If you wanted to trace an IP address because that IP Address was the source of attacks and abuse, how would you accomplish this? Is there anything one can do to find who is using a given IP address and furthermore is there anything that can be done to stop it?

Update: The destination (where the server is) is in the USA. The source indicates that it is also USA but like someone suggested, the IP Address is likely spoofed... I'm still open to further input/details...

Thanks,
Frank


If you've got a non-Windows machine, whois <ip> is your first step. This will tie the IP to a network and possibly even supply you with an 'abuse' contact, usually an email address. You can email an abuse report there. You can also try nslookup <ip> to get a domain name, and look that up on abuse.net.

If you're running Windows start with ARIN's web whois. That may lead you to another web whois service if the IP address is not located in the USA.
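As an added example (not part of the answers above), here is a small POSIX shell helper that pulls the network range and the abuse contact out of raw whois output so a report can be addressed; the two whois records it is run on here are constructed samples in the documentation address ranges, not real registry data.

```sh
#!/bin/sh
# Extract the fields an abuse report needs from whois output read on stdin.
# ARIN prints "OrgAbuseEmail:"; RIPE/APNIC/LACNIC print "abuse-mailbox:" and
# usually a "% Abuse contact for '...' is 'x@y'" remark line.

abuse_contacts() {
    awk '
        tolower($1) ~ /^(orgabuseemail|abuse-mailbox):$/ { print $2 }
        /Abuse contact for/ {
            if (match($0, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/))
                print substr($0, RSTART, RLENGTH)
        }
    ' | sort -u
}

net_range() {
    # First of NetRange (ARIN), inetnum (RIPE-style) or CIDR, value only.
    awk 'tolower($1) ~ /^(netrange|inetnum|cidr):$/ {
             sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

lookup_ip() {
    # Live lookup: needs the whois client and network access (hypothetical use).
    whois "$1" | abuse_contacts
}

# Constructed sample records (TEST-NET ranges, fictitious contacts).
SAMPLE_ARIN="NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net"

SAMPLE_RIPE="% Abuse contact for '198.51.100.0 - 198.51.100.255' is 'abuse@example.org'
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-ORG-NET
abuse-mailbox:  abuse@example.org"

# Demo run on the constructed samples; prints the range and contact for each.
for s in "$SAMPLE_ARIN" "$SAMPLE_RIPE"; do
    printf 'range:   %s\n' "$(printf '%s\n' "$s" | net_range)"
    printf 'contact: %s\n' "$(printf '%s\n' "$s" | abuse_contacts)"
done
```

Pipe real output into it with `whois 203.0.113.5 | abuse_contacts`; if the record delegates to another registry, run whois again against that registry's server.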


The ISP that owns the IP is the only group that really knows the identity of the person registered to an IP. The best info you can hope for is what you can get from dnsstuff.

If the matter is serious and you want something done about it, then your only option would be to report it to the police.

You could drop everything from that IP address in your firewall, which might help for a little while, but chances are if they are a decent cracker, they will be bouncing through proxies, and will just come in from a different angle.

If they are just probing for information, don't worry too much. Make sure your applications and OS are patched. If it is something more malicious like a DDoS attack, then there are firewalls that are able to stop them, I'm not familiar with them myself though. If they have already got in, then do a search here. I saw something a couple of days ago about how to recover from an intrusion.


Depending on the attack (DoS, certain port scans, etc.), the IP address will most likely be spoofed. And, as others have already stated, even if you do get a valid (non-spoofed) IP, most likely the end host is a compromised machine that is being used as a stepping stone/relay.

Also, never "hack-back". This is unethical, most likely illegal where you live, and doesn't help the situation in the least.

Anapologetos