Hunting for hackers - Google fraud style

A lot of people on the internet are aware of the Google AdSense fraud algorithms.
But few people are aware that the algorithms that help Google track down fraudsters are also very useful for hunting the careful and thorough hacker.

Here is the logic that applies both to hunting hackers and hunting fraudsters:

  1. The attacker will make repeated attempts
  2. The attacker has finite and limited resources at his disposal
  3. The attacker is geographically relatively fixed
  4. The attacker will try to be connected for as little time as possible

Naturally, both you and Google need a good database of events to analyze. Google has its web server logs; you will have to build a collective log of firewalls, servers and routers to be on par. Of course, the first question is: what data to collect?

Here is what Google can analyze when hunting AdSense fraudsters:
  • Referrer URL of the visitor who clicked on an ad
  • IP address of the visitor who clicked on an ad
  • Autonomous System (provider) of the visitor who clicked on an ad
  • Browser and OS version of the visitor who clicked on an ad
  • Time of visit of the visitor who clicked on an ad
  • Length of visit of the visitor who clicked on an ad
  • URL of the site visited by the visitor who clicked on an ad
  • Site content variation - to hunt for content copy sites
  • Available cookies on a Google site

Following the same approach, here is what you can analyze when hunting for hackers:
  • IP address of connecting machine
  • Autonomous System (provider) of connecting machine
  • Destination service/port
  • Time of session (for TCP connections)
  • Length of session (for TCP connections)

With this information, you can write a program to analyze the following:
  • Match nonstandard port attempts from the same Autonomous System within a given interval (say 1 week)
  • Within the Autonomous System, find all connections from the same IP address or the same pool (class C network)
  • Look for very short sessions from the same AS and/or pools
  • Look for variations of destination ports and protocols from the same class C pool
Any match of over 3 events within a week should alert a human security officer to conduct a more detailed analysis.
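As an added example (not code from the original post), here is a small Python correlator that implements the four checks above over the firewall fields listed earlier: source IP, Autonomous System, destination port, session time and session length. The log lines, the IP-prefix-to-AS table and the set of "standard" ports the site is assumed to offer are all constructed for the example; in practice the AS would come from a whois or routing-table lookup. The sliding 7-day window and the "over 3 events" threshold follow the post.

```python
"""Correlate firewall connection events by AS and /24 ("class C") pool."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample firewall log (not real traffic):
# timestamp  source-IP  destination-port  session-length-seconds
SAMPLE_LOG = """\
2010-03-01T02:14:07 198.51.100.17 22 2
2010-03-01T02:14:31 198.51.100.17 3389 1
2010-03-02T23:40:12 198.51.100.44 8080 3
2010-03-04T01:05:55 198.51.100.17 5900 2
2010-03-05T11:20:00 203.0.113.9 80 340
2010-03-06T09:00:00 203.0.113.9 443 120
2010-03-20T04:00:00 198.51.100.17 22 1
"""

# Constructed prefix -> AS table; stands in for a real whois/BGP lookup (assumption).
AS_TABLE = {
    "198.51.100.0/24": "AS64500",
    "203.0.113.0/24": "AS64501",
}

# Ports the site publicly offers (assumption); anything else is "nonstandard".
STANDARD_PORTS = {25, 80, 443}
WINDOW = timedelta(days=7)      # "within given interval (say 1 week)"
SHORT_SESSION = 5               # seconds; "very short sessions"
ALERT_THRESHOLD = 3             # "over 3 events within a week"


def lookup_as(ip):
    """Map a source IP to its Autonomous System via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in AS_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return "AS-UNKNOWN"


def pool(ip):
    """The 'class C' pool: the /24 network the address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def parse_log(text):
    """Turn log lines into event dicts enriched with AS and pool."""
    events = []
    for line in text.splitlines():
        ts, ip, port, length = line.split()
        events.append({
            "time": datetime.fromisoformat(ts), "ip": ip,
            "port": int(port), "length": int(length),
            "as": lookup_as(ip), "pool": pool(ip),
        })
    return events


def bursts(events, key, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Group events by key; report groups with more than `threshold`
    events inside any sliding window of length `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    hits = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        best, j = 0, 0
        for i in range(len(evs)):
            while evs[i]["time"] - evs[j]["time"] > window:
                j += 1               # drop events older than the window
            best = max(best, i - j + 1)
        if best > threshold:
            hits[k] = best
    return hits


def port_variation(events, threshold=ALERT_THRESHOLD):
    """Pools that touched more than `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        ports[e["pool"]].add(e["port"])
    return {p: s for p, s in ports.items() if len(s) > threshold}


def run_checks(events):
    """The four analyses from the post, each keyed as the text describes."""
    nonstd = [e for e in events if e["port"] not in STANDARD_PORTS]
    short = [e for e in events if e["length"] <= SHORT_SESSION]
    return {
        "nonstandard_ports_by_as": bursts(nonstd, lambda e: e["as"]),
        "same_ip_in_as": bursts(events, lambda e: (e["as"], e["ip"])),
        "same_pool_in_as": bursts(events, lambda e: (e["as"], e["pool"])),
        "short_sessions_by_pool": bursts(short, lambda e: e["pool"]),
        "port_variation_by_pool": port_variation(events),
    }


if __name__ == "__main__":
    for check, hits in run_checks(parse_log(SAMPLE_LOG)).items():
        print(f"{check}: {hits or 'no alert'}")
```

On the constructed log, AS64500 produces four nonstandard-port attempts and four very short sessions inside one week from the same /24, and that pool touches four distinct ports, so three of the checks raise an alert for a human to review; the same-IP check stays quiet because no single address exceeds three events in any 7-day window, which is exactly why the post correlates at the AS and pool level rather than on single IPs.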

Talkback and comments are most welcome

Related posts
Portrait of Hackers

13 comments:

Devaraj said...

Nice post. Tracing the hacker will definitely be useful for us for our service. Thanks a lot.

Security Services

Maria0Maria said...

I learned from this post. It was amazing how much information is collected by Google to detect fraudulent activity...

Bozidar Spirovski said...

Actually, all that information is simply contained within the logs of the web servers. So any provider only has to properly analyze them.

your "Health Assistant" said...

Happy Healthy Holidays to you and your family!!!

ish

Yoko said...

Dude.. I like your post. Informative! Thanks and keep on posting!

Maricrism said...

This is awesome! I learned many things from your post. I will also share with my friends what you posted. Thanks

abby villa said...

Very, very interesting read. Thanks for adding me as one of your friends.

Anonymous said...

Use of VPN services makes tracking via IP address impossible.

Using premium VPN services which allow you to pick a country and have thousands of IP addresses at their disposal means that tracking via IP will not work either.
