ocPortal Tutorial: IP addresses and tracing users
Written by Chris Graham, ocProducts
If you find there is malicious activity on your website, you may feel the need to trace this activity back to a real-world source or, at the very least, to identify a troublesome computer.
Tracing users
Tip
Computers often have more than one IP address (one for each 'network interface', such as a network card or modem). If you want to find your own IP address, as ocPortal sees it, hold the mouse over the 'My Home' link in your personal block. A useful website is myIPaddress.com.
[Image: DNSstuff is a very useful website for looking into technical Internet-related issues]
Tip
To find out about your network settings on Windows, type 'ipconfig /all' at a command prompt (or 'winipcfg' on Windows 9x [Windows 95, Windows 98, Windows ME]). On Linux, type 'ifconfig'.
- ISP (Internet service provider) assigned IP addresses, via DHCP (dynamic host configuration protocol). These are provided to computers when they, or their Internet router, sign on to the Internet via an ISP. This is the most usual situation, and as these change, it cannot be relied upon that a user will keep their address; however, addresses usually are similar, and can be wild-carded by the ocPortal IP ban feature. In addition, it is possible other users might at some point get that address, even though it is not very likely: if you place a ban on a wide range of addresses, such as 14.*.*.*, you increase the likelihood of a conflict to a dangerously high percentage, especially when the IP address belonged to a popular ISP.
- ISP (Internet service provider) assigned fixed IP addresses. Some ISPs provide these, often at additional cost.
- Local network IP address of the 10.0.*.* type (non-routable [can't travel across the Internet] and open for anyone's local usage, as it does not need to be assigned by any authority; this means that something odd is happening if you find one of these)
- Local network IP address of the 192.168.*.* type (non-routable [can't travel across the Internet] and open for anyone's local usage, as it does not need to be assigned by any authority; this means that something odd is happening if you find one of these)
- Localhost IP address, 127.0.0.1. If you see this, then the request came from the server itself, or the IP address was added to the ocPortal database arbitrarily by some code because the true one was not known (importers often do this).
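The address kinds above (private, localhost, public) and the warning about wide wildcard bans, as an added example that is not part of the tutorial or of ocPortal's own code: a Python classifier for addresses stored against visitors, plus a check on how many addresses a wildcard ban such as 14.*.*.* would cover. The record layout and the one-wildcarded-octet threshold are assumptions.

```python
import ipaddress

# Address kinds from the tutorial: 10.*.*.* and 192.168.*.* are private (non-routable) and
# 127.0.0.1 is localhost. 172.16.0.0/12, the third RFC 1918 private range, is not listed in
# the tutorial but is included so it is not misreported as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_ip(ip_str):
    """Return 'localhost', 'private' or 'public' for a dotted IPv4 address string."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "localhost"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"

def flag_odd_addresses(records):
    """Records whose stored IP cannot belong to an Internet visitor (server, importer or LAN)."""
    return [r for r in records if classify_ip(r["ip"]) != "public"]

def wildcard_matches(pattern, ip_str):
    """Match an address against an ocPortal-style wildcard ban such as '14.*.*.*'."""
    parts, octets = pattern.split("."), ip_str.split(".")
    if len(parts) != 4 or len(octets) != 4:
        raise ValueError("expected a dotted IPv4 pattern and address")
    return all(p == "*" or p == o for p, o in zip(parts, octets))

def addresses_covered(pattern):
    """Distinct addresses a wildcard ban blocks: 256 per wildcarded octet."""
    return 256 ** pattern.count("*")

def review_ban(pattern, max_wildcards=1):
    """Flag bans wider than one wildcarded octet (assumed threshold), the conflict risk the tutorial warns about."""
    if pattern.count("*") > max_wildcards:
        return "too broad: %s covers %d addresses" % (pattern, addresses_covered(pattern))
    return "ok"

# Constructed sample visit-log records (not real ocPortal data).
SAMPLE_RECORDS = [
    {"ip": "14.22.0.9", "page": "/forum"},
    {"ip": "127.0.0.1", "page": "/import"},
    {"ip": "192.168.1.20", "page": "/admin"},
]

if __name__ == "__main__":
    for r in flag_odd_addresses(SAMPLE_RECORDS):
        print("odd:", r["ip"], classify_ip(r["ip"]), r["page"])
    print(review_ban("14.*.*.*"))
```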
Tip
To find out what your computer thinks the IP address of an Internet server is, try typing 'ping <server-domain-name>' at a command prompt. It may return the IP address.
There is a major problem with identifying users by IP address, and that is one of proxies and gateways (also known as NAT [network address translation]). If a network is "behind" a server that makes Internet requests on its behalf, and relays information back using its own internal algorithms, then all users of this server may be seen under a single IP address. ocPortal will try to detect the 'true' IP address, based on the information available, but we cannot guarantee this will succeed. AOL is renowned for using proxy servers, and will particularly jump rapidly between IP addresses when the AOL browser is used. For the gateway case, it is more than likely that a large school, for example, would use a gateway rather than exposing all school computers to the Internet via their own IP addresses (in this sense, a NAT/gateway is a form of firewall).
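An added example (not the tutorial's or ocPortal's own code) of the 'true IP address' detection described above, in Python: the address a proxy or gateway forwards is only honoured when the request actually arrived from a proxy the site operator trusts, since otherwise any visitor could supply a made-up value. The X-Forwarded-For header, the trusted-proxy list and the CGI/WSGI-style environ dict are assumptions.

```python
import ipaddress

# Hypothetical proxies/gateways the site operator controls or trusts. Only a hop that
# arrives from one of these may vouch for the 'true' client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.10/32")]

def is_trusted_proxy(ip_str, trusted=TRUSTED_PROXIES):
    """True if ip_str is a valid address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in trusted)

def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Return (address, source) for a CGI/WSGI-style environ dict.

    REMOTE_ADDR is the peer we actually exchanged packets with. X-Forwarded-For is
    supplied by whoever sent the request, so it is honoured only when REMOTE_ADDR is a
    trusted proxy; otherwise the peer itself is reported.
    """
    peer = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if not xff or not is_trusted_proxy(peer, trusted):
        return peer, "direct"
    # Proxies append their upstream to the header, so walk from the nearest hop outwards;
    # the first hop that is not one of our proxies is the client.
    hops = [h.strip() for h in xff.split(",")] + [peer]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer, "direct"  # malformed header value: fall back to the peer
        return hop, "forwarded"
    return peer, "direct"  # every hop was one of ours (an internal request)

# Constructed requests using documentation-range addresses, not real traffic.
SAMPLE_REQUESTS = [
    {"REMOTE_ADDR": "198.51.100.7"},
    {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "192.0.2.1"},
    {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "192.0.2.1, 10.0.0.9"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", client_ip(req))
```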
Tools at your disposal
[Image: Tools available in the Admin Zone security section]
[Image: Tools available in the Admin Zone usage section]
- When a guest makes a post on OCF, the IP address is viewable by putting the mouse over the listed name of the guest poster (where the user-name of a real member usually resides).
- For every page view, the IP address of the page viewer is stored. This allows detection of what areas of the site a viewer has visited, and in what order.
- Whenever a submission is made, the IP address is stored. The submitter banning management interface shows these IP addresses in its drop-down list.
ocPortal provides modules for working with IP addresses:
- The 'Lookup' module is the main tool for finding information about an IP address.
- The 'Action Log' module can be used to quickly find out information from a submission that wasn't immediately available (for example, if a user submitted something without being logged in and hence was not identified, but an IP address scan shows that they were in fact identifiable). The module can also be used to ban or unban a submitter, based on both member (prevents the member submitting again) and IP address (prevents the IP address being used to access the site).
- The 'IP banning' module can be used to enter IP addresses for banning, along with free-form notes.
[Image: Managing banned IP addresses]
- member submission
- IP address
- member
- banned user-group
[Image: Choosing a member to view the action logs of]
[Image: Digging a submitter]
Tip
DNSstuff (on-demand DNS and network tools to analyze, diagnose and monitor a domain or IP address) and SamSpade.org are very useful websites for Internet digging.
A closer look at the lookup module
[Image: Options available during an investigation]
[Image: Starting an investigation]
Concepts
- IP address
- Every computer connected to the Internet has an IP address of its own, although the IP address may change if that computer has 'rented' it via DHCP
- DHCP
- Dynamic Host Configuration Protocol: a protocol that hands out IP addresses to computers on a network (including those connecting to the Internet), often arbitrarily
- ISP
- An Internet Service Provider
- gateway
- A gateway routes packets from one network to another (e.g. between a network and the Internet) via NAT
- NAT
- Network Address Translation. NAT allows two networks whose IP addresses a normal router could not join to communicate with each other
- firewall
- A computer/box that limits network traffic between networks; some firewalls are also routers
- proxy
- A proxy server allows computers on a network to connect to the Internet via special proxy server protocols that encapsulate requests; the proxy server then decodes and executes them, relaying the results
- router
- A router joins two networks; non-gateway routers actually join the networks such that all computers on a network being joined with the Internet become a part of the Internet themselves