It's pretty well known that just because logs of an attack show a source IP address from a particular country,...
it does not necessarily mean it's possible to assign attribution to that country. Is there a more effective way to identify where an attack is coming from?
Unless you are working with law enforcement or have a specific reason, it's probably not worth the effort to determine where an attack is coming from. In any event, being able to locate an IP address location gives minimal information as to how to stop the attack other than by blocking the source IP or source network. If the attacking systems are using DHCP, proxies, compromised systems, VPNs, Amazon EC2 or any number of other methods that can allow for a change of source IP, however, blocking the source IP will be ineffective. Also, blocking based on IP or subnets requires some maintenance overtime, as IP blocks slowly change.
It may be easier to define where connections are allowed to come from -- i.e., whitelist connections -- rather than where they are not allowed to come from. This may not be possible for Web servers or services that must be available to the public, but, for internal systems that need to be Internet accessible to a limited population, defining the sources might be possible and more secure. This is not to say you shouldn’t block IPs used in attacks for the duration of an attack, but you should understand the value of blacklisting and whitelisting IPs.
If you really need to assign attribution to a country, you could look at decompiled binaries used in an attack to see if there are any clues to the language in use in comments, status messages reported by the software, logs of communications, keyboard mapping, OS version if it includes language configurations, or the time zone settings. These settings can give some information about the attacker.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.