agcsupport asked:
How can you track the path an external user took to enter your network?

Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address, but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!
netmunky answered:

Using a packet inspection tool such as Wireshark, you should be able to inspect the TCP/IP packets as they come in and determine which router is sending the packets to the FTP server. Or you can check your ARP tables and see which router matches the ARP entry for the attacker's IP address.

From there you may be able to check xlate tables, etc., depending on how your network is set up. If all else fails, a monitor port and tcpdump/Wireshark can be used on the router to again inspect the TCP/IP packets, determine the source router and follow it up the line. Methods for tracking packets through routers are dependent on your hardware and software revision(s).
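The ARP-table approach above, as an added example (not from the original thread): frames captured on the FTP server's segment carry the MAC of the last-hop router as their Ethernet source, so matching that MAC against the segment's ARP table shows whether the attacker's packets arrived through the internet edge or the frame-relay router. The ARP entries, router names and captured frames below are all constructed for the demo; real frames would come from a mirror port via tcpdump or Wireshark.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical ARP table of the FTP server's LAN segment: MAC -> next-hop router.
# MACs and router names are constructed for this example.
ARP_TABLE = {
    "00:11:22:33:44:01": "internet-edge-router (10.0.0.1)",
    "00:11:22:33:44:02": "frame-relay-router (10.0.0.2)",
}
SUSPECT_NET = ip_network("61.177.0.0/16")  # range the asker saw (last octets masked)

def build_frame(src_mac, src_ip, dst_ip, dst_mac="00:11:22:33:44:ff"):
    """Construct a minimal Ethernet II + IPv4 frame (no payload) for the demo."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip_hdr

def parse_frame(frame):
    """Return (src_mac, src_ip) for an IPv4 Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ip_address(frame[26:30])  # IPv4 source address sits at offset 12 of the IP header
    return src_mac, src_ip

def ingress_routers(frames, arp_table=ARP_TABLE, suspect_net=SUSPECT_NET):
    """Count, per next-hop router, the frames whose IP source lies in suspect_net."""
    # A spoofed IP source does not change the L2 source MAC, so the ARP match still holds.
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip = parsed
        if src_ip in suspect_net:
            counts[arp_table.get(src_mac, f"unknown MAC {src_mac}")] += 1
    return counts

# Constructed capture: the attacker's packets arrive via the frame-relay router,
# plus one unrelated packet from the internet side.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:02", "61.177.10.20", "192.168.1.21"),
    build_frame("00:11:22:33:44:02", "61.177.10.20", "192.168.1.22"),
    build_frame("00:11:22:33:44:01", "198.51.100.7", "192.168.1.21"),
]

if __name__ == "__main__":
    for router, n in ingress_routers(SAMPLE_FRAMES).most_common():
        print(f"{n} packet(s) from {SUSPECT_NET} arrived via {router}")
```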
ASKER CERTIFIED SOLUTION
Rich Rumble answered:
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers, I think, can take either form of the subnet mask; not sure about others...
I should also clarify the deny-after-allow statement I made:
Allow: 1.2.3.xxx
Deny: 1.2.3.4
Everything except 1.2.3.4 would be allowed in...
-rich
Since they are using IP addressing, ensure that when you say to block all ports you really do block all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advice here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicited use of ports.

Make sure the firewall tells you the port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.

http://www.iana.org/assignments/port-numbers

ftp-data    20/tcp    File Transfer [Default Data]
ftp-data    20/udp    File Transfer [Default Data]
ftp         21/tcp    File Transfer [Control]
ftp         21/udp    File Transfer [Control]
What solved your issue may I ask?
-rich