Chapter 9. Investigating Attribution
A well-designed, defensible network should have a number of monitoring elements available for forensic analysis when it is attacked or compromised. For example, most networks will have deployed intrusion detection systems, firewall and router traffic logs, and access logs contained on the server itself. There exists a bevy of tools and techniques that can allow an investigator to gain further insight using open source data. This includes routing information from the border gateway protocol (BGP), domain name system (DNS), darknet monitoring, blacklist services (such as those offered by Spamhaus, CBL, etc.), and, to a lesser degree, Internet registry information (e.g., ARIN, RIPE, APNIC, etc.).
Performing a traceroute on each IP will show an experienced computer security engineer where the attacks originated from and what path the packets took to get to the target.
This chapter takes a rudimentary look at these computer forensic tools by way of some real-world examples.
Using Open Source Internet Data
The following serves as an introduction to several key internetworking concepts. This is fairly complex subject matter, and will be discussed only at a very high level here.
The border gateway protocol (BGP) is widely characterized as the “glue of the Internet.” Every Internet service provider uses BGP to move packets between source and destination nodes. Essentially, each BGP “speaking” router will dynamically maintain a table of network addresses, ...