How to find a real IP address using proxy server logs

Is it possible to find the real IP address of someone using a proxy to change his or her IP address?

Attackers often use proxy servers to hide their IP addresses from the administrators of systems they are trying to access.  Other individuals may use proxy servers as a tool to protect their own privacy.  No matter the intent, individuals hiding their identity behind a proxy server always leave some trail of digital breadcrumbs.

In the simplest situation, where an attacker uses a single proxy server to relay traffic to its final destination, the technical part of tracking the user down is easy.  You simply need to analyze the proxy server logs, find the connection request to the target server and look at the source IP address.  Unfortunately, while this is technically simple, gaining access to the proxy server logs is easier said than done.  In the best case, you’ll bump up against a company that was unwittingly running the proxy server and is eager to eradicate it quickly from its network.  In that situation, you’ll probably be redirected to their corporate lawyer, who likely won’t be eager to share information with you that could later be used as evidence that the company was negligent or even complicit in any attack launched through the proxy.  In that situation, it’s probably going to take the involvement of law enforcement and a court order to gain access to the proxy server logs, if they even exist.

In the worst case, the proxy server may actually be run by someone who is intentionally providing a privacy-enhancing service that operates under the protection of the laws of the country where the server is located.  You’re going to have a hard time getting anything in this scenario, because the proxy server is likely configured not to keep logs and, even if the logs do exist, you’ll have a hard time finding a law enforcement officer in that country who is willing to assist you.

If that’s not enough to intimidate you, many attackers use multiple proxy servers to hide their true location, so you’ll probably need to repeat this process multiple times in order to find the real IP address!

This was first published in June 2011