topic tool to check agressors ip addresses ? in Network Security

tool to check agressors ip addresses ?

hobbe — Mon, 11 Mar 2019 23:41:06 GMT

Hi all

Do anyone of you know of a tool that can accept a list of ip-addresses and spit out their origin.

Background

I have a list of addresses that have scanned and attacked a target over night.

I wish to show what good use we have of our firewalls and wants to show my boss what great job they are doing so he can in his turn show the bosses over him what great job we are doing and make it easier for him to ask for more money for more security hardware and education and stuff.

For that paper I would like to show from where the attacks origin.

Preferably what country but I would settle for continent if need be.

Today I do about 100 of the attacking ip addresses over a month and check them via whois and then give an aproximation, but this is quite booring work and I realise that there must be someway to do this automagically and to save time and money

so what software can I use to make this happen every day ?

(for this example I use a 10. network but in reality this would be realworld ip adresses)

10.1.1.1

10.2.2.2

10.3.3.3

10.4.4.4

10.5.5.5

10.6.6.6

10.7.7.7

10.8.8.8

10.9.9.9

Or how do you out here do this ?

Regards

Hobbe

tool to check agressors ip addresses ?

Marvin Rhoads — Sat, 11 Aug 2012 17:53:44 GMT

Give this site a try: http://www.ipligence.com/iplocation

You can buy a subscription-based service if you want to do more than the 50 free queries per day allowed.

tool to check agressors ip addresses ?

hobbe — Sat, 11 Aug 2012 19:07:25 GMT

Very nice tools, something like the bulk ip address location might be what I am looking for.

Thank you veru much for the tip ! I will check it out further to se if that might be the one thing I am looking for.

Are there any other tools that anyone else knows of ?

Regards Hobbe

tool to check agressors ip addresses ?

Ramraj Sivagnanam Sivajanam — Sun, 12 Aug 2012 02:08:14 GMT

Hi Bro

This is just my 2 cents worth of comment. If you ask me, i would rather not purchase these tools and instead turn on the security features in the Cisco ASA e.g. threat detection.

The reason I say this is because even if you know where the origin of the attack came from, that information is useless simply because most of the time, if not all the time, these IP addresses are spoofed.

I would rather focus my attention on securing my network with features available by Cisco, and show to the top management the number of network attacks detected and countered upon, than to show a nice graph which sometime really means nothing.

Over to you bro 🙂

P/S: If you think this comment is useful, please do rate them nicely 🙂

tool to check agressors ip addresses ?

hobbe — Sun, 12 Aug 2012 10:06:02 GMT

I already have the threat detection up and running, and IDS.

But it is not good enough.

So I have setup my own early warning system by just adding addresses and ports that is not in use and thus created sort of a honeypot/net or tripwire via deny access-lists and statics going to addresses not in use. Anyone trying to connect to the addresses or ports works like a tripwire so we know they are not a legitimate visitor.

and by logging those addresses and ports I can set filters and directly see when something hits those ports.

it also gives good statistics on what ports they are trying to access.

When it comes to spoofing ip addresses I can tell you that we see that most of the time they are actually not spoofed.

but many times they are hosts taken over and used for scanning. However sometimes we can se that the agressor is trying to hide itself via using several spoofed addresses when they scan, to make it difficult to say wich one was scanning, but that is quite rare. Simply because they do not need to do that since they are scanning from a victim address ie not something that will lead me to them. Since I get a early heads up I can automatically track them during their scans.

If Cisco would setup a "honeypot" feature in the ASA I think that would give a load of information to help out the admins.

fx a honeypot ssh deamon that can give information on who is trying to access and what accounts and passwords encryption keys and so on so that the admins can know what the attackers are up to.

So I do see your point but I respectfully disagree.

That said it is a good and valid point to make.