[nycbug-talk] Researching ISP for an IP
Sun Aug 14 00:18:34 EDT 2005
Francisco Reyes wrote:
> Someone launched a dictionary attack against my machine.
> Nothing new...
> However, I always use IP2Location to see where the attack is coming
> from.. just for my curiosity.
> This particular IP, 188.8.131.52, was from New York so I figure I would
> try to find the ISP to complain.
> dig -x reports
> ;; ANSWER SECTION:
> 184.108.40.206.in-addr.arpa. 78337 IN PTR ros75-27.optonline.net.
> but then
> dig ros75-27.optonline.net
> ;; QUESTION SECTION:
> ;ros75-27.optonline.net. IN A
> Tried traceroute and mtr, but got nowhere.
> Not even ping did anything when I tried
> ping 220.127.116.11
> Is it possibly the attacker just spoofed the IP?
If they didn't, they're either extremely stupid or missing most of the
grey matter between their ears.. I know if I tried that kind of attack on
someone (not that I would, but if I *did*) I'd spoof the source IP as much
as possible by bouncing off proxies, zombies, etc.
Normally, from what I see in my own logs (since I'm also on optonline)
script kiddies don't even try to mask their IP, mainly because they don't
know how to do that - they just run the script/exploit/whatever and see
what happens. Adding their IP to my "ignore" list for a while seems to do
the trick most times. Doing an nmap scan of their box for the
peskier ones puts *them* on red alert, and it usually stops immediately
(gotta love that :)
I'd say if you're getting hit with a dict attack, the person on the other
end at least knows a little bit and will try (however feeble) to hide at
least a little bit.
Of course, I just had a pot of coffee, so I could go on and on about this,
so I'll shaddup and let the other folks get a few words in now :)
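As an added example (not part of the original thread or any poster's own code), here is a Python version of the check Francisco ran by hand with `dig -x` and then `dig` on the PTR name: forward-confirmed reverse DNS (FCrDNS). A PTR record is only evidence of who owns the address if the name it returns resolves back to the same IP; in the thread it did not, so the `optonline.net` name cannot be relied on for attribution. The resolver functions are swappable so the script runs offline against constructed answers modelled on the thread's output; the sample hostnames and the `203.0.113.x` / `198.51.100.x` addresses are assumptions for illustration.

```python
import socket
from typing import Callable, Optional

Reverse = Callable[[str], Optional[str]]
Forward = Callable[[str], list]


def _norm(name: str) -> str:
    # dig prints names with a trailing dot; the socket module does not.
    return name.rstrip(".").lower()


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (the equivalent of `dig -x IP`)."""
    try:
        return _norm(socket.gethostbyaddr(ip)[0])
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> list:
    """A-record lookup via the system resolver (the equivalent of `dig NAME`)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip: str, reverse: Reverse = live_reverse,
                 forward: Forward = live_forward) -> dict:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.

    Returns a dict with the PTR name, the addresses the name resolves to,
    whether the IP is among them, and a one-line verdict for the analyst.
    """
    ptr = reverse(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "forward": [], "confirmed": False,
                "verdict": "no PTR record; identify the network with whois instead"}
    addrs = forward(ptr)
    confirmed = ip in addrs
    if confirmed:
        verdict = "forward-confirmed; PTR name can be attributed to the IP"
    elif not addrs:
        verdict = "PTR name has no A record; do not trust the PTR for attribution"
    else:
        verdict = "PTR name resolves to other addresses; do not trust the PTR"
    return {"ip": ip, "ptr": ptr, "forward": addrs,
            "confirmed": confirmed, "verdict": verdict}


# Constructed answers modelled on the thread's dig output (assumptions, not live
# data): the PTR names an optonline.net host, but that name has no A record.
# The second entry is a made-up host whose PTR does confirm.
SAMPLE_PTR = {"188.8.131.52": "ros75-27.optonline.net.",
              "203.0.113.7": "host7.example.net."}
SAMPLE_A = {"ros75-27.optonline.net": [],
            "host7.example.net": ["203.0.113.7"]}


def sample_reverse(ip: str) -> Optional[str]:
    return _norm(SAMPLE_PTR[ip]) if ip in SAMPLE_PTR else None


def sample_forward(name: str) -> list:
    return SAMPLE_A.get(_norm(name), [])


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Live mode: python fcrdns.py 203.0.113.7 ...
        for ip in sys.argv[1:]:
            print(check_fcrdns(ip))
    else:
        # Offline demonstration on the constructed answers above.
        for ip in ("188.8.131.52", "203.0.113.7", "198.51.100.1"):
            print(check_fcrdns(ip, sample_reverse, sample_forward))
```

When the PTR does not confirm, the reliable way to find who to complain to is the regional registry record for the address itself (`whois 188.8.131.52`), which carries the network's abuse contact independently of whatever the reverse zone says.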