Cyber-Smears & Cyber-Attacks: Protecting Your Company Basic Online Investigation Techniques

By Tom Donovan

Back to main article

Exhibit 4

Introduction

Where in the world is that Internet site located? Who is responsible for that site?

These are the most frequently asked questions when your company is presented with a cyber-smear or cyber-attack. Dealing with Internet cases can be frustrating and time consuming, as technical issues and determining jurisdiction can always delay a decision on whether a case can or should be pursued. The purpose of this document is to allow you and your in-house personnel to take control without spending precious dollars on Internet specialists until you really need to. Below you will find an introduction to Internet terminologies and online tools that will aid you during the course of your investigation.

Internet Basics

Introduction to IP Addressing

An Internet Protocol (IP) address is a set of numbers assigned to a user, or a website, creating a physical presence on the Internet usually in the form of a dotted quad:

Some of Microsoft.com’s IP Addresses are:

207.46.249.190
207.46.249.222
207.46.249.27
207.46.134.155
207.46.134.190
207.46.134.222

Everyone with a presence on the Internet has an IP address assigned to them since a location must be established on where information will be sent to or received from. Thus, all websites have an IP address assigned to them which gives them presence on the Internet and allows the user to retrieve (view) the data that is on that site.

Think of an IP address as your home mailing address, where you need an address for your house in order to receive packages. Without an IP address, no one can find you and the user can retrieve the data on your website.

A domain (www.something.com) can have more than one IP address, however this is dependent on how much traffic the domain receives and if a request is made by the owner to the ISP hosting the site for several IP addresses.

Thus, it is critical that you know the IP address of any website that you want to investigate.

Tools To Aid In Your Investigation

• NSLOOKUP or Name Server lookup is a very handy tool used in determining an IP address of a domain. One of Microsoft.com's IP addresses is 207.46.249.190, but we would never know it without NSLOOKUP. The reason why domain names exist is because we would never be able to remember all the various IP addresses that exist on the Internet, as humans have a hard time remembering more than 7 digits.
  
  To perform a NSLOOKUP, simply use the NSLOOKUP tool highlighted below and enter the domain name in question. http://network-tools.com/nslook/ ---- For query type, choose A -Address
• Reverse NSLOOKUP: Reverse NSLOOKUP is utilized on an IP address instead of a domain name, to reveal the identity of an IP address in question. For example, performing a NSLOOKUP on 207.46.249.191 reveals the domain name of Microsoft.com. Note that this only works if a domain name is assigned to that IP address, as quite a few websites utilize IP addresses only.
  
  To perform a Reverse NSLOOKUP, simply use the NSLOOKUP tool highlighted below and enter the IP address in question. http://www.webmaster-toolkit.com/ns-lookup.shtml
• Traceroute: Traceroute is used to verify what part of the country or world a person or server is in. It is also used to determine the latency of a website.
  
  To perform a traceroute, simply use the traceroute tool highlighted below and enter the domain name or IP address in question. http://www.visualware.com/visualroute/livedemo.html
• Ping: The most generic command of an investigation, the ping command is used to verify if an IP address or a website is still alive.
  
  To perform a ping, simply use the Ping tool highlighted below and enter the domain name or IP address in question. http://www.webmaster-toolkit.com/ping.shtml
• WHOIS: WHOIS will tell you who is the registered owner of a site in question and the ISP that is hosting the site. The WHOIS utility is not really an accurate reflection of the registrant information on file, as anyone can falsify or change their WHOIS record after the domain is registered.
  
  To perform a WHOIS, simply use the WHOIS tool highlighted below and enter the domain name in question. http://www.internic.net/whois.html

WHOIS Accuracy:

Falsified or inaccurate WHOIS information is a common problem that you may be able to overcome.

