-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

          WHAT YOU SHOULD KNOW ABOUT FORENSIC IP-TRACING TECHNIQUES

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

IP SPOOFING

Various logging schemes have been proposed by computer forensic researchers to
make tracing spoofed IP packets easy for investigators. None of these have
become widespread, though it would be trivial for your ISP to detect IP
spoofing using egress filtering. This is typically done at the border of the
network, so in a large network the precise attacker would be difficult to
determine the precise origin of quiet/short transmissions, particularly after
they have ended.

Noisey activities such as DoS attacks can be traced without infrastructure
or ISP support by flooding upstream routers and observing the effect on the
attacker's stream. However, transient spoofed communications will remain
difficult to detect until IP logging is implemented at intermediate routers.

Some forensic "experts" appear to be lacking knowledge about network protocols,
making ridiculous suggestions such as appending unique router id's into
packets. Of course, these can be spoofed by any compromised router, falsely
implicating uninvolved parties.

ENCAPSULATED TRAFFIC

Encapsulated traffic, such as proxies and IP over IP tunnels do not spoof
source addresses, but rather scrub the source from packets at each bounce
point. Long-lived connections can be traced by physically visiting (or
compromising) each upstream bounce point. Dead connections can be traced if
the next upstream bounce point is logged at the current bounce point. If not,
the trail is cold.

Transient streams where the IP address is changed at each bounce point are at
the very least difficult enough to trace that law enforcement won't bother.
Search the news; you won't find any incidences of law enforcement tracking
people down through bounces using amazing technical wizardy. This is not
observation bias; law enforcement love to toot their own horn about their
supposed feats in fighting "cybercrime".

END-TO-END ATTACKS

There is some speculation that various intelligence agencies are monitoring
Internet traffic at the major ISP's. This is more or less to be expected.
What is disputed is how this affects Tor's anonymity. Certainly, if TCP
handshakes are recorded and retained, then it could be used to retroactively
identify Tor users and users of other encapsulated proxies. This is the timing
correlation attack most Tor users have heard about. While this is a very real
hole in Tor's security, the fact is that it is still an expensive attack to
carry out, requiring a great deal of data retention or proactive action on the
part of the attacker. It is highly unlikely that this will be used on pirates
in the near future. More than likely, these capabilities are reserved for
counter-terrorism and monitoring of identifiable domestic groups the
government finds objectionable. There is no credible evidence of a timing
attack successfully being carried out on Tor.

SUMMARY

There is no credible information to suggest that LE are able to trace transient
network traffic that has been bounced and scrubbed without fairly complete
cooperation from all involved hosts, or massive data retention at the major
ISP's coupled with advanced traffic analysis. There is little evidence of law
enforcement utilizing any kind of advanced traffic analysis or timing attacks,
though the situation may change in the future.