RPAT - Realtime Proxy Abuse Triangulation
From: Stephen Friedl (steve@unixwiz.net)
Date: 12/20/02
Date: Fri, 20 Dec 2002 08:17:15 -0800
From: Stephen Friedl <steve@unixwiz.net>
To: incidents@securityfocus.com
Hello list,
This isn't exactly an "incident", but it was suggested that I post this here.
I've developed a technique for tracking down abusers of rotating proxy
servers:
RPAT - Realtime Proxy Abuse Triangulation
The short description: when an "attack" is observed, query the source
via SNMP and suck down the netstat table to see who's talking to the
proxy. Over time and enough different sources, one can "triangulate"
back to the abuser.
There are plenty of caveats, but I believe the technique is original.
The writeup includes the perl source code.
Happy holidays, all.
Steve
---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve@unixwiz.net
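
The triangulation step described in the message, as an added example that is not part of the original post and is not the Perl code from the writeup: it parses saved `snmpwalk` output of the standard TCP-MIB `tcpConnTable` from several proxies and ranks client addresses by how many proxies they were connected to. The proxy listening ports, all addresses and the sample walks are constructed assumptions.

```python
import re
from collections import defaultdict

# TCP-MIB tcpConnState column; index = localAddr(4).localPort.remAddr(4).remPort
STATE_COL = "1.3.6.1.2.1.6.13.1.1."
ESTABLISHED = 5
LINE = re.compile(r"^(\S+) = INTEGER: (?:\w+\()?(\d+)\)?$")
PROXY_PORTS = frozenset({1080, 3128, 8080})  # assumed listening ports

def parse_walk(text, ports=PROXY_PORTS):
    """Remote IPs holding an established connection to a proxy port."""
    peers = set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(1).lstrip(".").startswith(STATE_COL):
            continue
        idx = m.group(1).lstrip(".")[len(STATE_COL):].split(".")
        if len(idx) != 10 or int(m.group(2)) != ESTABLISHED:
            continue
        # Inbound only: the proxy's outbound connections use an ephemeral local port.
        if int(idx[4]) in ports:
            peers.add(".".join(idx[5:9]))
    return peers

def triangulate(snapshots, ports=PROXY_PORTS):
    """snapshots: {proxy_ip: walk text}. Returns [(client_ip, proxies_seen)]."""
    seen = defaultdict(set)
    for proxy, text in snapshots.items():
        for peer in parse_walk(text, ports):
            seen[peer].add(proxy)
    ranked = [(ip, len(p)) for ip, p in seen.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

def _row(local, lport, rem, rport, state):  # builds one constructed walk line
    return f".{STATE_COL}{local}.{lport}.{rem}.{rport} = INTEGER: {state}"

# Constructed sample walks (documentation address ranges), one per proxy.
SAMPLE = {
    "192.0.2.10": "\n".join([
        _row("192.0.2.10", 8080, "203.0.113.99", 41001, "established(5)"),
        _row("192.0.2.10", 8080, "198.51.100.7", 50211, "established(5)"),
        _row("192.0.2.10", 33012, "192.0.2.200", 25, "established(5)")]),
    "198.51.100.20": "\n".join([
        _row("198.51.100.20", 3128, "203.0.113.99", 41377, "5"),
        _row("198.51.100.20", 3128, "198.51.100.8", 60122, "timeWait(11)")]),
    "203.0.113.30": "\n".join([
        _row("203.0.113.30", 1080, "203.0.113.99", 41542, "established(5)"),
        _row("203.0.113.30", 1080, "198.51.100.7", 50390, "established(5)")]),
}
```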