Gold

Tool to check aggressors' IP addresses?

Hi all

Does anyone of you know of a tool that can accept a list of IP addresses and spit out their origin?

Background

I have a list of addresses that have scanned and attacked a target over night.

I wish to show what good use we have of our firewalls and want to show my boss what a great job they are doing, so he in his turn can show the bosses above him what a great job we are doing and make it easier for him to ask for more money for more security hardware, education and so on.

For that paper I would like to show where the attacks originate from.

Preferably what country but I would settle for continent if need be.

Today I take about 100 of the attacking IP addresses over a month, check them via whois and then give an approximation, but this is quite boring work and I realise that there must be some way to do this automagically and save time and money.

So what software can I use to make this happen every day?

i.e.

(for this example I use a 10. network, but in reality these would be real-world IP addresses)

10.1.1.1
10.2.2.2
10.3.3.3
10.4.4.4
10.5.5.5
10.6.6.6
10.7.7.7
10.8.8.8
10.9.9.9

Or how do you out here do this?

Regards

Hobbe

4 REPLIES
Hall of Fame Super Silver

Tool to check aggressors' IP addresses?

Give this site a try: http://www.ipligence.com/iplocation

You can buy a subscription-based service if you want to do more than the 50 free queries per day allowed.

Gold

Tool to check aggressors' IP addresses?

Very nice tools; something like the bulk IP address location might be what I am looking for.

Thank you very much for the tip! I will check it out further to see if that might be the one thing I am looking for.

Are there any other tools that anyone else knows of?

Regards Hobbe

Tool to check aggressors' IP addresses?

Hi Bro

This is just my 2 cents' worth of comment. If you ask me, I would rather not purchase these tools and instead turn on the security features in the Cisco ASA, e.g. threat detection.

The reason I say this is because even if you know where the origin of the attack came from, that information is useless simply because most of the time, if not all the time, these IP addresses are spoofed.

I would rather focus my attention on securing my network with features available from Cisco, and show top management the number of network attacks detected and countered, than show a nice graph which sometimes really means nothing.

Over to you bro :-)

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
Gold

Tool to check aggressors' IP addresses?

Hi

I already have threat detection up and running, and IDS.

But it is not good enough.

So I have set up my own early warning system by just adding addresses and ports that are not in use, and thus created a sort of honeypot/net or tripwire via deny access-lists and statics pointing to addresses not in use. Anyone trying to connect to those addresses or ports trips the wire, so we know they are not a legitimate visitor.

And by logging those addresses and ports I can set filters and directly see when something hits those ports.

It also gives good statistics on what ports they are trying to access.

When it comes to spoofing IP addresses, I can tell you that we see that most of the time they are actually not spoofed.

But many times they are hosts that have been taken over and used for scanning. However, sometimes we can see that the aggressor is trying to hide by using several spoofed addresses when they scan, to make it difficult to say which one was scanning, but that is quite rare, simply because they do not need to do that since they are scanning from a victim address, i.e. not something that will lead me to them. Since I get an early heads-up I can automatically track them during their scans.

If Cisco would setup a "honeypot" feature in the ASA I think that would give a load of information to help out the admins.

E.g. a honeypot SSH daemon that can give information on who is trying to access and what accounts, passwords, encryption keys and so on, so that the admins can know what the attackers are up to.

So I do see your point but I respectfully disagree.

That said it is a good and valid point to make.
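To tie the original question (bulk IP-to-country lookup) to Hobbe's tripwire approach, here is an added example that is not code from this thread or from Cisco. It parses ASA syslog "Deny" messages (message ID 106023) for hits on unused tripwire addresses, then summarizes hits per source, per destination port, and unique sources per country. The log lines, the tripwire range 192.0.2.200/30 and the GEO_TABLE are constructed for the example; the table is a stand-in for whatever bulk lookup service or local GeoIP database you end up using.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of Cisco ASA syslog deny messages (ID 106023) plus one
# unrelated "Built connection" line, to show the parser ignoring noise.
# 192.0.2.200-203 are the unused tripwire addresses; 192.0.2.10 is a real host.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.0.2.200/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:192.0.2.201/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40001 dst inside:192.0.2.200/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40002 dst inside:192.0.2.202/445 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.9/5060 dst inside:192.0.2.203/5060 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:192.0.2.10/443 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.50/43210 (203.0.113.50/43210) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

# Tripwire: addresses that are deliberately unused, so any hit is unsolicited.
TRIPWIRE = [ipaddress.ip_network("192.0.2.200/30")]

# Constructed stand-in for a GeoIP database (assumption: real data would come
# from a bulk lookup service or a local GeoIP database, not this list).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Country A"),
    (ipaddress.ip_network("198.51.100.0/24"), "Country B"),
]

# Fields of interest in an ASA 106023 message: protocol, source IP/port, dest IP/port.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def lookup_country(ip):
    """Map an IP to a country using the (constructed) GEO_TABLE."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "unknown"


def is_tripwire(ip):
    """True when the destination is one of the unused tripwire addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRIPWIRE)


def parse_tripwire_hits(log_text):
    """Return one dict per deny message whose destination is a tripwire address."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or not is_tripwire(m["dst"]):
            continue  # not a deny, or a deny on a real host: not a tripwire event
        hits.append({"src": m["src"], "proto": m["proto"], "dport": int(m["dport"])})
    return hits


def summarize(hits):
    """Aggregate hits per source, per (proto, port), and unique sources per country."""
    by_src = Counter(h["src"] for h in hits)
    by_port = Counter((h["proto"], h["dport"]) for h in hits)
    sources_by_country = Counter(lookup_country(src) for src in by_src)
    return {"by_src": by_src, "by_port": by_port, "sources_by_country": sources_by_country}


if __name__ == "__main__":
    report = summarize(parse_tripwire_hits(SAMPLE_LOG))
    print("Hits per source:", dict(report["by_src"]))
    print("Hits per port:", dict(report["by_port"]))
    print("Unique sources per country:", dict(report["sources_by_country"]))
```

Pointing the script at a day's worth of exported ASA syslog gives the per-country and per-port figures the original post wanted for its report; because only tripwire destinations are counted, legitimate traffic denied by other ACL entries never inflates the numbers.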
