How to Trace Back a Spoofed IP in a Real-Time Digital Forensics Case?

AJAK Cyber Academy
3 min read · Jan 6, 2024


Hi Ajak Amico, welcome back to another blog. Today, I will share my experience on how a spoofed IP is traced back. I recently gave a presentation at my university on investigating a web attack via Wireshark, and a panel member raised a question: how is a spoofed IP traced back? As far as my knowledge went, I said using reverse engineering techniques and machine learning techniques. But the answer given by the panel lead was different. Let’s find out what it is :) Before starting, if you haven’t subscribed to our channel, do subscribe, guys.

Follow our Youtube Channel: @ajakcybersecurity (350 Videos)

Follow on Instagram: @ajakcybersecurity

TTL: Time to Live

OK, the answer given by the panel lead was TTL! I was confused and started to research more. So what is this TTL? Imagine that every time you send a “Hi” message to a friend, you write a number on it that says how many hops the message may travel before it is thrown away. That number is the Time to Live (TTL). In technical terms, TTL is an 8-bit field in the IPv4 header. Despite its name, in practice it is a hop count rather than a duration: every router that forwards the packet decrements it by one, and a router that decrements it to zero discards the packet and sends back an ICMP Time Exceeded message (which is exactly what traceroute relies on). IPv6 carries the same field under the name Hop Limit. The TTL of every captured packet can be seen with packet-capturing software such as Wireshark, where it appears as the ip.ttl field.

[Figure: the Time to Live field of a captured packet, as shown in Wireshark]

How Is This TTL Used to Find a Spoofed IP?

When a legitimate packet is sent, the sending operating system sets the TTL to a fixed initial value, typically 64 (Linux, macOS), 128 (Windows) or 255 (many routers and network appliances). Each router the packet passes through decreases the TTL by one until the packet either reaches its destination or the TTL hits zero and the packet is dropped. The value the destination sees is therefore the initial TTL minus the number of routers crossed. The packet in the figure arrives with a TTL of 55: that is not the initial value but what is left of it, so if the sender started at 64 it has passed through about 9 routers, and it could survive 55 more. Because the initial value is almost always one of a few well-known numbers, the receiver can estimate the hop distance of the sender from nothing but the TTL in the packet it received.

Now consider a spoofed IP. The attacker writes some other host’s address into the source field, but the packet still physically travels from the attacker’s machine to the victim, so its TTL is decremented once for every router on the attacker’s path, not on the path from the address being impersonated. If the victim knows how far away the real owner of that address is (for example, from the TTL of packets seen during an earlier, completed TCP handshake, or from a traceroute to that address), a packet whose TTL implies a clearly different hop count is very likely spoofed. A packet that arrives with a TTL of 1, as in the original question, is a strong signal on its own: either it really crossed about 31 or 63 routers (unusual), or a host on the local network segment sent it with a deliberately low TTL; it certainly did not travel the way normal traffic from a distant source would. This check is known as hop-count filtering. It is a heuristic, not proof: an attacker who knows the victim’s distance from the impersonated host can choose an initial TTL that makes the packet arrive with the “right” value, and routing changes shift legitimate hop counts by one or two. Analysing the TTL in Wireshark is therefore one method among several; others include traceroute, checking other header fields that betray the real sender’s operating system, and machine learning techniques over captured traffic.
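To make the hop-count check concrete, here is a small Python example. It is added for this post and is not code from the original or from any tool the post mentions. It assumes the usual initial TTLs (32, 64, 128, 255), learns the hop distance of a source address from trusted packets (a TTL of 55, matching the figure above, stands in for a packet from a completed handshake), and then flags packets whose TTL implies a distance the real host could not have. The packet records and the IP addresses in it are constructed, not taken from a real capture.

```python
"""Hop-count filtering: flag packets whose observed TTL disagrees with the
hop distance previously learned for the claimed source address.

Added example for this post (not the post's own code). Sample packets below
are constructed, not taken from a real capture.
"""
from dataclasses import dataclass

# Initial TTLs that common operating systems and network gear write into the
# IPv4 header (e.g. 64 for Linux/macOS, 128 for Windows, 255 for many routers).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Packet:
    src: str   # IP address the packet claims to come from
    ttl: int   # TTL as observed at the capture point (Wireshark field ip.ttl)


def infer_initial_ttl(observed_ttl):
    """Guess the TTL the sender started with.

    Routers only ever decrement TTL, so the original value must be at least
    the observed one; take the smallest common initial TTL that qualifies.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255  # not reached: 255 is the largest value an 8-bit field holds


def hop_count(observed_ttl):
    """Number of routers the packet appears to have crossed."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def learn_baseline(trusted_packets):
    """Map each source IP to the set of hop counts seen in traffic we trust,
    e.g. packets from completed TCP handshakes: a blind spoofer never sees the
    SYN-ACK, so it cannot finish the handshake from a forged address."""
    baseline = {}
    for pkt in trusted_packets:
        baseline.setdefault(pkt.src, set()).add(hop_count(pkt.ttl))
    return baseline


def classify(pkt, baseline, tolerance=2):
    """Compare the packet's apparent hop count with what was learned for its
    claimed source. `tolerance` absorbs small routing changes."""
    hops = hop_count(pkt.ttl)
    expected = baseline.get(pkt.src)
    if expected is None:
        return "unknown", hops
    if any(abs(hops - e) <= tolerance for e in expected):
        return "consistent", hops
    return "suspect", hops


def audit(packets, baseline):
    """Return (src, ttl, verdict, apparent_hops) for every packet."""
    return [(p.src, p.ttl, *classify(p, baseline)) for p in packets]


# Constructed sample data. 203.0.113.10 and 198.51.100.7 are documentation-range
# addresses standing in for a legitimate client and an unknown host.
TRUSTED = [Packet("203.0.113.10", 55)]      # TTL 55 -> assumed start 64, 9 hops

UNDER_TEST = [
    Packet("203.0.113.10", 54),   # one extra hop after a route change: legitimate
    Packet("203.0.113.10", 116),  # claims 203.0.113.10, but 12 hops from a 128-TTL host
    Packet("203.0.113.10", 59),   # claims 203.0.113.10, but only 5 hops away
    Packet("198.51.100.7", 1),    # no baseline; TTL 1 means ~31 hops or a crafted TTL
]

if __name__ == "__main__":
    for src, ttl, verdict, hops in audit(UNDER_TEST, learn_baseline(TRUSTED)):
        print(f"{src:<15} ttl={ttl:<3} hops~{hops:<3} {verdict}")
```

To run this over a real capture, export the two fields with `tshark -r capture.pcapng -T fields -e ip.src -e ip.ttl` and build `Packet` records from the output (for IPv6 the field is `ipv6.hlim`). Remember the limits discussed above: the baseline must come from traffic a spoofer cannot forge, such as completed handshakes, and an attacker who knows the right distance can tune the initial TTL to pass the check.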

Conclusion:

So this is how a packet can be detected as spoofed: the TTL tells you the packet did not come from where it claims, but it does not tell you who actually sent it. To unmask the real source behind a spoofed address, different methods are needed, such as header analysis and working with ISPs and law enforcement officers, who can see where the packets entered their networks. We will look at a real case scenario in the next blog. I hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️

“Hold fast to what you have learned🔥” (Tamil: கற்றவை பற்றவை)

Learn Everyday, Happy Hacking 😁🙌

https://www.buymeacoffee.com/Ajak

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —



Written by AJAK Cyber Academy

🚀 E-Learning Cybersecurity Platform🚀 Security Researcher @UK|| DFIR Consultant||Youtuber|| Instructor|| Blogger || https://ajakcyberacademy.com/
