It's pretty well known that just because logs of an attack show a source IP address from a particular country,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
it does not necessarily mean it's possible to assign attribution to that country. Is there a more effective way to identify where an attack is coming from?
Unless you are working with law enforcement or have a specific reason, it's probably not worth the effort to determine where an attack is coming from. In any event, being able to locate an IP address location gives minimal information as to how to stop the attack other than by blocking the source IP or source network. If the attacking systems are using DHCP, proxies, compromised systems, VPNs, Amazon EC2 or any number of other methods that can allow for a change of source IP, however, blocking the source IP will be ineffective. Also, blocking based on IP or subnets requires some maintenance overtime, as IP blocks slowly change.
It may be easier to define where connections are allowed to come from -- i.e., whitelist connections -- rather than where they are not allowed to come from. This may not be possible for Web servers or services that must be available to the public, but, for internal systems that need to be Internet accessible to a limited population, defining the sources might be possible and more secure. This is not to say you shouldn’t block IPs used in attacks for the duration of an attack, but you should understand the value of blacklisting and whitelisting IPs.
If you really need to assign attribution to a country, you could look at decompiled binaries used in an attack to see if there are any clues to the language in use in comments, status messages reported by the software, logs of communications, keyboard mapping, OS version if it includes language configurations, or the time zone settings. These settings can give some information about the attacker.
Dig Deeper on Hacker Tools and Techniques: Underground Sites and Hacking Groups
Related Q&A from Nick Lewis
A recent version of the iSpy keylogger has the ability to steal passwords and record Skype chats. Expert Nick Lewis explains how it works and how to ...continue reading
IoT botnet DDoS attacks have been growing in volume and impact. Expert Nick Lewis explains how you can ensure your internet-connected devices are ...continue reading
A new type of macro malware has the ability to evade the detection of virtual machines and sandbox environments. Expert Nick Lewis explains how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.