Using system fingerprints to track attackers.
Talk at B-Sides SF 2014 by Lance Cottrell
Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.
Because most attackers are smart enough not to use their own home IP address
When you look at any attacker activity, you can see the immediate source.
That source is likely a relay or innocent compromised bystander
You identify the visible attacker
Then track who connected there
then who connected there, and who …
Imagine what you could do if you knew with certainty which of your visitors was doing so anonymously.
Even better, what if you could actually identify them?
There are a number of tools attackers will use to hide their identity
The question is, how can you identify and recognize the people using these tools?
Overtly Anonymous activity
Addresses of public privacy services are easily discovered.
If the machine visiting you has server characteristics, or open proxy or VPN ports, it is almost certainly a relay.
Easy to see that an IP address is in a data center rather than a consumer range: likely a relay.
Addresses in bulletproof hosting ranges are even more likely to be dubious.
The speed of light and causality are unavoidable. Using relays adds hops, and the extra latency is measurable.
A VM hosted on the relay is harder to detect.
A mismatch between the network that resolves your hostname and the network that connects to you indicates an effort to hide.
Use wildcard DNS and unique dynamic hostnames to detect this: every visitor gets a one-time name, so each DNS lookup can be tied to the connection that followed it.
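Added example of the DNS-mismatch check above; this is illustration code, not the speaker's tooling. It assumes you control the authoritative server for a wildcard zone (probe.example.com here) and can read its query log next to the web server's access log; the log lines, IP addresses and the IP-to-ASN table are constructed for the example. A "mismatch" means the one-time name was resolved from a different network than the HTTP request came from, which is what a proxy or VPN that does not carry the user's DNS looks like, and the resolver's network is then the user's likely real one. Lookups from shared public resolvers are set aside as inconclusive, and a "consistent" result does not prove direct access: DNS carried through the same tunnel looks consistent too.

```python
import re

# Constructed sample logs (not from the talk). Each visitor's page embeds an
# image at <token>.probe.example.com, where *.probe.example.com is a wildcard
# record and we run the authoritative name server, so we see which resolver
# looks up each one-time token and which client then fetches it.
DNS_LOG = """\
2014-04-20T10:00:01Z 203.0.113.7 a1b2c3.probe.example.com
2014-04-20T10:00:05Z 198.51.100.9 d4e5f6.probe.example.com
2014-04-20T10:00:09Z 8.8.8.8 778899.probe.example.com
2014-04-20T10:00:12Z 192.0.2.44 aabbcc.probe.example.com
"""

HTTP_LOG = """\
2014-04-20T10:00:02Z 203.0.113.50 a1b2c3.probe.example.com /px.gif
2014-04-20T10:00:06Z 192.0.2.44 d4e5f6.probe.example.com /px.gif
2014-04-20T10:00:10Z 192.0.2.44 778899.probe.example.com /px.gif
2014-04-20T10:00:13Z 192.0.2.44 aabbcc.probe.example.com /px.gif
"""

# Stand-in for a real IP -> (ASN, country) database; values are made up.
NETINFO = {
    "203.0.113.7":  ("AS64501", "US"),   # consumer ISP's resolver
    "203.0.113.50": ("AS64501", "US"),   # customer of that ISP
    "198.51.100.9": ("AS64502", "DE"),   # another ISP's resolver
    "192.0.2.44":   ("AS64503", "NL"),   # VPN exit in a data centre
    "8.8.8.8":      ("AS15169", "US"),   # Google Public DNS
}

# Lookups from shared public resolvers say nothing about the user's network.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

DNS_RE = re.compile(r"^(\S+) (\S+) ([0-9a-f]+)\.probe\.example\.com\.?$")
HTTP_RE = re.compile(r"^(\S+) (\S+) ([0-9a-f]+)\.probe\.example\.com (\S+)$")


def index_by_token(log, pattern):
    """Map token -> list of source IPs seen for it, in log order."""
    seen = {}
    for line in log.splitlines():
        m = pattern.match(line.strip())
        if m:
            seen.setdefault(m.group(3), []).append(m.group(2))
    return seen


def classify(dns_log=DNS_LOG, http_log=HTTP_LOG, netinfo=NETINFO):
    """For each token fetched over HTTP, compare the AS of the resolver that
    looked it up with the AS of the HTTP client.

    Returns token -> (verdict, detail). On 'mismatch' the detail names the
    resolver and its network, i.e. where the user's DNS really comes from.
    """
    dns = index_by_token(dns_log, DNS_RE)
    http = index_by_token(http_log, HTTP_RE)
    verdicts = {}
    for token, clients in http.items():
        client = clients[0]
        resolvers = dns.get(token)
        if not resolvers:
            verdicts[token] = ("no-dns", None)   # fetched without our zone being asked
            continue
        resolver = resolvers[0]
        if resolver in PUBLIC_RESOLVERS:
            verdicts[token] = ("public-resolver", resolver)
            continue
        c_asn = netinfo.get(client, (None, None))[0]
        r_asn, r_cc = netinfo.get(resolver, (None, None))
        if c_asn is not None and c_asn == r_asn:
            verdicts[token] = ("consistent", None)
        else:
            verdicts[token] = ("mismatch", (resolver, r_asn, r_cc))
    return verdicts


if __name__ == "__main__":
    for token, (verdict, detail) in classify().items():
        print(token, verdict, detail or "")
```

The comparison is done at the ASN level rather than on exact IPs because a direct user's ISP resolver and the user's own address normally differ but share an AS.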
Now let's move from recognizing that someone is being anonymous to trying to identify who they actually are.
Often only the browser is hidden.
Side doors may exit more directly.
Flash, ActiveX, media players, apps.
Human error is your best friend.
Few, if any, have the needed discipline.
Conventional Cookies / Super cookies / flash cookies. Yours and others.
Browser history cookies. Third party trackers and identifiers.
Look for teleportation: the same identifier showing up from places too far apart for the time elapsed. Good for forensics.
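Added example covering two of the physics-based checks in this deck, the "speed of light and causality" point earlier and the teleportation point just above; it is illustration code written for this page, not the speaker's. Coordinates are those of well-known cities, the server location, RTT figures, cookie events and the 0.67 fibre factor and 1000 km/h travel ceiling are assumptions. Three checks: an observed round trip shorter than light allows for the IP's claimed location means the geolocation is wrong or the traffic does not end there; an application-level round trip much longer than the TCP handshake round trip means something other than the real client answered the handshake (a proxy or exit node terminates TCP, while a request the user's browser must answer travels the whole path); and one identifier seen at two places faster than a person could move between them.

```python
import math
from datetime import datetime

C_KM_S = 299_792.458        # speed of light in vacuum, km/s
FIBRE_FACTOR = 0.67         # signal speed in glass is roughly two thirds of c (assumed)
MAX_TRAVEL_KM_H = 1000.0    # generous ceiling on how fast a person can move (assumed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km):
    """Lower bound on round-trip time over a straight fibre path of this length."""
    return 2 * distance_km / (C_KM_S * FIBRE_FACTOR) * 1000.0


def geo_impossible(observed_rtt_ms, server, claimed):
    """True if replies came back faster than light allows from the claimed
    location: the IP's geolocation is wrong, or it is not where traffic ends."""
    return observed_rtt_ms < min_rtt_ms(haversine_km(*server, *claimed))


def extra_hop_ms(handshake_rtt_ms, app_rtt_ms, slack_ms=50.0):
    """Excess of the application-level round trip over the TCP handshake
    round trip, minus slack for client processing. The handshake is answered
    by whatever terminates TCP; a request only the real client can answer
    travels the whole path. A large value means the visible source is not
    the endpoint. Rough heuristic: slow clients also inflate the app RTT."""
    return max(0.0, app_rtt_ms - handshake_rtt_ms - slack_ms)


def teleportations(events, max_kmh=MAX_TRAVEL_KM_H):
    """events: (iso_time, identifier, lat, lon). Returns identifiers seen at
    two places farther apart than they could have travelled in between.
    Two sightings at the same instant from different places count too."""
    by_id = {}
    for ts, ident, lat, lon in events:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_id.setdefault(ident, []).append((t, lat, lon))
    flagged = set()
    for ident, obs in by_id.items():
        obs.sort()
        for (t0, la0, lo0), (t1, la1, lo1) in zip(obs, obs[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600.0
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                flagged.add(ident)
    return flagged


# Constructed sample: our server in San Francisco, visitors geolocated elsewhere.
SERVER_SF = (37.7749, -122.4194)
FRANKFURT = (50.1109, 8.6821)
LONDON = (51.5074, -0.1278)
LOS_ANGELES = (34.0522, -118.2437)

# Constructed session events: (time, cookie id, lat, lon of the geolocated IP).
EVENTS = [
    ("2014-04-20T10:00:00Z", "cookie-1", *SERVER_SF),
    ("2014-04-20T10:30:00Z", "cookie-1", *LONDON),       # ~8600 km in 30 minutes
    ("2014-04-20T10:00:00Z", "cookie-2", *SERVER_SF),
    ("2014-04-20T12:00:00Z", "cookie-2", *LOS_ANGELES),  # ~560 km in 2 hours: a drive or a flight
]

if __name__ == "__main__":
    print("3 ms from an IP 'in Frankfurt' is impossible:", geo_impossible(3.0, SERVER_SF, FRANKFURT))
    print("extra hop, ms:", extra_hop_ms(12.0, 210.0))
    print("teleporting identifiers:", teleportations(EVENTS))
```

The geolocation test only ever proves a negative: a round trip consistent with the claimed distance says nothing, while one that is too short cannot be explained away.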
Known fingerprint from other activity - hard to change
Odd, unusual or impossible fingerprints suggest fakes.
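Added example of the "odd or impossible fingerprint" check above; illustration code for this page, not the speaker's. It assumes the server has collected, per visit, the User-Agent header plus a few values a small script reports back (navigator.platform, navigator.plugins, Date().getTimezoneOffset()); the three sample fingerprints are constructed. A spoofed User-Agent that claims one OS while the platform string says another is merely odd; a Flash plugin on iOS (which never had one) or a time-zone offset that no zone on earth uses is impossible, and either means the attributes were not all produced by the same real machine.

```python
# Constructed fingerprints (not data from the talk): what the client claimed in
# its User-Agent next to what client-side probes reported.
SAMPLES = {
    "plausible": {
        "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
        "platform": "Win32", "plugins": ["Shockwave Flash"], "tz_offset_min": -420,
    },
    "spoofed_ua": {   # UA rewritten to look like Windows, but JS still sees the Mac
        "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
        "platform": "MacIntel", "plugins": [], "tz_offset_min": 60,
    },
    "impossible": {   # iOS never had a Flash plugin; no zone is UTC+7:17
        "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53",
        "platform": "iPhone", "plugins": ["Shockwave Flash"], "tz_offset_min": -437,
    },
}

# navigator.platform values -> OS family (partial; unknown values are never flagged)
PLATFORM_OS = {
    "Win32": "windows", "Win64": "windows", "MacIntel": "mac",
    "iPhone": "ios", "iPad": "ios", "Linux x86_64": "linux", "Linux i686": "linux",
}


def ua_os(user_agent):
    """Coarse OS family claimed by the User-Agent string."""
    if "Windows" in user_agent:
        return "windows"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "ios"        # before the Mac check: iOS UAs say "like Mac OS X"
    if "Android" in user_agent:
        return "android"    # before the Linux check: Android UAs say "Linux;"
    if "Mac OS X" in user_agent:
        return "mac"
    if "Linux" in user_agent:
        return "linux"
    return "unknown"


def anomalies(fp):
    """Return the internal contradictions in one fingerprint. An empty list
    does not prove honesty; a non-empty one shows the attributes were not all
    produced by the same real machine."""
    found = []
    claimed = ua_os(fp["user_agent"])
    observed = PLATFORM_OS.get(fp.get("platform", ""), "unknown")
    if "unknown" not in (claimed, observed) and claimed != observed:
        found.append(f"ua-os={claimed} platform-os={observed}")
    if observed == "ios" and any("Flash" in p for p in fp.get("plugins", [])):
        found.append("flash-plugin-on-ios")
    tz = fp.get("tz_offset_min")
    # Real offsets are whole quarter hours between UTC+14 (-840) and UTC-12 (720).
    if tz is not None and (tz % 15 != 0 or not -840 <= tz <= 720):
        found.append(f"nonexistent-timezone-offset={tz}")
    return found


def triage(samples=SAMPLES):
    """Name -> list of anomalies, for every fingerprint in the batch."""
    return {name: anomalies(fp) for name, fp in samples.items()}


if __name__ == "__main__":
    for name, found in triage().items():
        print(name, found or "no contradictions")
```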
Attacker use of a VM can be very effective.
Still some telltale indicators.
Ross Ulbricht. Forged IDs sent to his house
Account “altoid” was linked to his Silk Road blog in some posts and to his real-name email in others. Used characteristic language and rant topics.
Taking the next step, you may want to go on the “offensive” which will require you to use anonymity yourself.