TRACKING A DEVICE USING THE INTERNET
A. Identification
A device is identified on the network by an IP address or a mobile phone number registered with an Internet Service Provider (ISP) or a Wireless Service Provider (WSP). Once the IP address or phone number is known, the service provider can be asked, manually, for the identity and account details of the user it was assigned to. Note that an address identifies a subscription at a given time, not a person: providers allocate addresses dynamically, so the request to the provider must carry the time at which the address was observed.
B. Tracking down a hacker or attacker's identity
1. TCP/IP packet
Everything a device sends over the Internet is carried in IP packets, with TCP or UDP as the transport. Every packet carries the originating (source) IP address and the destination IP address. The service provider should verify that the source address on packets entering from its customers is one it actually allocated (ingress filtering); without that check a sender can forge any source address it likes. Its users are typically given an internal, dynamically allocated address or a code; the provider's gateway records this so that the reply to an outgoing message can be routed back to the original sender.
Diagram B1a. Sample of [PC] devices connecting to the Internet via an ISP
A mobile phone connects to its wireless service provider over the air. The WSP, too, holds global IP addresses. It assigns each phone a temporary code or an internal IP address, or uses the phone number itself as the unique identity within its network. A phone reaching the Internet goes through the WSP's gateway, and that identity lets the WSP route a response from an Internet host back to the right phone.
2. Structure of a TCP/IP packet
The address field of a packet, as proposed here, should include
| Global IP address of the ISP or WSP | OC | Subnet IP OR internal code |
-
OC: a 4-bit option code. "0" means the subsequent bits carry a subnet IP; "1" means they carry an internal code; the remaining values are reserved for future expansion.
-
The subnet IP is the internal IP address of a device within an ISP or WSP network. Written in dotted-decimal form it is up to 12 digits, xxx.xxx.xxx.xxx, but on the wire an IPv4 address is 32 bits, i.e. 4 bytes of the packet.
-
An internal code of 3 bytes (24 bits) can distinguish 16 * 16 * 16 * 16 * 16 * 16 = 16,777,216 devices within an ISP or WSP.
The subnet IP option therefore costs more bytes per packet than an internal code while conveying the same information: which device inside the provider's network sent the packet.
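The address layout proposed above, as an added example that is not part of the original post: a small encoder and decoder in Python. The field widths are taken from the text (32-bit IPv4 global address, 4-bit option code, 32-bit subnet IP or 24-bit internal code); the field order with the global IP first, big-endian packing and zero padding at the least-significant end are my assumptions. It shows concretely that the code option saves one byte per address and that a reserved option code is rejected rather than guessed at.

```python
"""Encoder/decoder for the proposed address layout:

    | global IP of the ISP/WSP (32 bits) | OC (4 bits) | subnet IP (32 bits) OR internal code (24 bits) |

Added example. Field widths follow the text above; field order (global IP first),
big-endian packing and zero padding at the least-significant end are assumptions.
"""
import ipaddress

OC_SUBNET_IP = 0       # "0": the subsequent bits carry a 32-bit subnet (internal) IP
OC_INTERNAL_CODE = 1   # "1": the subsequent bits carry a 24-bit internal code
GLOBAL_BITS = 32
OC_BITS = 4
PAYLOAD_BITS = {OC_SUBNET_IP: 32, OC_INTERNAL_CODE: 24}   # other OC values are reserved
MAX_INTERNAL_CODE = (1 << PAYLOAD_BITS[OC_INTERNAL_CODE]) - 1   # 16,777,215


def _ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def encoded_length(oc):
    """Bytes needed for one address with option code `oc` (9 for a subnet IP, 8 for a code)."""
    if oc not in PAYLOAD_BITS:
        raise ValueError("reserved option code %d" % oc)
    return (GLOBAL_BITS + OC_BITS + PAYLOAD_BITS[oc] + 7) // 8


def encode(global_ip, oc, value):
    """Pack (global IP, OC, subnet IP or internal code) into a big-endian byte string."""
    nbits = PAYLOAD_BITS.get(oc)
    if nbits is None:
        raise ValueError("reserved option code %d" % oc)
    if oc == OC_SUBNET_IP:
        payload = _ip_int(value)
    else:
        payload = int(value)
        if not 0 <= payload <= MAX_INTERNAL_CODE:
            raise ValueError("internal code out of range")
    nbytes = encoded_length(oc)
    pad = nbytes * 8 - (GLOBAL_BITS + OC_BITS + nbits)   # unused low bits, zero-filled
    n = ((((_ip_int(global_ip) << OC_BITS) | oc) << nbits) | payload) << pad
    return n.to_bytes(nbytes, "big")


def decode(blob):
    """Inverse of encode(): returns (global_ip, oc, subnet_ip_or_code).

    The global IP always occupies the top 32 bits and the OC the next 4, so the
    decoder can read the OC first and only then knows how wide the payload is.
    """
    n = int.from_bytes(blob, "big")
    total = len(blob) * 8
    global_ip = n >> (total - GLOBAL_BITS)
    oc = (n >> (total - GLOBAL_BITS - OC_BITS)) & ((1 << OC_BITS) - 1)
    nbits = PAYLOAD_BITS.get(oc)
    if nbits is None:
        raise ValueError("reserved option code %d" % oc)
    if len(blob) != encoded_length(oc):
        raise ValueError("length %d does not match option code %d" % (len(blob), oc))
    payload = (n >> (total - GLOBAL_BITS - OC_BITS - nbits)) & ((1 << nbits) - 1)
    value = str(ipaddress.IPv4Address(payload)) if oc == OC_SUBNET_IP else payload
    return str(ipaddress.IPv4Address(global_ip)), oc, value


if __name__ == "__main__":
    for oc, device in ((OC_SUBNET_IP, "10.0.0.7"), (OC_INTERNAL_CODE, 12345)):
        blob = encode("203.0.113.5", oc, device)
        print(oc, blob.hex(), decode(blob))
```

Because the 4-bit option code breaks byte alignment, both forms end up with four unused bits; the saving of the code form is one full byte (8 bytes against 9), not three as a 6-byte estimate for the subnet IP would suggest.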
C. Tracking a TCP/IP packet to its owner
1. Monitoring Internet communication
One of the duties of law enforcement is to monitor the Internet to track down hackers, terrorists, criminals and so on. This could be done by tapping the Internet with a powerful computer, called APY here, that acts both as a firewall and as a TCP/IP packet analyzer.
2. Manually contact the ISP or WSP
Having captured a TCP/IP message with "dangerous" contents, officers could use the packet analyzer to read the global IP address of the ISP or WSP together with the subnet IP or internal code. The ISP or WSP would then be asked to hand over the identity of the user behind those contents on the basis of that information, together with the capture time and the source port: providers reassign addresses, and a gateway doing address translation lets many users share one global address, so only the provider's allocation log for that moment resolves the packet to a subscriber.
There are Internet sites that provide fake or foreign proxy IP addresses to their users. Those sites are allocated global IP addresses themselves and know their users (to the extent that they keep records), so the same strategy used for an ISP or WSP applies to them.
3. Automatic tracking
The APY or other monitoring computers could connect remotely to the server of an ISP or WSP over the Internet. From the analysis of an earlier TCP/IP packet by a user, APY could open a connection to the right ISP or WSP server and query that user's record in its database, so the manual request is replaced by remote database access.
In that case the provider's database must be well protected: the connection authenticated in both directions and encrypted, and each query authorized and logged, to prevent unauthorized access and to leave a record of who looked up whom.
4. Shut down the hacker's terminal
If APY is used to track activity in Internet communications, officers are likely to be familiar with TRACE commands, of the traceroute kind, for locating a host or debugging a problem. The same function could be implemented in the packet analyzer, too.
If the TRACE or the packet analyzer finds hacking activity, APY could issue FIRE to bring down the hacker's terminal or PC.
With the packet analyzer this is easier, since the function is built into the program and could therefore be triggered automatically on given criteria. Any automatic action keyed on a source address must allow for forged source addresses and for a global address shared by many users, or it will hit the wrong machine.
The only issue with the TRACE command is that the data it produces (the ISP's IP address, the subnet IP address or the internal code of the hacker) are captured on screen. Operators would copy and paste that information into a FIRE command to bring down the terminal, which takes time and effort. It would be better to have a link, an automatic feed of data from the TRACE command to the FIRE command, so that no copy and paste is needed when FIRE is used. A sample command structure could be
-
FIRE [ISP address, subnet IP or internal code]
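The tap-and-hand-over workflow of sections B.1, C.2 and C.4, as one added example in Python, written for this page and not part of the original post: a packet analyzer that parses the IPv4 and TCP/UDP headers of captured datagrams, applies a content rule standing in for the "dangerous contents" criteria, and assembles the record that would be handed to the ISP or WSP, or fed to a command such as FIRE, without copy and paste. The three captured packets (built by the helper build_packet with checksums left zero), the rule DANGEROUS and the record's field names are constructed here. Note what a real packet offers: only the 32-bit source address and the source port, so the record carries (source IP, source port, capture time), which is the triple a provider doing address translation needs to resolve a subscriber.

```python
"""Packet analyzer for the tapping and hand-over workflow (B.1, C.2, C.4).

Added example. The captured packets, the content rule and the record field
names are constructed for illustration.
"""
import re
import struct
import ipaddress

PROTO_TCP = 6
PROTO_UDP = 17
# version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_ipv4(packet):
    """Extract originating/destination address, ports and payload from one datagram."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    end = min(total_len, len(packet))     # ignore trailing padding beyond total length
    if ihl < 20 or end < ihl:
        raise ValueError("bad IHL / total length")
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "sport": None, "dport": None}
    l4 = packet[ihl:end]
    info["payload"] = l4
    if proto == PROTO_TCP and len(l4) >= 20:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[(l4[12] >> 4) * 4:]   # data-offset nibble, in 32-bit words
    elif proto == PROTO_UDP and len(l4) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["payload"] = l4[8:]                  # UDP header is always 8 bytes
    return info


def build_packet(src, dst, sport, dport, payload, proto=PROTO_TCP):
    """Construct an IPv4 + TCP (PSH/ACK) or UDP datagram for the demonstration; checksums are zero."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + l4


# Constructed rule standing in for the "dangerous contents" criteria.
DANGEROUS = re.compile(rb"(?i)(?:'\s*or\s*1=1|/etc/passwd|\.\./\.\./)")


def attribution_record(packet, seen_at):
    """Return the hand-over record for a matching packet, or None if the rule does not fire.

    The tap sees only the provider's global address and the source port; with
    address translation the (IP, port, time) triple is what the provider maps
    back to a subscriber, so all three go into the record.
    """
    info = parse_ipv4(packet)
    hit = DANGEROUS.search(info["payload"])
    if hit is None:
        return None
    return {"src_ip": info["src"], "src_port": info["sport"], "dst_ip": info["dst"],
            "dst_port": info["dport"], "proto": info["proto"], "seen_at": seen_at,
            "matched": hit.group(0).decode("latin-1")}


def scan(capture):
    """Run the rule over (timestamp, packet) pairs; return the records to pass to the provider."""
    records = []
    for seen_at, pkt in capture:
        rec = attribution_record(pkt, seen_at)
        if rec is not None:
            records.append(rec)
    return records


# Constructed capture: an ordinary web request, a DNS query and one injection probe.
SAMPLE_CAPTURE = [
    ("2024-01-01T10:00:00Z", build_packet("198.51.100.23", "192.0.2.10", 51000, 80,
                                          b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")),
    ("2024-01-01T10:00:01Z", build_packet("198.51.100.23", "192.0.2.53", 51001, 53,
                                          b"\x12\x34\x01\x00\x00\x01", proto=PROTO_UDP)),
    ("2024-01-01T10:00:02Z", build_packet("203.0.113.77", "192.0.2.10", 40022, 80,
                                          b"GET /login?user=a' OR 1=1-- HTTP/1.1\r\n\r\n")),
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_CAPTURE):
        print(rec)
```

Only the third packet produces a record. Feeding that record to the provider query of C.3, or to FIRE, is then a matter of passing a dictionary rather than reading an address off a screen; the content rule is deliberately separate from the parser so that the criteria can be changed without touching the header decoding.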