Hosting Provided By

RPAT - Realtime Proxy Abuse Triangulation

From: Stephen Friedl <steve(at)unixwiz.net>
Date: Fri Dec 20 2002 - 11:17:15 EST

Hello list,

This isn't exactly an "incident", but it was suggested that I post this here.

I've developed a technique for tracking down abusers of rotating proxy servers:

http://www.unixwiz.net/rpat/

The short description: when an "attack" is observed, query the source via SNMP and suck down the netstat table to see who's talking to the proxy. Over time and enough different sources, one can "triangulate" back to the abuser.

There are plenty of caveats, but I believe the technique is original. The writeup includes the perl source code.

Happy holidays, all.

Do you need help?

Steve

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Dec 20 13:41:19 2002

This message: [ Message body ]
Next message: Gordon Chamberlin: "hpd, afb, sc, and sn"
Previous message: Kyle Lai: "Re: Worm on 445/tcp?"
Next in thread: Kurt Seifried: "Re: RPAT - Realtime Proxy Abuse Triangulation"
Reply: Kurt Seifried: "Re: RPAT - Realtime Proxy Abuse Triangulation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT