An Imaginary DoS Attack Uncovered
A complaint from a competitor is a diversion from our security manager's strategic objectives for the year.
Mathias Thurman
Computerworld - The other day, our CIO forwarded me an e-mail from our general counsel's office, saying that one of our competitors was accusing us of what amounts to a directed denial-of-service attack.
The complaint was that we were making excessive requests to the competitor's public Web site, hitting its performance so hard that customers were unable to access it. The IP address involved in this attack did indeed belong to us; I recognized it as one of our proxy addresses. You see, all outbound connections made from inside our company are translated to a single public IP address controlled by our proxy servers.
My first thought was that someone had been spoofing our IP address, but before pursuing that I had to check whether any of our internal resources were responsible for the suspicious activity. To do that, I simply had one of my engineers search through the logs of our proxy server for the destination IP address.
Search Results
Surprisingly, the search led to the identification of a single IP address within our company. The dates and times matched up almost to the second with the logs provided by our competitor's network administrators. It was obvious now that one of our employees had been making connections to our competitor's Web site.
Next, we used the NBTSTAT utility within Windows to enumerate the machine name and the media access control (MAC) address. These are two important pieces of information in the incident-response process. Machine names in our company are set to the employee's log-on name, a method that usually makes it easy to identify which resource belongs to whom.
The MAC address is useful because I can have one of our network engineers search the switches' CAM (content addressable memory) tables for the MAC address. That would tell us the switch port involved, and we could then trace back to the office jack where the PC that was involved is attached.
In addition to identifying the employee tied to this IP address, we put a filter on our intrusion-detection system to watch for connections he made. What we observed seemed to be an automated connection from his desktop to the competitor's site every hour. After some discussion with our legal department and human resources, I ended up giving this guy a call.
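The proxy-log search and the hourly-connection observation above are straightforward to reproduce on one's own logs. The following is an added example, not the column's own tooling: it assumes a simple whitespace-separated proxy log layout (timestamp, client IP, method, URL, status), and the addresses, timestamps and the competitor-reported times are all constructed. It finds every internal client that reached the reported destination, checks how many of the competitor's reported timestamps line up with a local proxy hit, and flags clients whose connections recur on a fixed period.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article). Layout assumed here:
# "<iso-timestamp> <client_ip> <method> <url> <status>" per line.
PROXY_LOG = """\
2012-05-01T08:00:02 10.1.4.23 GET http://203.0.113.10/ 200
2012-05-01T08:13:40 10.1.7.99 GET http://198.51.100.5/news 200
2012-05-01T09:00:01 10.1.4.23 GET http://203.0.113.10/ 200
2012-05-01T09:00:03 10.1.4.23 GET http://203.0.113.10/products 200
2012-05-01T10:00:02 10.1.4.23 GET http://203.0.113.10/ 200
2012-05-01T10:25:11 10.1.2.50 GET http://203.0.113.10/ 200
2012-05-01T11:00:04 10.1.4.23 GET http://203.0.113.10/ 200
2012-05-01T12:00:01 10.1.4.23 GET http://203.0.113.10/ 200
"""

# Constructed timestamps standing in for what the competitor's admins reported.
REMOTE_REPORTED = [
    datetime.fromisoformat(t)
    for t in ("2012-05-01T08:00:00", "2012-05-01T09:00:00", "2012-05-01T10:00:00",
              "2012-05-01T11:00:00", "2012-05-01T12:00:00", "2012-05-01T13:00:00")
]


def parse_proxy_log(text):
    """Parse log lines into dicts; malformed or unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, status = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        host = urlsplit(url).hostname
        if host is None:
            continue
        entries.append({"time": when, "client": client, "host": host,
                        "method": method, "status": status})
    return entries


def hits_to_destination(entries, dest_ip):
    """Map each internal client IP to the sorted times it reached dest_ip."""
    hits = defaultdict(list)
    for e in entries:
        if e["host"] == dest_ip:
            hits[e["client"]].append(e["time"])
    return {client: sorted(times) for client, times in hits.items()}


def correlate(local_times, remote_times, tolerance=timedelta(seconds=5)):
    """Count remote-reported timestamps that have a local proxy hit within tolerance."""
    return sum(1 for r in remote_times
               if any(abs(r - l) <= tolerance for l in local_times))


def collapse_bursts(times, window=timedelta(seconds=60)):
    """Treat requests within `window` of the previous kept request as one poll
    (a page fetch usually pulls several resources in quick succession)."""
    polls = []
    for t in sorted(times):
        if not polls or t - polls[-1] > window:
            polls.append(t)
    return polls


def looks_periodic(times, period=timedelta(hours=1),
                   tolerance=timedelta(minutes=2), min_polls=3):
    """True if the client polls on a fixed period, e.g. the hourly pattern the IDS saw."""
    polls = collapse_bursts(times)
    if len(polls) < min_polls:
        return False
    gaps = [b - a for a, b in zip(polls, polls[1:])]
    return all(abs(g - period) <= tolerance for g in gaps)


def report(log_text, dest_ip, remote_times):
    """Per-client summary: hit count, matches against the remote report, periodicity."""
    hits = hits_to_destination(parse_proxy_log(log_text), dest_ip)
    return {
        client: {"hits": len(times),
                 "matched_remote": correlate(times, remote_times),
                 "periodic": looks_periodic(times)}
        for client, times in hits.items()
    }


if __name__ == "__main__":
    for client, summary in report(PROXY_LOG, "203.0.113.10", REMOTE_REPORTED).items():
        print(client, summary)
```

The burst-collapsing step matters: a single page load produces several proxy entries a second or two apart, and without it the gap check would see two-second intervals and never recognise the hourly schedule. The tolerance values are assumptions to tune against real logs.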
Turns out his job is conducting competitive analysis. He uses a tool that lets him monitor all of our competitors' Web sites for changes to content. So, for example, if one of our competitors launched