[title sub="Written by Chris Graham"]Composr Tutorial: Using IP addresses to trace users[/title]

If you find there is malicious activity on your website, you may feel the need to try and trace this activity back to a real world source, or the very least, to identify a troublesome computer.

This tutorial focuses on IP addresses. A member-focused view is taken in the [page="_SEARCH:tut_censor"]Dealing with annoying users[/page] tutorial.

[contents]decimal,lower-alpha[/contents]

[title="2"]Tracing users (how IP addressing work)[/title]
[surround]
[surround="right float-separation"]
[box="Find your IP address" width="25em"]
Computers often have more than one [concept]IP address[/concept] (one for each 'network interface', such as a network card or modem).

If you want to find your own IP address, as Composr sees it, hold the mouse over the 'Account' icon (person icon) in the top bar to find a tooltip containing the IP address -- or use a [url="third-party IP address reporting website"]https://www.myipaddress.com[/url].
[/box]

[box="Finding network settings" width="25em"]
To find out about your network settings on Windows, type [tt]ipconfig /all[/tt] at a command prompt.
On Linux or Mac, type [tt]ifconfig[/tt].
[/box]
[/surround]
To trace users, you need to identify the computer performing the malicious action: unfortunately (from this perspective), the Internet is largely anonymous and decentralised, and without any clear legal authority to turn to. To some extent, a computer on the Internet can be identified by virtue of its 'IP address' (Internet Protocol address).

An IP address is a 4 byte piece of data (typically, although the newer 6 byte standard has been forthcoming thing for many years now), represented usually in a human readable form of 4 numbers (0-255) separated by dots.

There are a number of different sources of IP addresses, however the decentralisation of the system can lead to abuse; these sources are:
 - [concept]ISP[/concept] (Internet service provider) assigned IP addresses, via [acronym="Dynamic host configuration protocol"]DHCP[/acronym]. There is no specific pattern to these addresses. These are provided to computers when they, or their Internet router, sign on to the Internet via an ISP. This is the most usual source of IP addresses, and as these change, it can not be relied upon that a user will retain the same address for long; however, addresses usually are similar, and can be 'wildcarded' by the Composr IP ban feature. It is possible other users might at some point get that address, even though it is not very likely: if you place a ban on a wide range of addresses, such as [tt]14.*.*.*[/tt], you are increasing the likelihood of a conflict to a dangerously high percentage, especially if an IP address belongs to a popular ISP.
 - ISP (Internet service provider) assigned fixed IP addresses. Some ISPs provide these, often at additional cost. There is no specific pattern to these addresses.
 - Local network IP address [tt]10.0.*.*[/tt] or [tt]192.168.*.*[/tt] type (non-routable [can't travel across the Internet] and open for anyone's local usage as it does not need to assigned by any authority, which means that something odd is happening if you find one of these).
 - Localhost IP address, [tt]127.0.0.1[/tt]. If you see this, then the request came from the server, or the IP address was added to the Composr database arbitrarily by some code because the true one was not known (often importers do this).
[/surround]

[surround="right float-separation"]
[box="Finding a domain's IP address" width="25em"]
To find out what your computer thinks the IP address of an Internet server is, type:
[tt]nslookup <server-domain-name>[/tt]
at a command prompt.
[/box]
[/surround]

There is a scheme for the allocation and organisation of IP addresses -- they are leased in large blocks. The number of addresses in the blocks depend on what 'class' of block is being leased. You can learn more about IP address classes and allocation [url="https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/"]on Cloudflare's Glossary[/url].

There is a major problem with identifying users by IP address, and that is one of [concept]proxy[/concept]s and [concept]gateway[/concept]s (also known as, [concept]NAT[/concept] [network address translation]). If a network is 'behind' a server that makes Internet requests on their behalf, and relays information back using its own internal algorithms, then all users of this server may be seen under a single IP address. Composr will try and detect the 'true' IP address, based on the information available, but we cannot guarantee this will be the case. AOL is renowned for using proxy servers, and will particularly jump rapidly between IP addresses when the AOL browser is used. For the gateway case, it is more than likely that a large school, for example, would use a gateway, rather than exposing all school computers to the Internet via their own IP addresses (in this sense, a NAT/gateway is a form of firewall).

VPNs are also becoming more common-place which allow users to browse the web from a different IP address located in a different part of the world. This is often to preserve privacy or to get around local or country bans. But the caveat is that these users usually cannot be accurately traced by IP address; the server only sees the IP address of the VPN, and so banning it will only ban that exit node (but the user can always switch to a different node / IP address). It is possible (though not recommended if you prioritise traffic to your site) to integrate an API for the blocking of any IP addresses which try to access your site, forcing users to use their real IP address. But this would not serve much benefit and will ultimately reduce the traffic and visitors you get. Composr does not support this out of the box due to the many caveats involved.

