pinpointing IP
on 09.08.2007 18:11:26 by cmdjunkie
When investigating an attack from a specific IP address, what
techniques are used to gather information on that IP address?
Obviously the typical whois query and IP information lookup are a
must, but what else can be done to single out a potential threat?
Also, when an attacker's IP address is registered to an online service
(like AOL in this case), what measures can be taken to specifically
identify the attacker? I'm aware of AOL's Dynamically Assigned
Hardware Addressing, so when a client disconnects the IP is usually
reassigned, but I would imagine they would keep a log of IPs to their
respective users at specific times.
Re: pinpointing IP
on 10.08.2007 13:50:30 by Mak
cmdjunkie@gmail.com wrote:
> When investigating an attack from a specific IP address, what
> techniques are used to gather information on that IP address?
> Obviously the typical whois query and IP information lookup are a
> must, but what else can be done to single out a potential threat?
>
> Also, when an attacker's IP address is registered to an online service
> (like AOL in this case), what measures can be taken to specifically
> identify the attacker? I'm aware of AOL's Dynamically Assigned
> Hardware Addressing, so when a client disconnects the IP is usually
> reassigned, but I would imagine they would keep a log of IPs to their
> respective users at specific times.
>
Well, call 1800 AOL4ever and ask them to give you the attacker's home phone number, license plate and SSN.
If they won't give it up, hack into their database and find the information yourself.
Seriously:
What exactly do you want to do?
Call the police if you have been violated and can prove it.
They can get the IP and other data from the provider - _if_ an actual crime has been committed.
M
Re: pinpointing IP
on 10.08.2007 21:52:03 by ibuprofin
On Thu, 09 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1186675886.299879.81840@e9g2000prf.googlegroups.com>, cmdjunkie@gmail.com
wrote:
>When investigating an attack from a specific IP address, what
>techniques are used to gather information on that IP address?
>Obviously the typical whois query and IP information lookup are a
>must, but what else can be done to single out a potential threat?
If in fact there really was an "attack" and not someone sending UDP
messenger spam (free clue - the source addresses are fake because
messenger spam is a one-way connection), then you call the cops - or
in your case, the state police. You want to have complete packet
captures, and let them handle it. If the incident involves crossing
a state line, they will involve the FBI. But it's _their_ call,
not yours.
>Also, when an attacker's IP address is registered to an online service
>(like AOL in this case), what measures can be taken to specifically
>identify the attacker?
The cognizant law enforcement agency gets a subpoena, and serves it to
the provider.
>I'm aware of AOL's Dynamically Assigned Hardware Addressing, so when
>a client disconnects the IP is usually reassigned, but I would imagine
>they would keep a log of IPs to their respective users at specific
>times.
To an extent, yes. But then you are also assuming that the perpetrator
is at that address, and that it's not some clueless id10t's PC that was
zombied. Are you sure your logs are showing the correct times?
Old guy
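An added example, not part of the thread and not anyone's posted code: a small Python triage script that applies two of the points made above before an IP address is reported to anyone. It separates blind UDP Messenger popups (whose source address is not evidence, since nothing ever had to reach the sender) from TCP connections that completed a handshake (the remote address at least received our replies), and it converts the firewall's local timestamps to UTC, because a provider mapping a dynamic address to a subscriber needs the exact instant. The log format and every line in SAMPLE_LOG are constructed for this example; the ESTABLISHED/SYN state field and the Messenger port list are assumptions, not any particular firewall's conventions.

```python
"""
Triage a firewall log before deciding whether a source IP is worth
reporting.  Constructed example: the log format, the sample lines and
the state names are hypothetical, not taken from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical format:
#   <local ts> <utc offset> <proto> <src>:<sport> -> <dst>:<dport> [state]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<state>\S+))?$"
)

# UDP ports the old Windows Messenger service listened on (assumption for
# this example); popup spam to these is sent blind, one datagram, no reply
# needed, so its source address is whatever the spammer chose.
MESSENGER_UDP_PORTS = {135, 1026, 1027, 1028, 1029}

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
2007-08-09 18:01:02 -0400 UDP 203.0.113.7:3400 -> 192.0.2.10:1026
2007-08-09 18:01:03 -0400 UDP 203.0.113.8:3400 -> 192.0.2.10:1027
2007-08-09 18:05:31 -0400 TCP 198.51.100.23:51022 -> 192.0.2.10:22 SYN
2007-08-09 18:05:31 -0400 TCP 198.51.100.23:51022 -> 192.0.2.10:22 ESTABLISHED
2007-08-09 18:05:40 -0400 TCP 198.51.100.23:51023 -> 192.0.2.10:22 ESTABLISHED
2007-08-09 18:07:00 -0400 TCP 192.0.2.99:40000 -> 192.0.2.10:80 SYN
garbage line that should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Convert the firewall's local time plus its offset to UTC; "6 pm our
    # time" is useless to a provider or police in another time zone.
    local = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    sign = 1 if rec["tz"][0] == "+" else -1
    offset = sign * timedelta(hours=int(rec["tz"][1:3]), minutes=int(rec["tz"][3:5]))
    rec["utc"] = local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text):
    """Group events by source IP and say how far the address can be trusted."""
    by_src = defaultdict(lambda: {"udp_messenger": 0, "udp_other": 0,
                                  "tcp_syn": 0, "tcp_established": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = by_src[rec["src"]]
        if rec["proto"] == "UDP":
            key = "udp_messenger" if rec["dport"] in MESSENGER_UDP_PORTS else "udp_other"
        elif rec["state"] == "ESTABLISHED":
            key = "tcp_established"
        else:
            key = "tcp_syn"
        s[key] += 1
        s["first"] = rec["utc"] if s["first"] is None else min(s["first"], rec["utc"])
        s["last"] = rec["utc"] if s["last"] is None else max(s["last"], rec["utc"])

    report = {}
    for src, s in by_src.items():
        if s["tcp_established"]:
            # The remote host finished the handshake, so it received our
            # SYN-ACK: the address is real enough to hand to the police.
            verdict = "tcp-handshake-completed"
        elif s["tcp_syn"]:
            # Lone SYNs can carry a forged source; note the scan, but do
            # not treat the address as the attacker's.
            verdict = "tcp-syn-only-spoofable"
        elif s["udp_messenger"]:
            verdict = "messenger-spam-source-unverifiable"
        else:
            verdict = "udp-source-unverifiable"
        report[src] = {
            "verdict": verdict,
            "events": s["udp_messenger"] + s["udp_other"] + s["tcp_syn"] + s["tcp_established"],
            "first_utc": s["first"].isoformat(),
            "last_utc": s["last"].isoformat(),
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {info['verdict']:36} {info['events']:2} events "
              f"{info['first_utc']} .. {info['last_utc']}")
```

Only the addresses that come out as tcp-handshake-completed are worth a full packet capture and a report; the UDP popups go in the bin, and the UTC times are what you hand over, since the provider's own logs are what tie a dynamic address to a subscriber at that instant.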