It's pretty well known that just because logs of an attack show a source IP address from a particular country,...
it does not necessarily mean it's possible to assign attribution to that country. Is there a more effective way to identify where an attack is coming from?
Unless you are working with law enforcement or have a specific reason, it's probably not worth the effort to determine where an attack is coming from. In any event, being able to locate an IP address location gives minimal information as to how to stop the attack other than by blocking the source IP or source network. If the attacking systems are using DHCP, proxies, compromised systems, VPNs, Amazon EC2 or any number of other methods that can allow for a change of source IP, however, blocking the source IP will be ineffective. Also, blocking based on IP or subnets requires some maintenance overtime, as IP blocks slowly change.
It may be easier to define where connections are allowed to come from -- i.e., whitelist connections -- rather than where they are not allowed to come from. This may not be possible for Web servers or services that must be available to the public, but, for internal systems that need to be Internet accessible to a limited population, defining the sources might be possible and more secure. This is not to say you shouldn’t block IPs used in attacks for the duration of an attack, but you should understand the value of blacklisting and whitelisting IPs.
If you really need to assign attribution to a country, you could look at decompiled binaries used in an attack to see if there are any clues to the language in use in comments, status messages reported by the software, logs of communications, keyboard mapping, OS version if it includes language configurations, or the time zone settings. These settings can give some information about the attacker.
Dig Deeper on Hacker Tools and Techniques: Underground Sites and Hacking Groups
Related Q&A from Nick Lewis
Conficker malware was found in a German nuclear power plant computer system. Expert Nick Lewis explains the possible impact of malware infections of ...continue reading
OneSoftPerDay, an adware program can install backdoors on PCs, is able to avoid detection from antimalware tools. Expert Nick Lewis explains how to ...continue reading
The hot-patching feature in Windows servers is vulnerable to attacks from APT groups. Expert Nick Lewis explains what hot patching is and how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.