[title="2"]Composr tracking[/title]

Composr tracks IP addresses in a number of ways:
 - When a guest makes a post on [concept]Conversr[/concept], the IP address is viewable (by staff) by putting the mouse over the listed name of the guest poster (where the username of a real member usually resides). If you click it, it'll do an investigate-user operation on the IP address
 - For every page view, the IP address of the page viewer is stored. This allows detection of what areas of the site a viewer has visited, and in what order
 - Whenever a submission is made, the IP address is stored. The submitter banning management screen shows these IP addresses in its drop-down list

[title="2"]Tools[/title]

Composr provides modules (screenshots below) for working with the collected data, and settings:
 - The 'Investigate user' module is the main tool for finding information about an IP address (access it from Admin Zone > Security > Members > Investigate user)
 - The 'Action Logs' module (access it from the Admin Zone > Audit > Actions logs) can be used to quickly find out information from a submit that wasn't immediately available (for example, if a user submitted something without being logged-in and hence was not identified, but if by an IP address scan, they were in fact identifiable). The module can also be used to ban or unban a submitter, based on both member (prevents the member submitting again) and IP address (prevents the IP address being used to access the site)
 - The 'Banned IP addresses' (access it from Admin Zone > Security > Banned IP addresses) module can be used to enter IP addresses for banning, along with free-form notes

[media_set]
[media width="150" description="Tools available in the Admin Zone Audit Section" float="left"]data_custom/images/docs/tut_trace/trace_menu2.png[/media]
[media width="150" description="Tools available in the Admin Zone security section" float="left"]data_custom/images/docs/tut_trace/trace_menu.png[/media]
[media width="150" description="Investigating a user" float="left"]data_custom/images/docs/tut_trace/trace_dig_2.png[/media]
[media width="150" description="Choosing a member to view the action logs of" float="left"]data_custom/images/docs/tut_trace/trace_dig_1.png[/media]
[media width="150" description="Managing banned IP addresses" float="left"]data_custom/images/docs/tut_trace/trace_ip_bans.png[/media]
[/media_set]

Note that banned IP addresses are restricted from accessing Composr from a very earlier point. If the [tt].htaccess[/tt] file is available and writable (Apache-only) then the bans are written in here so that PHP doesn't even need to initialise for a ban to be detected.

[title="2"]Other kinds of banning[/title]

Composr ([concept]Conversr[/concept]) does also support many other types of banning, and other punitive tools. See the [page="_SEARCH:tut_censor"]Dealing with annoying users[/page] tutorial for more information.

[title="2"]A closer look at the Investigate User module[/title]

[surround]
[media width="150" description="Options available during an investigation" float="right"]data_custom/images/docs/tut_trace/trace_investigate_2.png[/media]
[media width="150" description="Starting an investigation" float="right"]data_custom/images/docs/tut_trace/trace_investigate_1.png[/media]
{!lookup:DOC_INVESTIGATE_USER}

{$IS_MAINTAINED,ip_tools,These tools are}:
 - [b]Reverse-DNS lookup[/b] - this will find try and find a domain name attached to the IP address.
 - [b]DNS lookup[/b] - this will find try and find a domain name attached to the IP address, and then the IP address attached to the domain name: with a second IP address, further analysis might be performed
 - [b]WHOIS query[/b] - this will try and find a domain name attached to the IP address, and then try to find real-world details about the registered owner of that domain name
 - [b]Ping[/b] - this will see if the computer with the IP address responds to &lsquo;pings&rsquo;; servers often will, but desktop computers rarely will
 - [b]Tracert[/b] - this will find the network route between the server that provides this web tool, and the server of the IP address; it provides an impression of the locality and connectivity of the associated computer
 - [b]Geo-lookup[/b] - this will try and find the geographical location of the IP address; it can be widely inaccurate however: for example, in the past UK AOL users have been shown as being located in the US
[/surround]

[concepts
 1_key="IP address"  1_value="Every computer connected to the Internet has an IP address of its own, although the IP address may change if that computer has 'rented' it via DHCP"
 2_key="DHCP"        2_value="Dynamic Host Configuration Protocol: a protocol that hands out IP addresses to computers on a network (including those connecting to the Internet), often arbitrarily"
 3_key="ISP"         3_value="An Internet Service Provider"
 4_key="Gateway"     4_value="A gateway routes packets between one network to another (e.g. between a network and the Internet) via NAT"
 5_key="NAT"         5_value="Network Address Translation. NAT allows two networks to communicate with IP addresses that a normal router could not have joined together"
 6_key="Firewall"    6_value="A computer/box that limits network traffic between networks; some firewalls are also routers"
 7_key="Proxy"       7_value="A proxy server allows computers on a network to connect to the Internet via special proxy server protocols that encapsulate requests; the proxy server then decodes and executes them, relaying the results"
 8_key="Router"      8_value="A router joins two networks; non-gateway routers actually join the networks such that all computers on a network being joined with the Internet become a part of the Internet themselves"
]Concepts[/concepts]

[title="2"]See also[/title]

 - [page="_SEARCH:tut_security"]Security[/page]
 - [page="_SEARCH:tut_censor"]Dealing with annoying users[/page]
 - [page="_SEARCH:tut_moderation"]Basic forum moderation[/page]
 - [page="_SEARCH:tut_members"]Composr member system[/page]
 - [page="_SEARCH:tut_legal"]Legal and social responsibilities[/page]
 - [page="_SEARCH:tut_antispam"]Anti-spam settings[/page]
 - [page="_SEARCH:sup_how_internet_works"]How the Internet actually works[/page]

{$SET,tutorial_tags,Security,securitylogging,Administration,regular}{$SET,tutorial_add_date,Aug 2008}{$SET,tutorial_summary,If you find a hacker, you may want to try and trace them back to a real world source. We introduce you to your toolkit.}[block]main_tutorial_rating[/block]
