Solved

How can you track the path an external user took to enter your network?

Posted on 2006-11-16
5
225 Views
Last Modified: 2010-04-11
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!
Question by:agcsupport
5 Comments
 
LVL 8

Expert Comment

by:netmunky
ID: 17957890
using a packet inspection tool such as wireshark, you should be able to inspect the tcp/ip packets as they come in and determine which router is sending the packets to the FTP server. or you can check your ARP tables and see which router matches the ARP entry for the attacker's ip address.

from there you may be able to check xlate tables, etc, depending on how your network is set up. if all else fails, a monitor port and tcpdump/wireshark can be used on the router to again inspect the tcp/ip packets to determine the source router and follow it up the line. methods for tracking packets through routers are dependent on your hardware and software revision(s).
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 17958716
Public IPs are routable on the public internet; private IPs, RFC1918, should only route within your lan: 10.x.x.x 192.168.x.x 172.16.x.x
The IP range you list is in china (arin whois)
inetnum:      61.177.0.0 - 61.177.255.255
netname:      CHINANET-JS
descr:        CHINANET jiangsu province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088
country:      CN

If you blocked the IPs at your perimeter, probably a firewall, it should have blocked them; the way in which your access list handles such listings may be a factor. If the block was placed after an allow, then the allow is processed first, and the block isn't considered. That varies from firewall to firewall and router to router. The subnet mask to block may need to be a reverse subnet mask, like 0.0.255.255 to block 61.177.x.x (you're more likely to see 255.255.0.0 on lots of other equipment; windows, for example, uses the "correct order" subnet mask and a cisco router or pix may use the "reverse subnet mask")
-rich

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17958764
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers I think can take either form of the subnet mask, not sure about others...
I should also clarify, the deny after an allow statement I made
Allow: 1.2.3.xxx
Deny: 1.2.3.4
Everything except 1.2.3.4 would be allowed in...
-rich
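The two points Rich makes above (a first-match access list lets an allow placed before a deny win, and a Cisco-style "reverse" wildcard mask is the complement of the conventional mask) can be checked with a small simulator. This is an added example, not code from the thread; the rule tuples and sample addresses are constructed for illustration.

```python
import ipaddress

def wildcard_match(ip: str, addr: str, wildcard: str) -> bool:
    """Cisco-style match: bits set to 1 in the wildcard are 'don't care'."""
    i = int(ipaddress.IPv4Address(ip))
    a = int(ipaddress.IPv4Address(addr))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (i & care) == (a & care)

def forward_to_wildcard(netmask: str) -> str:
    """Convert a conventional mask (255.255.0.0) into its reverse/wildcard form (0.0.255.255)."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address((~m) & 0xFFFFFFFF))

def evaluate_acl(acl, src_ip: str) -> str:
    """First-match evaluation: rules are (action, address, wildcard) in list order.
    The first rule whose address/wildcard covers src_ip decides; anything that
    matches no rule hits the implicit deny at the end."""
    for action, addr, wildcard in acl:
        if wildcard_match(src_ip, addr, wildcard):
            return action
    return "deny"

# Constructed rule sets, mirroring the thread's 1.2.3.x example.
ACL_ALLOW_FIRST = [("permit", "1.2.3.0", "0.0.0.255"), ("deny", "1.2.3.4", "0.0.0.0")]
ACL_DENY_FIRST = [("deny", "1.2.3.4", "0.0.0.0"), ("permit", "1.2.3.0", "0.0.0.255")]

# Blocking 61.177.x.x: correct wildcard form, and the forward mask typed by mistake.
ACL_BLOCK_CORRECT = [("deny", "61.177.0.0", "0.0.255.255"),
                     ("permit", "0.0.0.0", "255.255.255.255")]
ACL_BLOCK_WRONG_MASK = [("deny", "61.177.0.0", "255.255.0.0"),
                        ("permit", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    for name, acl in [("allow-first", ACL_ALLOW_FIRST), ("deny-first", ACL_DENY_FIRST)]:
        print(name, "1.2.3.4 ->", evaluate_acl(acl, "1.2.3.4"))
    for name, acl in [("correct", ACL_BLOCK_CORRECT), ("wrong-mask", ACL_BLOCK_WRONG_MASK)]:
        print(name, "61.177.10.20 ->", evaluate_acl(acl, "61.177.10.20"))
```

With the forward mask entered where a wildcard is expected, the deny only covers addresses ending in .0.0, so 61.177.10.20 is still permitted, which is exactly the "block had no effect" symptom in the question.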
 
LVL 24

Expert Comment

by:SunBow
ID: 17958888
Since they are using IP addressing, ensure that when you say to block all ports that you really do all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advice here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicited use of ports.

Make sure firewall tells port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.

http://www.iana.org/assignments/port-numbers

ftp-data    20/tcp    File Transfer [Default Data]
ftp-data    20/udp    File Transfer [Default Data]
ftp         21/tcp    File Transfer [Control]
ftp         21/udp    File Transfer [Control]
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18048081
What solved your issue may I ask?
-rich