In Depth
Searching for Internet Perpetrators
Trying to trace Internet attacks backward to find the perp is an interesting exercise, but potentially fruitless.
By Simson Garfinkel
One way to do so is to bounce the attack through an intermediary, using simple techniques like finding an open proxy server, or complicated ones like renting time on a ‘bot net’—that is, a network of compromised machines. This creates a chain of return addresses. Although you can try tracking backwards one jump at a time, such tracing is difficult and slow and will be problematic if there is an uncooperative ISP somewhere in the middle.
Given the limitations of using the return address, there are other ways that you can try to get the IP address of the attacker. You can send the attacker an e-mail message with a Web bug in it. Web bugs are very small images that monitor and report on who is reading a message or viewing a page. If the attacker is careless enough to open the e-mail on his computer, the Web bug can reveal the attacker’s location. Web bugs can also be embedded into Microsoft Office documents, so another tactic you can try is to leave a booby-trapped Word file where your attacker will discover it, and then wait to see if anybody triggers the embedded tracking device.
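The flip side of the Web-bug tactic is spotting one in your own inbox before the image loads. The following detector is an added example, not code from the article: it walks the `<img>` tags of an HTML message and flags remote images that are tiny, hidden, or carry a long per-recipient token in the URL. The sample message, the hostnames and the size/token thresholds are all constructed assumptions for illustration.

```python
"""Flag likely Web bugs (tracking images) in an HTML e-mail body.

Added example, not from the article. Heuristics (assumptions, not a standard):
an <img> is suspicious when it loads from a remote host and is either tiny
(width or height <= 1 pixel), hidden by CSS, or carries a query-string value
long enough to look like a per-recipient token.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message: one normal logo, one classic 1x1 tracker with a
# token, one inline (cid:) image, and one remote image hidden via CSS.
SAMPLE_EMAIL = """
<html><body>
<p>Quarterly report attached.</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-tracker.test/open.gif?id=a1b2c3d4e5f6&u=42" width="1" height="1">
<img src="cid:inline-image-1" width="300" height="100">
<img src="https://img.example.org/pixel.png" style="display:none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attribute dictionaries of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    def dim(name):
        try:
            return int(str(attrs.get(name, "")).rstrip("px"))
        except ValueError:
            return None

    w, h = dim("width"), dim("height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _has_token(src):
    # A query value of 8+ characters is treated as a per-recipient identifier.
    qs = parse_qs(urlparse(src).query)
    return any(len(v) >= 8 for vals in qs.values() for v in vals)


def find_web_bugs(html):
    """Return [(remote_host, [reasons])] for images that look like trackers."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            continue  # cid: and data: images never contact a remote server
        reasons = []
        if _is_tiny(attrs):
            reasons.append("tiny")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _has_token(src):
            reasons.append("per-recipient token")
        if reasons:
            findings.append((parsed.hostname, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in find_web_bugs(SAMPLE_EMAIL):
        print(f"{host}: {', '.join(reasons)}")
```

The cheapest mitigation is the one most mail clients already offer: do not fetch remote images by default. The detector is useful where that setting is not enforced, or for triaging a suspicious message after the fact.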
Unfortunately, getting somebody’s IP address is often just the first step of a traceback exercise. On today’s Internet, just about every IP address is assigned to an Internet service provider, a company, a governmental organization or a university. By consulting databases run by the Internet registries, you can pretty easily figure out the organization to which any given IP address belongs. But going from that organization to a particular individual is a much more difficult task. Although some organizations permanently assign each IP address to specific users, most use IP addresses that are dynamically assigned to different users at different times. In either event, you need the cooperation of the organization to consult either their administrative records or their log files. Some organizations won’t cooperate unless a court compels them. And in some countries the courts just don’t care about your plight.
Even if you have an IP address and the organization wants to cooperate, you might still be out of luck. The IP address might belong to a wireless access point—and it’s a very rare access point indeed that keeps detailed logs about who connected to it and when.
The IP address could also be wrong. In many cases the attacker can simply “borrow” the IP address of someone else in his organization. A sophisticated attacker will change both his IP address and his Ethernet address. Although every Ethernet interface sold today comes with a unique 48-bit address that’s burned in at the manufacturer, every interface on the market also can be reprogrammed to use any other 48-bit address. You can even do this trick with wireless Ethernet addresses.
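From the defender's side, the "borrowed" address described above is detectable when the network keeps two records that should agree: the DHCP server's view of which hardware address holds which lease, and the switch's or router's ARP view of which hardware address is actually answering for that IP. The script below is an added example, not from the article; the lease and ARP records, timestamps and addresses are constructed for illustration. It also checks the locally administered bit of each offending MAC, which software-assigned addresses often set, with the caveat that an attacker who copies a real burned-in address will not trip that particular check.

```python
"""Correlate DHCP leases with ARP observations to spot a borrowed IP address.

Added example, not from the article. Records are constructed; in practice they
would come from the DHCP server's lease file and a switch/router ARP table or
an arpwatch log.
"""

# Constructed DHCP lease records: (ip, mac) as the server handed them out.
LEASES = [
    ("10.0.5.20", "00:1a:2b:3c:4d:5e"),
    ("10.0.5.21", "00:1a:2b:3c:4d:5f"),
    ("10.0.5.22", "00:1a:2b:3c:4d:60"),
]

# Constructed ARP observations from the access switch: (time, ip, mac).
ARP_OBSERVATIONS = [
    ("09:00:01", "10.0.5.20", "00:1a:2b:3c:4d:5e"),
    ("09:00:05", "10.0.5.21", "00:1a:2b:3c:4d:5f"),
    ("09:14:30", "10.0.5.20", "02:00:de:ad:be:ef"),  # a different host answers for .20
    ("09:15:02", "10.0.5.22", "00:1a:2b:3c:4d:60"),
    ("09:20:10", "10.0.5.21", "00:1a:2b:3c:4d:5f"),
]


def is_locally_administered(mac):
    """True if the locally administered bit (0x02 of the first octet) is set.

    Burned-in, vendor-assigned (OUI) addresses have this bit clear, so a set bit
    means the address was chosen by software.  A clear bit proves nothing: a
    spoofer who copies a genuine address keeps it clear.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_ip_conflicts(leases, observations):
    """Return (time, ip, mac, note) for every ARP entry that disagrees with DHCP."""
    lease_map = {ip: mac.lower() for ip, mac in leases}
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        expected = lease_map.get(ip)
        if expected is None:
            alerts.append((ts, ip, mac, "no DHCP lease for this IP"))
        elif mac != expected:
            note = "IP answered by MAC other than lessee"
            if is_locally_administered(mac):
                note += " (locally administered address)"
            alerts.append((ts, ip, mac, note))
    return alerts


if __name__ == "__main__":
    for ts, ip, mac, note in find_ip_conflicts(LEASES, ARP_OBSERVATIONS):
        print(f"{ts} {ip} {mac}: {note}")
```

The correlation only works if both sources are retained with timestamps, which is exactly the record-keeping the article notes most wireless access points lack; the same logic applies to 802.1X or captive-portal logs, which tie a session to an authenticated user rather than just to a hardware address.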