The Internet Coalition for the Assignment of Names and Numbers (ICANN) has a policy that WhoIs data must be accurate. Once notified of the false/inaccurate information, the owner of the registered domain will often require the registrant to provide accurate WhoIs information or face deletion of the domain. A deleted domain means that site will no longer be accessible on the Internet via its domain name. Note that registrars will have different interpretations on the policy.

Section 3.7.8 states:

3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

http://www.icann.org/registrars/ra-agreement-17may01.htm

Regional Internet Registries

IP address space is distributed in a hierarchical way. IANA (Internet Assigned Numbers Authority IANA.org) allocates blocks of IP address space to Regional Internet Registries (RIRs). RIRs allocate blocks of IP address space to local Internet registries that assign the addresses to end users.

A frequently asked question concerning IP addresses: “What if I do not have a domain name, but just an IP address, and I have already performed a traceroute and such, but I still do not know where the server is located?”

Well, a good place to start is by visiting the ARIN (American Registry for Internet Numbers, Region: North America, Africa south of the equator, and portions of the Caribbean) website at www.arin.net. Next, perform a WHOIS on the ARIN database before performing a traceroute, as traceroutes can be hampered by firewalls. Performing a WHOIS on this database will tell you who owns or is subletting an IP block, thus giving you the location and jurisdiction of the server in question.

Utilizing the ARIN database is rather easy, as explained in the example below:

For this experiment, we will use one of Microsoft.com’s IP addresses as an example:

First we will perform an NSLOOKUP to reveal Microsoft.com’s IP address:

207.46.249.190

Then we take the IP address of 207.46.249.190 and plug it into the SEARCH WHOIS box on the http://www.arin.net homepage (see screenshot below):

We then click on SEARCH WHOIS and get the following results:

The detailed output from the ARIN WHOIS reveals the following:

Search results for: 207.46.249.190,

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate: 1997-03-31
Updated: 2002-12-05

TechHandle: ZM39-ARIN
TechName: Microsoft
TechPhone: +1-425-936-4200
TechEmail: noc@microsoft.com

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc@microsoft.com

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com

# ARIN WHOIS database, last updated 2003-07-29 09:24
# Enter ? for additional hints on searching ARIN's WHOIS database.

From this detailed report, we can surmise that this IP address originates in the United States, in Redmond, Washington. We also can state that any IP address that falls under the following range of 207.46.0.0 - 207.46.255.255 belongs to Microsoft Corporation. We also have the contact information, as in this case, an email address and telephone number.

Another frequently asked question concerning the ARIN database would be:

“What if I don’t know that the IP address I have is American based, which RIR would I choose?”

It doesn’t matter, as all of these databases are connected to one another. Let’s say the IP address that you have originates in Russia, but you were unaware of this. All you would need to do is start with ARIN, plug in the IP address information, and ARIN would link you to the correct registry, which in this case would be RIPE, which would then yield you the correct record for the IP address in question.

Other RIR's

• LACNIC - Latin American and Caribbean Internet Addresses Registry
  Region: Latin America and portions of the Caribbean
  www.lacnic.net
• APNIC - Asia Pacific Network Information Centre
  Region: Asia and Pacific region
  www.apnic.net
• RIPE - Réseaux IP Européens
  Region: Europe, Parts of Asia, Africa north of the equator, and the Middle East
  www.ripe.net

Exercises

Exercise #1: Using the tools, outlined below, perform a PING, NSLOOKUP, Reverse NSLOOKUP, TRACEROUTE, and WHOIS on Microsoft.com.

Ping
http://www.webmaster-toolkit.com/ping.shtml.

NSLOOKUP:

Reverse NSLOOKUP:
http://www.webmaster-toolkit.com/ns-lookup.shtml

Traceroute:
Visual Traceroute with a geographical map:
http://www.visualware.com/visualroute/livedemo.php

Whois
http://www.internic.net/whois.php

Exercise #2: Using the knowledge that you have attained from the previous exercise, please use the ARIN database to perform a WHOIS search on the IP address for Hotmail.com.