Composr Tutorial: Using IP addresses to trace users

Written by Chris Graham
If you find there is malicious activity on your website, you may feel the need to try and trace this activity back to a real world source, or the very least, to identify a troublesome computer.

This tutorial focuses on IP addresses. A member-focused view is taken in the Dealing with annoying users tutorial.


Tracing users (how IP addressing work)

Find your IP address

Computers often have more than one IP address (one for each 'network interface', such as a network card or modem).

If you want to find your own IP address, as Composr sees it, hold the mouse over the 'Account' icon (person icon) in the top bar to find a tooltip containing the IP address – or use a third-party IP address reporting website.


Finding network settings

To find out about your network settings on Windows, type ipconfig /all at a command prompt.
On Linux or Mac, type ifconfig.

Image

DNSstuff is a very useful website for looking into technical Internet related issues

<a class="user-link" href="http://www.dnsstuff.com" rel="external" target="_blank" title="DNSstuff (this link will open in a new window)">DNSstuff</a> is a very useful website for looking into technical Internet related issues

(Click to enlarge)

To trace users, you need to identify the computer performing the malicious action: unfortunately (from this perspective), the Internet is largely anonymous and decentralised, and without any clear legal authority to turn to. To some extent, a computer on the Internet can be identified by virtue of its 'IP address' (Internet Protocol address).

An IP address is a 4 byte piece of data (typically, although the newer 6 byte standard has been forthcoming thing for many years now), represented usually in a human readable form of 4 numbers (0-255) separated by dots.

There are a number of different sources of IP addresses, however the decentralisation of the system can lead to abuse; these sources are:
  • ISP (Internet service provider) assigned IP addresses, via DHCP. There is no specific pattern to these addresses. These are provided to computers when they, or their Internet router, sign on to the Internet via an ISP). This is the most usual source of IP addresses, and as these change, it can not be relied upon that a user will retain the same address for long; however, addresses usually are similar, and can be 'wildcarded' by the Composr IP ban feature. It is possible other users might at some point get that address, even though it is not very likely: if you place a ban on a wide range of addresses, such as 14.*.*.*, you are increasing the likelihood of a conflict to a dangerously high percentage, especially if an IP address belongs to a popular ISP.
  • ISP (Internet service provider) assigned fixed IP addresses. Some ISPs provide these, often at additional cost. There is no specific pattern to these addresses.
  • Local network IP address 10.0.*.* or 192.168.*.* type (non-routable [can't travel across the Internet] and open for anyone's local usage as it does not need to assigned by any authority, which means that something odd is happening if you find one of these).
  • Localhost IP address, 127.0.0.1. If you see this, then the request came from the server, or the IP address was added to the Composr database arbitrarily by some code because the true one was not known (often importers do this).

Finding a domain's IP address

To find out what your computer thinks the IP address of an Internet server is, type:
nslookup <server-domain-name>
at a command prompt.

There is a scheme for the allocation and organisation of IP addresses – they are leased in large blocks. The number of addresses in the blocks depend on what 'class' of block is being leased. This is outside the scope of this tutorial, except to make the point that IP addresses belonging to the same computer network (often, an ISP, and hence, the network being all users of that ISP from a certain roughly geographic region) share a common address prefix.

There is a major problem with identifying users by IP address, and that is one of proxys and gateways (also known as, NAT [network address translation]). If a network is 'behind' a server that makes Internet requests on their behalf, and relays information back using its own internal algorithms, then all users of this server may be seen under a single IP address. Composr will try and detect the 'true' IP address, based on the information available, but we cannot guarantee this will be the case. AOL is renowned for using proxy servers, and will particularly jump rapidly between IP addresses when the AOL browser is used. For the gateway case, it is more than likely that a large school, for example, would use a gateway, rather than exposing all school computers to the Internet via their own IP addresses (in this sense, a NAT/gateway is a form of firewall).

Composr tracking

Composr tracks IP addresses in a number of ways:
  • When a guest makes a post on Conversr, the IP address is viewable by putting the mouse over the listed name of the guest poster (where the username of a real member usually resides). If you click it, it'll do an investigate-user operation on the IP address
  • For every page view, the IP address of the page viewer is stored. This allows detection of what areas of the site a viewer has visited, and in what order
  • Whenever a submission is made, the IP address is stored. The submitter banning management screen shows these IP addresses in its drop-down list

Tools

Composr provides modules (screenshots below) for working with the collected data, and settings:
  • The 'Investigate user' module is the main tool for finding information about an IP address (access it from Admin Zone > Security > Members > Investigate user)
  • The 'Action Logs' module (access it from the Admin Zone > Audit > Actions logs) can be used to quickly find out information from a submit that wasn't immediately available (for example, if a user submitted something without being logged-in and hence was not identified, but if by an IP address scan, they were in fact identifiable). The module can also be used to ban or unban a submitter, based on both member (prevents the member submitting again) and IP address (prevents the IP address being used to access the site)
  • The 'Banned IP addresses' (access it from Admin Zone > Security > Banned IP addresses) module can be used to enter IP addresses for banning, along with free-form notes

Image

Tools available in the Admin Zone Audit Section

Tools available in the Admin Zone Audit Section

(Click to enlarge)

Image

Tools available in the Admin Zone security section

Tools available in the Admin Zone security section

(Click to enlarge)

Image

Investigating a user

Investigating a user

(Click to enlarge)

Image

Choosing a member to view the action logs of

Choosing a member to view the action logs of

(Click to enlarge)

Image

Managing banned IP addresses

Managing banned IP addresses

(Click to enlarge)


Note that banned IP addresses are restricted from accessing Composr from a very earlier point. If the .htaccess file is available and writable (Apache-only) then the bans are written in here so that PHP doesn't even need to initialise for a ban to be detected.

Other kinds of banning

Composr (Conversr) does also support many other types of banning, and other punitive tools. See the Dealing with annoying users tutorial for more information.

A closer look at the Investigate User module

Image

Options available during an investigation

Options available during an investigation

(Click to enlarge)

Image

Starting an investigation

Starting an investigation

(Click to enlarge)

This lookup page finds information relating to a website user. It's purpose is as a hub for information. The primary screen for managing a joined member is the member's profile screen.

Composr has tried to pull together as much as it can, by trying to match against the triad of IP address, member ID, and username/author. Links are provided that correspond to each of these, each link providing a different perspective on what is likely a single user.

If you would like to provide a low-level ban against IP address it is advisable to carefully research the usages of each IP address set by performing additional IP-based lookups (following the IP addresses as linked will lead you to do this).

These tools are (maintenance status):
  • Reverse-DNS lookup - this will find try and find a domain name attached to the IP address.
  • DNS lookup - this will find try and find a domain name attached to the IP address, and then the IP address attached to the domain name: with a second IP address, further analysis might be performed
  • WHOIS query - this will try and find a domain name attached to the IP address, and then try to find real-world details about the registered owner of that domain name
  • Ping - this will see if the computer with the IP address responds to ‘pings’; servers often will, but desktop computers rarely will
  • Tracert - this will find the network route between the server that provides this web tool, and the server of the IP address; it provides an impression of the locality and connectivity of the associated computer
  • Geo-lookup - this will try and find the geographical location of the IP address; it can be widely inaccurate however: for example, in the past UK AOL users have been shown as being located in the US


See also


Feedback

Please rate this tutorial:

Have a suggestion? Report an issue on the tracker.