router matches the ARP entry for the attacker's IP address.

From there you may be able to check xlate tables, etc., depending on how your network is set up. If all else fails, a monitor port and tcpdump/Wireshark can be used on the router to again inspect the TCP/IP packets to determine the source router and follow it up the line. Methods for tracking packets through routers are dependent on your hardware and software revision(s).
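The approach in the comment above (read the frames arriving at the FTP server, take the source MAC of the ones carrying the attacker's IP, and resolve that MAC through the ARP table to a gateway) can be scripted. The following is an added example, not code from anyone in this thread. The capture lines are constructed in the style of `tcpdump -e -n` output, the ARP table is constructed in `arp -an` style, and the mapping of gateway IPs to router names (`KNOWN_ROUTERS`) is a hypothetical inventory you would fill in for your own network. Because the source MAC belongs to the last hop on the local segment, not to the remote sender, the result tells you which router handed the traffic in, which is exactly the question asked.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample capture (tcpdump -e -n style: link-layer headers shown, no name
# resolution) taken on the FTP server's segment. Only the first line comes from the
# suspect range; the other two are local traffic.
SAMPLE_CAPTURE = """\
23:14:02.113 00:1b:2c:3d:4e:5f > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 61.177.10.20.51234 > 10.1.1.5.21: Flags [S], seq 1
23:14:02.119 00:50:56:aa:bb:cc > 00:1b:2c:3d:4e:5f, ethertype IPv4 (0x0800), length 74: 10.1.1.5.21 > 61.177.10.20.51234: Flags [S.], seq 1, ack 2
23:14:03.501 00:0c:29:11:22:33 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 60: 10.1.1.9.40000 > 10.1.1.5.21: Flags [S], seq 3
"""

# Constructed ARP table in `arp -an` style: which MAC answers for which gateway IP.
SAMPLE_ARP = """\
? (10.1.1.1) at 00:1b:2c:3d:4e:5f [ether] on eth0
? (10.1.1.2) at 00:aa:bb:cc:dd:ee [ether] on eth0
? (10.1.1.9) at 00:0c:29:11:22:33 [ether] on eth0
"""

# Hypothetical inventory: gateway IP -> the router it belongs to.
KNOWN_ROUTERS = {"10.1.1.1": "frame-relay-router", "10.1.1.2": "internet-firewall"}

LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]{17})")


def parse_arp(text):
    """Build a MAC -> IP map from `arp -an` style output."""
    return {m["mac"]: m["ip"] for m in map(ARP_RE.search, text.splitlines()) if m}


def source_macs_for(capture, suspect_net):
    """Count frames per source MAC whose IP source lies inside suspect_net."""
    net = ip_network(suspect_net)
    counts = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and ip_address(m["sip"]) in net:
            counts[m["smac"]] = counts.get(m["smac"], 0) + 1
    return counts


def find_ingress_routers(capture, arp_text, suspect_net, known_routers):
    """Resolve each forwarding MAC to a gateway IP and router name.

    Returns a list of (mac, gateway_ip, router_name, frame_count). A gateway that is
    not in the inventory is reported as "unknown" so it can be investigated.
    """
    mac_to_ip = parse_arp(arp_text)
    result = []
    for mac, n in source_macs_for(capture, suspect_net).items():
        gw = mac_to_ip.get(mac)
        result.append((mac, gw, known_routers.get(gw, "unknown"), n))
    return result


if __name__ == "__main__":
    for mac, gw, name, n in find_ingress_routers(SAMPLE_CAPTURE, SAMPLE_ARP, "61.177.0.0/16", KNOWN_ROUTERS):
        print(f"{n} frame(s) from 61.177.0.0/16 entered via {mac} = {gw} ({name})")
```

On the constructed data the only frames from 61.177.0.0/16 carry the source MAC of 10.1.1.1, the frame-relay router, which is the kind of result that would explain why a block on the internet firewall had no effect. With a real capture you would feed the script the output of `tcpdump -e -n` and `arp -an` from the affected server.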
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17958716
Public IPs are routable on the public internet; private IPs (RFC 1918) should only route within your LAN: 10.x.x.x, 192.168.x.x, 172.16.x.x.
The IP range you list is in China (ARIN whois):
inetnum:      61.177.0.0 - 61.177.255.255
netname:      CHINANET-JS
descr:        CHINANET jiangsu province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN

If you blocked the IPs at your perimeter, probably a firewall, it should have blocked them; the way in which your access list handles such listings may be a factor. If the block was placed after an allow, then the allow is processed first, and the block isn't considered. That varies from firewall to firewall and router to router. The subnet mask to block may need to be a reverse subnet mask, like 0.0.255.255 to block 61.177.x.x (you're more likely to see 255.255.0.0 on lots of other equipment; Windows, for example, uses the "correct order" subnet mask, and a Cisco router or PIX may use the "reverse subnet mask").
-rich

LVL 38

Expert Comment

by:Rich Rumble
ID: 17958764
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers, I think, can take either form of the subnet mask; not sure about others...
I should also clarify the deny-after-allow statement I made:
Allow: 1.2.3.xxx
Deny: 1.2.3.4
Everything except 1.2.3.4 would be allowed in...
-rich
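The two points made in the answers above, that a first-match access list stops at the first line that matches so a deny placed after a broader allow is never reached, and that a Cisco-style wildcard ("reverse") mask is the bit-inverse of the familiar forward mask, can both be checked with a small evaluator. This is an added example, not code from the answers or from any vendor; the access lists are constructed to mirror the `Allow: 1.2.3.xxx / Deny: 1.2.3.4` case and the 61.177.x.x block under discussion, and the implicit deny at the end of a list is the Cisco convention assumed here.

```python
from ipaddress import ip_address

ALL_ONES = 0xFFFFFFFF


def forward_to_wildcard(mask):
    """255.255.0.0 -> 0.0.255.255: a wildcard mask is the bit-inverse of a forward mask."""
    return str(ip_address(int(ip_address(mask)) ^ ALL_ONES))


def wildcard_match(addr, network, wildcard):
    """Cisco-style test: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = int(ip_address(wildcard)) ^ ALL_ONES
    return (int(ip_address(addr)) & care) == (int(ip_address(network)) & care)


def evaluate_acl(acl, src):
    """First match wins; anything that matches no entry hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


# Constructed lists in (action, network, wildcard) form.
# The deny-after-allow case from the answer: the /24 allow matches first, so
# the host deny on 1.2.3.4 is never consulted.
MISORDERED = [
    ("permit", "1.2.3.0", "0.0.0.255"),   # Allow: 1.2.3.xxx
    ("deny",   "1.2.3.4", "0.0.0.0"),     # Deny: 1.2.3.4 (unreachable here)
]
CORRECT = [
    ("deny",   "1.2.3.4", "0.0.0.0"),     # most specific entry first
    ("permit", "1.2.3.0", "0.0.0.255"),
]

# The block from the question, written with the wildcard form a Cisco device expects
# versus the forward mask another platform would expect. Only the first one matches 61.177.x.x.
BLOCK_WILDCARD = [("deny", "61.177.0.0", "0.0.255.255"), ("permit", "0.0.0.0", "255.255.255.255")]
BLOCK_FORWARD_BY_MISTAKE = [("deny", "61.177.0.0", "255.255.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]


if __name__ == "__main__":
    print("misordered 1.2.3.4 ->", evaluate_acl(MISORDERED, "1.2.3.4"))        # permit
    print("correct    1.2.3.4 ->", evaluate_acl(CORRECT, "1.2.3.4"))           # deny
    print("wildcard   61.177.10.20 ->", evaluate_acl(BLOCK_WILDCARD, "61.177.10.20"))            # deny
    print("forward    61.177.10.20 ->", evaluate_acl(BLOCK_FORWARD_BY_MISTAKE, "61.177.10.20"))  # permit
    print("255.255.0.0 as wildcard is", forward_to_wildcard("255.255.0.0"))
```

The last case is the quiet failure worth checking on a Cisco-style device: an entry written as `61.177.0.0 255.255.0.0` is accepted, but the wildcard treats the first two octets as "don't care" and requires the last two to be `0.0`, so `61.177.10.20` sails past it and is permitted by the following line.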
LVL 24

Expert Comment

by:SunBow
ID: 17958888
Since they are using IP addressing, ensure that when you say to block all ports you really do block all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advice here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicited use of ports.

Make sure the firewall tells you the port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.

http://www.iana.org/assignments/port-numbers

ftp-data    20/tcp    File Transfer [Default Data]
ftp-data    20/udp    File Transfer [Default Data]
ftp         21/tcp    File Transfer [Control]
ftp         21/udp    File Transfer [Control]
LVL 38

Expert Comment

by:Rich Rumble
ID: 18048081
What solved your issue may I ask?
-rich