Archive for Networking

Reading A Traceroute Report

TRACERT

Traceroute is a small program that follows the route a packet takes from your computer to any Internet host. As it moves, or “hops” (some folks also prefer to call it a “hub”), from one router to the next along the network path, it measures the time in milliseconds taken for the data packet to travel between your computer and that particular hop. Traceroute works by sending out packets with incrementing Time To Live (TTL) values. This counter, which is present on every IP packet, is decremented by each router that touches the packet, and the packet is discarded when the counter reaches zero (0). The counter exists to stop packets from being forwarded forever in a routing loop. When the counter reaches 0, the router sends a TTL Exceeded message back to the source IP so that the sending station knows its packets are being discarded. Traceroute looks for those responses and uses them to build the list of hops it displays; the three numbers you see are the return times of the three test packets sent for each TTL value. Generally, a traceroute report shows the host name and IP address of each hop, plus three samples of the time, measured in milliseconds, it took to reach that hop and get a response. It also counts the number of hops between your computer and the host you are tracing to. Each hop is displayed on its own numbered line.


Steps for Windows are as follows.

(a) Click on “Start”, then “Run”

(b) In the text box you see type “cmd”. Click on “ok” when done.

(c) In the command prompt, type tracert yourdomainname.com

(d) Press enter.

On a Linux machine, the command is traceroute domainname.com

Let's look at a sample traceroute report:

traceroute to google.com (64.233.187.99), 30 hops max, 38 byte packets

1 OVZ5 (**.***.***.***) 0.050 ms 0.034 ms 0.031 ms

2 ge-3-43_ge-3-46.lion.bsh.mhd.as29131.net (**.***.***.***) 0.708 ms 0.660 ms 0.659 ms

3 10ge-1-4.tiger.thn.lon.as29131.net (**.***.***.***) 1.896 ms 1.563 ms 1.490 ms

4 78-33-11-213.no-dns-yet.enta.net (78.33.11.213) 1.260 ms 1.219 ms 1.180 ms

5 72.14.198.46 (72.14.198.46) 72.068 ms 1.204 ms 1.270 ms

6 209.85.252.40 (209.85.252.40) 1.370 ms 1.339 ms 209.85.252.42 (209.85.252.42) 1.264 ms

7 72.14.238.248 (72.14.238.248) 1.549 ms 72.14.236.216 (72.14.236.216) 69.104 ms 69.812 ms MPLS Label=126510 CoS=5 TTL=1 S=0

8 66.249.94.235 (66.249.94.235) 101.951 ms 89.042 ms 209.85.252.166 (209.85.252.166) 89.360 ms MPLS Label=382031 CoS=5 TTL=1 S=0

9 66.249.94.235 (66.249.94.235) 89.057 ms 72.14.238.138 (72.14.238.138) 86.629 ms 86.582 ms

10 72.14.236.15 (72.14.236.15) 88.120 ms 88.108 ms 72.14.238.138 (72.14.238.138) 104.223 ms MPLS Label=674605 CoS=5 TTL=1 S=0

11 216.239.49.222 (216.239.49.222) 99.338 ms 216.239.49.226 (216.239.49.226) 95.546 ms 95.031 ms

12 jc-in-f99.google.com (64.233.187.99) 88.383 ms 88.245 ms 64.233.174.117 (64.233.174.117) 95.398 ms

The above output indicates that it took twelve hops to reach the website www.google.com.

When using traceroute, examine each line of data. If the report indicates that all hops after a certain point are taking 200 or more milliseconds to complete, that point on the network path is likely experiencing congestion that is creating high latency. However, it is not unusual for some individual hops to show high latency values without experiencing any problems. Several traceroutes in a row must be run in order to accurately show the condition of the network.

8 * * *

9 * * *

10 * * *

11 * * *

12 * * *

If a sample could not be taken at all, traceroute will show an asterisk. If all hops beyond a certain point show only asterisks, then there may be an outage at that location. Note that some routers are programmed to block IP packets originating from traceroute utilities, so they will always show an asterisk. Traceroute may or may not be able to trace past that point, but this in itself does not indicate a problem.

If you see very high millisecond values between hops, or if samples cannot be collected and the traceroute times out, contact technical support for help.
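As an added example (not part of the original post), the following Python reads Unix-style traceroute output of the shape shown above and applies the two rules of thumb from the text: latency that stays at or above 200 ms from one hop onward, and a tail of hops that never answer. The sample report it runs over is constructed for the example (documentation addresses from 192.0.2.0/24; the MPLS trailer is copied in the format the report above uses). The Windows tracert layout is different and is not handled here.

```python
"""Parser and reader for Unix-style traceroute output: builds the per-hop
sample list, then applies the two rules of thumb from the text (latency that
stays high from one hop onward; a tail of hops that never answer)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Sample:
    addr: Optional[str]        # router that answered; None when the probe got no reply ("*")
    rtt_ms: Optional[float]


@dataclass
class Hop:
    number: int
    name: Optional[str] = None
    samples: List[Sample] = field(default_factory=list)
    annotation: str = ""       # e.g. the "MPLS Label=..." trailer some routers add

    def rtts(self) -> List[float]:
        return [s.rtt_ms for s in self.samples if s.rtt_ms is not None]

    def addresses(self) -> List[str]:
        seen: List[str] = []
        for s in self.samples:
            if s.addr and s.addr not in seen:
                seen.append(s.addr)
        return seen


def parse_hop_line(line: str) -> Optional[Hop]:
    tokens = line.split()
    if not tokens or not tokens[0].isdigit():
        return None                       # header ("traceroute to ...") or blank line
    hop = Hop(number=int(tokens[0]))
    addr: Optional[str] = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "MPLS":                 # everything from here on is an annotation
            hop.annotation = " ".join(tokens[i:])
            break
        if tok == "*":
            hop.samples.append(Sample(None, None))
        elif tok.startswith("(") and tok.endswith(")"):
            addr = tok[1:-1]              # IP of the router that answered the following probes
        elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
            hop.samples.append(Sample(addr, float(tok)))
            i += 1                        # skip the "ms" unit token
        else:
            hop.name = tok                # hostname (or bare IP) preceding "(ip)"
        i += 1
    return hop


def parse_traceroute(text: str) -> List[Hop]:
    hops = [parse_hop_line(line) for line in text.splitlines()]
    return [h for h in hops if h is not None]


def last_responding_hop(hops: List[Hop]) -> Optional[int]:
    answered = [h.number for h in hops if h.rtts()]
    return answered[-1] if answered else None


def silent_tail_start(hops: List[Hop]) -> Optional[int]:
    """First hop of a run of all-asterisk hops that continues to the end of the trace."""
    start = None
    for h in reversed(hops):
        if h.rtts():
            break
        start = h.number
    return start


def congestion_onset(hops: List[Hop], threshold_ms: float = 200.0) -> Optional[int]:
    """Earliest hop from which every later responding hop has its *best* sample at or
    above the threshold. The minimum is used so that a single slow probe (hop 3 in the
    sample) is not mistaken for a congested path."""
    onset = None
    for hop in reversed([h for h in hops if h.rtts()]):
        if min(hop.rtts()) >= threshold_ms:
            onset = hop.number
        else:
            break
    return onset


# Constructed sample in the same shape as the report above (192.0.2.0/24 is documentation space).
SAMPLE = """\
traceroute to www.example.com (192.0.2.10), 30 hops max, 38 byte packets
 1 gw.example.net (192.0.2.1)  0.050 ms  0.034 ms  0.031 ms
 2 core1.example.net (192.0.2.2)  0.708 ms  0.660 ms  0.659 ms
 3 192.0.2.3 (192.0.2.3)  72.068 ms  1.204 ms  1.270 ms
 4 192.0.2.4 (192.0.2.4)  1.370 ms  1.339 ms 192.0.2.5 (192.0.2.5)  1.264 ms
 5 192.0.2.6 (192.0.2.6)  210.5 ms  205.1 ms  208.9 ms MPLS Label=126510 CoS=5 TTL=1 S=0
 6 192.0.2.7 (192.0.2.7)  220.3 ms  *  231.0 ms
 7 * * *
 8 * * *
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    for h in hops:
        print(h.number, h.addresses() or "*", [f"{r:.3f}" for r in h.rtts()], h.annotation)
    print("last answering hop:", last_responding_hop(hops))
    print("silent from hop:", silent_tail_start(hops))
    print("latency >= 200 ms from hop:", congestion_onset(hops))
```

Hop 3 shows why the minimum sample is used: one probe took 72 ms while the other two took about 1 ms, which is the "high value on one hop that is not a problem" case the text describes. Hops 7 and 8 never answer, so the report says the trace went silent from hop 7; whether that is an outage or a router that simply does not reply to traceroute probes is exactly what the text says cannot be decided from one run.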


How to check your Web Server security?

Sometimes actions performed by an attacker on the server may affect its functionality, so it is always advisable to check the server's security to avoid attacks on it. Always check the server resources that might be affected.

You can check CPU usage by running the top command and looking for the application or scripts that consume your CPU.

For strange processes, check with the ps -awux command.

Check /tmp directory and /var/tmp directory for scripts and binaries copied there.

The attacker might use a compromised server to host an IRC bot like psybnc or eggdrop, which connects to port 6667. You can check whether any of your applications connect to that port with sockstat:

#sockstat | grep 6667

If there is not much traffic on your server, you can use the netstat command to see if suspect connections are being made.

#netstat -a

Install and regularly run a rootkit finder application (e.g. /usr/ports/security/rkhunter).

Look for open ports other than the ones used by your running services.
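The netstat and open-port checks above are easier to repeat if they are scripted. The following Python is an added example, not from the original post: it parses `netstat -an` output in the Linux column layout (the post's sockstat is the FreeBSD equivalent), lists the listening ports, flags any that are not on the list of services the host is meant to run, and flags established connections to IRC ports. The socket table it runs over is constructed for the example using documentation addresses; the expected-service list is a placeholder you would replace with your own.

```python
"""Checks over `netstat -an` output of the kind described above: list listening
ports, flag any not on the expected list, and flag connections to IRC ports.
Runs over a constructed sample rather than a live socket table."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]
    foreign_addr: str
    foreign_port: Optional[int]
    state: str          # "" for UDP sockets, which netstat prints without a state column


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.5:49912' -> ('203.0.113.5', 49912); '0.0.0.0:*' -> ('0.0.0.0', None).
    Splitting on the last ':' keeps IPv6 endpoints such as ':::22' intact."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue                      # banner and column-header lines
        proto = parts[0].rstrip("6")      # tcp6/udp6 -> tcp/udp
        laddr, lport = split_endpoint(parts[3])
        faddr, fport = split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""
        conns.append(Conn(proto, laddr, lport, faddr, fport, state))
    return conns


def listening_ports(conns: Iterable[Conn]) -> Set[Tuple[str, int]]:
    """TCP sockets in LISTEN, plus UDP sockets bound with no peer."""
    ports: Set[Tuple[str, int]] = set()
    for c in conns:
        if c.local_port is None:
            continue
        tcp_listen = c.proto == "tcp" and c.state == "LISTEN"
        udp_bound = c.proto == "udp" and c.foreign_port is None
        if tcp_listen or udp_bound:
            ports.add((c.proto, c.local_port))
    return ports


def unexpected_listeners(conns: Iterable[Conn],
                         expected: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listening ports that no known service on this host accounts for."""
    return sorted(listening_ports(conns) - expected)


# 6667 is the port named in the text; 6660-6669 and 6697 (IRC over TLS) are the
# other conventional IRC ports.
IRC_PORTS = frozenset(range(6660, 6670)) | {6697}


def irc_connections(conns: Iterable[Conn], ports=IRC_PORTS) -> List[Conn]:
    return [c for c in conns if c.foreign_port in ports]


# Constructed `netstat -an` excerpt (documentation addresses only).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:49912       ESTABLISHED
tcp        0      0 192.0.2.10:52844        198.51.100.7:6667       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Placeholder: the services this host is supposed to offer (ssh, http, ntp).
EXPECTED = {("tcp", 22), ("tcp", 80), ("udp", 123)}


def report(text: str = SAMPLE_NETSTAT, expected: Set[Tuple[str, int]] = EXPECTED) -> dict:
    conns = parse_netstat(text)
    return {
        "unexpected_listeners": unexpected_listeners(conns, expected),
        "irc_peers": [f"{c.foreign_addr}:{c.foreign_port}" for c in irc_connections(conns)],
    }


if __name__ == "__main__":
    print(report())
```

On the constructed table the report flags the listener on tcp/9999, which no expected service explains, and the established connection to 198.51.100.7:6667, which is the pattern the text associates with a hosted IRC bot. Either finding is a reason to look at the owning process with ps and at /tmp and /var/tmp, as the post suggests, not proof of compromise on its own.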


Ports and Firewalls

Every computer which accesses the internet or is connected to a network uses ports to communicate. Ports are almost like individual conversations going on over the same telephone line, with each port talking about a different thing. For example, every time you access a website using http, the chances are you'll be using port 80. For other protocols such as ftp (file transfer) different ports are used, in this case port 21. Email, secure connections, streaming etc. all use different ports, which helps control the flow of data and filter desired information from undesired.

Most people never see this, or need to know that their computer is doing it automatically. However, in some special cases a program wants to use an unusual port number, and if you have a firewall installed it may be set to block that port, preventing the program from communicating. You may get pop-up windows telling you about the request, but you may not, so if a program tries to communicate across a network or the internet and fails, it could be worth trying it with your firewall turned off to see if that is the problem. If it is, you can set up rules to allow that program access.

There are two key types of firewall: hardware and software based. Hardware firewalls are often built into routers or similar devices (you can often change the port you access your router admin on, and use the address http://routerip:portnumber) and are generally more of an outer barrier preventing obvious attacks on a system. These can sometimes cause problems, but more often than not it is the software firewall that is blocking a connection and needs to be configured. Software firewalls are generally more configurable and allow you to choose which programs can access the internet or network, and individual ports can often be opened (you can find out which ports certain programs need by using a search engine) or closed down as necessary. Generally software firewalls have more flexibility than hardware based ones and have the advantage that they go with you wherever your computer is.

The need for a firewall, more than anything, is to only allow desired programs and information to be sent from your computer. Hackers and malicious code can exploit security holes in a firewall, allowing data to be sent. Port scans often detect weaknesses, and firewalls help to identify and protect against these; hardware firewalls are particularly effective for this. Software firewalls will often alert you if a program wants to access the internet, so if it is one you don't recognise, don't allow it. You can then investigate it further, and if it turns out to be malicious, antivirus or anti-spyware software will help to remove it.

As a firewall is there for security, use it wisely and only have the ports open you need. If you’re not sure what a program is, deny it access and investigate. You can always change it later!


How does a proxy server work?

A proxy server shares one internet connection with ALL the computers on your local network; more generally, it is a computer that offers a network service allowing clients to make indirect network connections to other network services. So basically a proxy (proxy server) is a server that acts as a mediator between the client (the computer of a user) and the server (the computer on the other end of the network connection which holds the information requested by the user, for example a web server). When a client requests data from an Internet resource, traffic goes from your web browser or application through the proxy before it reaches the requested source, and the response comes back through the proxy, which then transmits the data to you.

A proxy server sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.

Do not confuse a proxy server with a NAT (Network Address Translation). Although they appear to be very similar, a proxy server actually does the work of connecting to, responding to, and receiving traffic from the Internet. In other words, it acts on behalf of the client computer. A NAT, on the other hand, merely changes the origination address of traffic coming through it and passes it to the Internet. The computer behind the NAT, not the NAT itself, does the work. The NAT is intended to be transparent to the whole process.

For those who understand the OSI (Open System Interconnection) model of networking, the technical difference between a proxy and a NAT is that the proxy server works on the transport layer (layer 4) or higher of the OSI model, whereas a NAT works on the network layer (layer 3).

How Proxy Servers Work:

1. When a computer on the intranet makes a request out to the Internet, such as to retrieve a Web page from a Web server, the internal computer actually contacts the proxy server, which in turn contacts the Internet server. The Internet server sends the Web page to the proxy server, which then forwards the page to the computer on the intranet.

2. Proxy servers log all traffic between the Internet and the intranet. For example, a Telnet proxy server could track every single keystroke hit in every Telnet session on the intranet, and could also track how the external server on the Internet reacts to those keystrokes. Proxy servers can log every IP address, date and time of access, URL, number of bytes downloaded, and so on. This information can be used to analyze any attacks launched against the network. It can also help intranet administrators build better access and services for employees.

3. Some proxy servers must work with special proxy clients. A more popular approach is to use off-the-shelf clients such as Netscape with proxy servers. When such an off-the-shelf package is used, it must be specially configured to work with proxy servers from a configuration menu. Then the intranet employee uses the client software as usual. The client software knows to go out to a proxy server to get the data, instead of to the Internet.

4. Proxy servers can do more than relay requests back and forth between an intranet and the Internet. They can also implement security schemes. For example, an FTP proxy server could be set up to allow files to be sent from the Internet to a computer on the intranet, but to block files from being sent from the corporate network out to the Internet, or vice versa. In this way, intranet administrators can block anyone outside the corporation from downloading vital corporate data. Or they can stop intranet users from downloading files which may contain viruses.

5. Proxy servers can also be used to speed up the performance of some Internet services by caching data, that is, keeping copies of the requested data. For example, a Web proxy server could cache many Web pages, so that whenever someone from the intranet wanted to get one of those Web pages, they could get it directly from the proxy server across high-speed intranet lines, instead of having to go out across the Internet and get the page at a lower speed from Internet lines.

The different types of Proxy Servers :

There are many different types of Proxy Servers out there. Depending on the purpose, you can get Proxy Servers to route any of these common protocols, and many more:
1)FTP Proxy Server:

Relays and caches FTP Traffic.

2)HTTP Proxy Server:

A one way request to retrieve Web Pages.

3)Socks Proxy Server:

A newer protocol to allow relaying of far more different types of data, whether TCP or UDP.

4)NAT Proxy Server:

This one works a little different, it allows the redirection of all packets without a Program having to support a Proxy Server.

5)SSL Proxy Server:

An extension was created to the HTTP Proxy Server which allows relaying of TCP data similar to a Socks Proxy Server. This was done mainly to allow encryption of Web Page requests.

Furthermore, a Proxy Server can be split into another two Categories:

1)Anonymous:

An Anonymous Proxy Server blocks the remote Computer from knowing the identity of the Computer using the Proxy Server to make requests.

2)Transparent:

A Transparent Proxy Server tells the remote Computer the IP Address of your Computer. This provides no privacy.

Anonymous Proxy Servers can further be broken down into two more categories, Elite and Disguised. An Elite Proxy Server is not identifiable to the remote computer as a Proxy in any way. A Disguised Proxy Server gives the remote computer enough information to let it know that it is a Proxy, however it still does not give away the IP of the Computer it is relaying information for.
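To make the behaviour in "How Proxy Servers Work" and the Transparent / Disguised / Elite distinction concrete, here is an added Python model of a forward HTTP proxy. It is not code from the original post. The client hands every request to the proxy; the proxy applies a blocking policy (point 4), serves repeat requests from its cache (point 5), logs client address, time, URL and byte count for every access (point 2), and otherwise fetches on the client's behalf (point 1). The three privacy categories are expressed through the request headers the remote server sees: X-Forwarded-For carries the client's real address (transparent), Via identifies the proxy without naming the client (the post's "disguised" case, called anonymous mode here), and elite mode sends neither. The upstream server is a constructed stand-in so the model runs offline, and the proxy address 10.0.0.2 and the host names are hypothetical.

```python
"""Model of a forward HTTP proxy: caching, access logging, policy blocking and
the transparent / anonymous (disguised) / elite header behaviour."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# The upstream fetch is injected so the model runs offline; a real proxy would
# open a TCP connection to the remote server at this point.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


@dataclass
class LogEntry:                 # the fields the text says proxies record per access
    client_ip: str
    when: str
    url: str
    status: int
    nbytes: int
    cache_hit: bool


class ForwardProxy:
    def __init__(self, fetch: Fetcher, mode: str = "anonymous",
                 blocked_hosts: Optional[Set[str]] = None,
                 proxy_addr: str = "10.0.0.2"):       # hypothetical proxy address
        if mode not in ("transparent", "anonymous", "elite"):
            raise ValueError(f"unknown mode {mode!r}")
        self.fetch = fetch
        self.mode = mode
        self.blocked_hosts = set(blocked_hosts or ())
        self.proxy_addr = proxy_addr
        self.cache: Dict[str, Tuple[int, bytes]] = {}
        self.log: List[LogEntry] = []

    def outbound_headers(self, client_ip: str) -> Dict[str, str]:
        """Headers the remote server sees; this is what separates the categories."""
        headers: Dict[str, str] = {}
        if self.mode == "transparent":
            headers["X-Forwarded-For"] = client_ip       # real client IP exposed: no privacy
            headers["Via"] = f"1.1 {self.proxy_addr}"
        elif self.mode == "anonymous":
            headers["Via"] = f"1.1 {self.proxy_addr}"    # proxy visible, client hidden ("disguised")
        # elite: nothing in the request identifies a proxy at all
        return headers

    def _log(self, client_ip: str, url: str, status: int, nbytes: int, hit: bool) -> None:
        self.log.append(LogEntry(client_ip, datetime.now(timezone.utc).isoformat(),
                                 url, status, nbytes, hit))

    def handle(self, client_ip: str, url: str) -> Tuple[int, bytes, bool]:
        """Serve one client request: policy check, then cache, then upstream.
        Returns (status, body, served_from_cache)."""
        host = urlsplit(url).hostname or ""
        if host in self.blocked_hosts:                   # security scheme (point 4)
            self._log(client_ip, url, 403, 0, False)
            return 403, b"", False
        if url in self.cache:                            # cached copy (point 5)
            status, body = self.cache[url]
            self._log(client_ip, url, status, len(body), True)
            return status, body, True
        status, body = self.fetch(url, self.outbound_headers(client_ip))   # point 1
        if status == 200:
            self.cache[url] = (status, body)
        self._log(client_ip, url, status, len(body), False)
        return status, body, False


class FakeUpstream:
    """Constructed stand-in for the remote web server; records what it was sent."""
    def __init__(self) -> None:
        self.calls = 0
        self.seen_headers: List[Dict[str, str]] = []

    def __call__(self, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        self.calls += 1
        self.seen_headers.append(dict(headers))
        return 200, f"page for {url}".encode()


def demo(mode: str = "anonymous") -> dict:
    """Two clients fetch the same page, then one asks for a blocked host."""
    upstream = FakeUpstream()
    proxy = ForwardProxy(upstream, mode=mode, blocked_hosts={"blocked.example"})
    proxy.handle("192.0.2.50", "http://www.example.com/index.html")
    second = proxy.handle("192.0.2.51", "http://www.example.com/index.html")
    blocked = proxy.handle("192.0.2.50", "http://blocked.example/secret")
    return {
        "upstream_calls": upstream.calls,        # 1: the second request came from cache
        "second_from_cache": second[2],
        "blocked_status": blocked[0],
        "headers_seen": upstream.seen_headers[0],
        "log_entries": len(proxy.log),
    }


if __name__ == "__main__":
    for m in ("transparent", "anonymous", "elite"):
        print(m, demo(m))
```

Running the demo in each mode shows the same cache and policy behaviour every time, while only the headers the remote server receives change; that is the whole difference between the three categories, and also why a transparent proxy "provides no privacy" in the post's words: the remote server is simply told the client's address.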



Ways to access blocked/banned websites.

a) Using the IP address: this is the best way to access blocked domain names. Instead of the domain name, you can directly use the IP address of the website. To find the IP address of a site, you can use this tool:
hcidata.co.uk/host2ip.htm

b) Using the Google Cache: if you are not concerned about the latest content of the website, then Google cache is the best method. Search for the site in Google and then click on the cached link below search results.

c) Using an anonymizer: these allow you to use their sites/servers to access websites which may be blocked/banned at the user’s end. The following is a list of free web based anonymizers:
-proxify.com: this is one of the best free servers; it hides the original URL and provides an array of access options.
-blockstop.net: new site.
-anonymouse.org/anonwww.html: the URL is visible on this site, so it may get blocked by the filtering software.

d) Online translation tools: these are basically web proxies, the following is a list of free web based translation services:
-world.altavista.com
-google.com/translate_t

e) Google Mobile Search:
-google.com/xhtml

f) Public proxy servers: although these require you to change your internet connection settings, the end result is quite effective; the following is a list of free public proxy servers:
-publicproxyservers.com/page1.html

g) Getting web pages through email: this is only useful if you want to access one website; accessing large files is not possible at all.
-Check out this link, which includes web page subscriptions:
web2mail.com/lite/welcome.php
-List of servers: expita.com/servers.html

h) Tor server: Tor is a proxy server which uses anonymous servers for a single web request. It requires an application which must be downloaded and installed. See the link:
-tor.eff.org/download.html.en

i) Your own proxy server: this is the best and most advanced technique; it requires your own server, hosted either at home or with a hosting provider. You can enable SSL encryption and prevent unauthorised access by others on the internet.
Remember to put access control in place so that no one else can find the service and misuse it.
Web proxies:
-apache.org/docs/1.3/mod/mod_proxy.html
-privoxy.org
-whitefyre.com/poxy/

j) Using alternate content providers: if Gmail is blocked at your place, you can use any other mail address and enable email forwarding at Gmail. If everything fails, use alternate service providers.
