Re: Net forensics question

From: Myke Place (mpat_private)
Date: Mon May 26 2003 - 11:09:46 PDT


    There is no way to know conclusively whether the final address is 
    dynamically or statically assigned. Based on the information you have 
    given there is no definitive way to tell. 
    
    In many ISP situations, you'll see a static route added to a core router
    that points to a modem bank which then assigns IPs to dial-up users as
    they are requested. So, a loop like the one that you describe could be
    either a dial-up rack that has a static route pointing to it, or it could
    be any number of other things. Though if the traceroute looks like it's
    pretty close to the edge of a network, you might be inclined to suspect
    dial-up.
    
    What you really want to do if you suspect wrongdoing is to fire off an 
    email to abuseat_private and find out what the address is 
    assigned to.
    
    -mp
    
    
    
    * Burnette, Michael (MWB@rh-law.com) [030526 08:27] spake thusly:
    > What would explain the following scenario (or what if anything would this scenario tell you about the machine in question):
    > 
    > 1) A traceroute to a public internet address times out at 30 hops. The last 10 hops bounce between the same two hosts.
    > 2) No DNS information available on the host.
    > 3) ping times out unless the TTL is increased.
    > 4) ping -a returns what appears to be a short netbios name, not a FQDN  
    > 
    > Is there any way to know if the IP is static or dynamically assigned?  There seem to be clues here.
    > 
    > Thanks,
    > Michael Burnette
    > Atlanta, GA
    >  
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    -- 
    I think computer viruses should count as life. I think it says something about
    human nature that the only life we have created so far is purely destructive. 
    We've created life in our own image. -Stephen Hawking
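
An added example, not part of the original thread: a short Python parser that reads traceroute output and reports when the trace ends bouncing between the same two hosts, as in the scenario quoted above. The sample output is constructed (documentation address ranges) and the function names are hypothetical; a detected loop describes the routing toward the address only and says nothing about whether the address is statically or dynamically assigned.

```python
import re

# Constructed sample: 20 ordinary hops (one silent), then 10 hops that
# alternate between two routers until the 30-hop limit is reached.
_head = ["traceroute to 203.0.113.77 (203.0.113.77), 30 hops max"]
_path = [f"{n:2d}  " + ("* * *" if n == 7 else f"192.0.2.{n}  {n}.0 ms")
         for n in range(1, 21)]
_loop = [f"{n:2d}  {'198.51.100.5' if n % 2 else '198.51.100.6'}  25.0 ms"
         for n in range(21, 31)]
SAMPLE = "\n".join(_head + _path + _loop)

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text):
    """Return [(ttl, ip_or_None)]; None marks a hop that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or other non-hop line
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def find_two_host_loop(hops, min_len=4):
    """Detect a trace whose tail alternates between exactly two hosts.

    Returns a dict with the TTL where the loop starts, the two hosts and
    the number of looping hops, or None when the tail does not loop.
    """
    ips = [ip for _, ip in hops]
    if len(ips) < min_len or None in ips[-2:] or ips[-1] == ips[-2]:
        return None
    a, b = ips[-2], ips[-1]
    last = len(ips) - 1
    i = last
    # Walk backwards while hops keep alternating b, a, b, a, ...
    while i >= 0 and ips[i] == (b if (last - i) % 2 == 0 else a):
        i -= 1
    length = last - i
    if length < min_len:
        return None
    return {"first_ttl": hops[i + 1][0], "hosts": (a, b), "length": length}


if __name__ == "__main__":
    print(find_two_host_loop(parse_hops(SAMPLE)))
```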
    
    



    This archive was generated by hypermail 2b30 : Mon May 26 2003 - 11:50:41 PDT