Network Security Traceback Attack and React in the United States Department of Defense Network - Softcover

Machie, Edmond K.

9781466985735: Network Security Traceback Attack and React in the United States Department of Defense Network

Synopsis

Network security and how to trace back, attack and react to network vulnerabilities and threats. The concentration is on traceback techniques for attacks launched with single packets involving encrypted payloads, chaff and other obfuscation techniques. Due to the development of various tools and techniques to increase the source of network attacks, our interest will include network forensics, with the goal of identifying the specific host which launched the attack and caused denial of service (DoS). We will also include tracing an attack that would compromise the confidentiality and integrity of information on the Intelligence Community (IC) network, which includes the NIPRNET, SIPRNET, JWICS, and IC enclaves. Deliverables will be technical reports, software, demonstrations, and results of experiments, which will provide evidence and metrics. The emergence of hybrid worm attacks utilizing multiple exploits to breach security infrastructures has forced enterprises to look into solutions that can defend their critical assets against constantly shifting threats.

The synopsis may refer to a different edition of this title.

Excerpt. © Reprinted by permission. All rights reserved.

NETWORK SECURITY TRACEBACK ATTACK AND REACT IN THE UNITED STATES DEPARTMENT OF DEFENSE NETWORK

By EDMOND K. MACHIE

Trafford Publishing

Copyright © 2013 EDMOND K. MACHIE
All rights reserved.
ISBN: 978-1-4669-8573-5

Contents

Dedication ................................................ xi
Introduction .............................................. xiii
PART ONE: NETWORK SECURITY ................................ 1
CHAPTER I: NETWORK ATTACK TRACEBACK ....................... 3
CHAPTER II: SECURITY ARCHITECTURE AND ANALYSIS ............ 10
CHAPTER III: CISCO INTRUSION DETECTION SYSTEM (IDS) NETWORK MODULE FOR CISCO ACCESS ROUTERS-INTEGRATES TRADITIONAL INTRUSION DETECTION INTO THE ROUTER USING CISCO INTRUSION PREVENTION SYSTEM (IPS) SENSOR ....... 16
PART TWO: NETWORK VULNERABILITY ASSESSMENT ................ 23
CHAPTER IV: NETWORK VULNERABILITY ASSESSMENT: NETWORK SECURITY THREATS AND VULNERABILITIES ....... 25
CHAPTER V: DISTRIBUTED DENIAL OF SERVICE DETECT AND REACT IN THE UNITED STATES DEPARTMENT OF DEFENSE NETWORK ....... 31
PART THREE: SOFTWARE SECURITY AND WIRELESS NETWORKS ....... 43
CHAPTER VI: LIGHTWEIGHT MIDDLEWARE ENVIRONMENT FOR AD-HOC WIRELESS NETWORKS ....... 45
CHAPTER VII: AUDITING SOFTWARE AND TOOLS—ARCHITECTURAL AND SOURCE-LEVEL ....... 49
PART FOUR: INFORMATION SYSTEM FOR MANAGERS—LEGAL AND ETHICAL MANAGEMENT IN INFORMATION SECURITY ....... 57
CHAPTER VIII: CYBERSECURITY AND THE TRUST ISSUES IN THE ONLINE TRANSACTION ....... 59
CHAPTER IX: THE SARBANES-OXLEY ACT OF 2002—LITERATURE REVIEW ....... 64
CHAPTER X: THE SARBANES-OXLEY ACT OF 2002—SECTION 404: MANAGEMENT ASSESSMENT OF THE INTERNAL CONTROL OF ALL PUBLICLY-TRADED COMPANIES ....... 70
CHAPTER XI: SARBANES-OXLEY ACT OF 2002 .................... 79
CHAPTER XII: DATA PROTECTION LAW AND LEGISLATION IN THE UNITED STATES AND THE EUROPEAN UNION ....... 84
CHAPTER XIII: INFORMATION ASSURANCE POLICY PLANNING & ANALYSIS ....... 89
PART FIVE: SECURITY FORENSICS ............................. 97
CHAPTER XIV: COMPANIES SPECIALIZING IN COMPUTER FORENSICS: SUMMARY REPORT ....... 99
CHAPTER XV: AFFIDAVIT CRITIQUE—REVIEW OF THE HANSSEN AFFIDAVIT—CRITIQUE OF ITS CONTENT AS IT PERTAINS TO COMPUTER EVIDENCE ....... 105
PART SIX: GUIDING PRINCIPLES OF SECURITY OF WEB APPLICATION AND SAMPLE TEST QUESTIONS AND ANSWERS ....... 111
CHAPTER XVI: GUIDING PRINCIPLES OF SECURITY OF WEB APPLICATION ....... 113
CHAPTER XVII: SAMPLE TEST QUESTIONS AND ANSWERS ........... 123
Index ..................................................... 179

Excerpt

CHAPTER 1

NETWORK ATTACK TRACEBACK


I. INTRODUCTION

Network attacks on governmental, business, academic, and critical infrastructure networks are increasing in number, sophistication, and severity, and they need immediate attention. In this research, prevention, detection and reaction are the guiding principles of network security vulnerability assessment. Various aspects and processes of attacks are addressed. The investigated activities include data collection, which refers to the collection of data from multiple operating systems. Vatis states that, "Investigators also need tools to automate the collection of data files from multiple operating systems in the victims' network or the network being attacked."


II. ATTACK TRACEBACK IN A NETWORK ATTACK

The UNIX system is more complex than Windows, and knowledge of it is necessary for the digital evidence examiner. Usually UNIX is configured to print, log, and store user data (e.g. files, e-mail, passwords) on remote systems.

One of the options for tracing back an attack in the network is Mapping Network Topology. This provides a solution to automate the process of developing a map of the network quickly and accurately. It maps the victim's network during the preliminary stage of a network-attack traceback to assess the extent of the attack.

What follows are the specific network attack data recovery tools that automate the digital evidence recovery process; capturing resident memory data is also part of network attack traceback, as is analyzing excessively large media storage devices.

Michael A. Vatis described Log Analysis and Reporting as automated log file analysis and the development of graphical reporting. Furthermore, he defined Log Compilation as recognizing and importing preliminary investigation data, recognizing and importing logs across a network, reconstructing altered or damaged logs, placing log data into an organized timeline, and organizing output in a common and portable format. Vatis also presents IP Tracing and Real-Time Interception as critical for tracking cyber attackers. According to the report, in distributed denial of service (DDoS) attacks the origin and location of the attacker remain hidden. Non-technical issues, such as under-used technologies for countering attacks that rely on spoofing and a lack of record keeping by Internet Service Providers (ISPs), hamper the tracing of IP addresses. Real-time interception of digital data relies on specialized forensic solutions for retrieving, storing, and analyzing very large media storage devices compromised by network attacks.
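The log compilation tasks listed above (importing logs from several sources, placing them on one organized timeline, and exporting the result in a common, portable format) can be illustrated with a small script. What follows is an added example, hypothetical helper code that is not taken from the book or from Vatis: the log lines are constructed samples, the parser and function names are assumptions, and the syslog lines are assumed to date from 2013 and to be logged in UTC, since BSD syslog timestamps carry neither a year nor a zone.

```python
"""Compile log lines from several sources into one UTC-ordered timeline.

Hypothetical helper code (not from the book). Three constructed log
formats are parsed, timestamps are normalized to UTC, events are sorted
into a single timeline, and the result is exported as CSV and JSON lines.
"""
import csv
import io
import json
import re
from datetime import datetime, timezone

# BSD syslog timestamps carry no year; the year used here is an assumption.
ASSUMED_SYSLOG_YEAR = 2013

# Constructed sample input: two syslog lines, one web-server access log line,
# one Windows-style event line, and one truncated (damaged) line.
SAMPLE_LINES = [
    "Mar 12 08:15:02 host-a sshd[2231]: Failed password for root from 192.0.2.44 port 51022 ssh2",
    '192.0.2.44 - - [12/Mar/2013:08:16:10 +0000] "GET /admin HTTP/1.1" 401 512',
    "2013-03-12T03:15:30-05:00 HOST-B Security 4625 An account failed to log on. Source: 192.0.2.44",
    "Mar 12 08:14:57 host-a sshd[2231]: Failed password for root from 192.0.2.44 port 51020 ssh2",
    "Mar 12 08:15:0",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<host>\S+) (?P<channel>\S+) (?P<eid>\d+) (?P<msg>.*)$"
)
IPV4_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _utc(dt):
    """Render any aware datetime as an ISO 8601 UTC string (sorts lexically)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{ASSUMED_SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    dt = dt.replace(tzinfo=timezone.utc)  # assumption: host logs in UTC
    ip = re.search(r"from " + IPV4_RE, m["msg"])
    return {"ts": _utc(dt), "source": "syslog", "host": m["host"],
            "actor": ip.group(1) if ip else "", "summary": f"{m['proc']}: {m['msg']}"}


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # zone is explicit
    return {"ts": _utc(dt), "source": "web", "host": "",
            "actor": m["ip"], "summary": f"{m['req']} -> {m['status']}"}


def parse_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    dt = datetime.fromisoformat(m["ts"])  # ISO timestamp with offset
    ip = re.search(r"Source: " + IPV4_RE, m["msg"])
    return {"ts": _utc(dt), "source": "windows", "host": m["host"],
            "actor": ip.group(1) if ip else "", "summary": f"EventID {m['eid']}: {m['msg']}"}


PARSERS = [parse_syslog, parse_web, parse_windows]


def compile_timeline(lines):
    """Return (events sorted by UTC time, lines that no parser accepted)."""
    events, rejected = [], []
    for line in lines:
        for parser in PARSERS:
            event = parser(line.rstrip("\n"))
            if event:
                events.append(event)
                break
        else:
            rejected.append(line)  # damaged/unknown lines are kept for review, not dropped
    events.sort(key=lambda e: e["ts"])
    return events, rejected


FIELDS = ["ts", "source", "host", "actor", "summary"]


def to_csv(events):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


def to_jsonl(events):
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    timeline, bad = compile_timeline(SAMPLE_LINES)
    print(to_csv(timeline))
    print(f"{len(bad)} line(s) could not be parsed: {bad}")
```

Lines that fail every parser are returned separately instead of being silently discarded; surfacing them is the first step toward the "reconstructing altered or damaged logs" task, since a truncated or tampered record should be examined rather than lost. Sorting on the normalized UTC string places a Windows event logged at 03:15:30 in UTC-5 correctly between syslog entries stamped 08:15:02 and 08:16:10 UTC.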

The other important point is that data collection from multiple operating systems is necessary because computers use several different operating systems to perform different tasks. Data collection from several computers is relevant to understanding how a network was compromised. Windows operating systems dominated investigators' caseloads among the types of operating systems encountered in attack traceback.

UNIX and Linux operating systems were encountered less frequently. Mac OS (through version 9) and Mac OS X were seen the least during the last three years, but still on occasion by some investigators. Solutions that can automate the collection of data from multiple operating systems are still needed, as well as solutions to identify and report system configurations and file locations.

There is a need for tools that help analyze attack data across multiple platforms, regardless of the platform the investigator is working on. After data collection, such a tool will reduce time and let the investigator focus on analysis rather than collection.


III. DENIAL OF SERVICES IN THE NETWORK ATTACK—(DOS)

Symantec Security Response supports the view that a Denial of Service (DoS) attack is not a virus, but a method hackers use to prevent or...

"About this title" may refer to a different edition of this title.

Other popular editions of the same title

9781466985759: Network Security Traceback Attack and React in the United States Department of Defense Network

Featured edition

ISBN 10: 1466985755 ISBN 13: 9781466985759
Publisher: Trafford Publishing, 2013
Hardcover