Various logging schemes have been proposed by computer forensic researchers to make tracing spoofed IP packets easy for investigators. None of these have become widespread, though it would be trivial for your ISP to detect IP spoofing using egress filtering. This is typically done at the border of the network, so in a large network the precise attacker would be difficult to determine the precise origin of quiet/short transmissions, particularly after they have ended.

quis custodiet ipsos custodes

US Cyber Labs - quis custodiet ipsos custodes

Noisey activities such as DoS attacks can be traced without infrastructure or ISP support by flooding upstream routers and observing the effect on the attacker’s stream. However, transient spoofed communications will remain difficult to detect until IP logging is implemented at intermediate routers.

Some forensic “experts” appear to be lacking knowledge about network protocols, making ridiculous suggestions such as appending unique router id’s into packets. Of course, these can be spoofed by any compromised router, falsely implicating uninvolved parties.


Encapsulated traffic, such as proxies and IP over IP tunnels do not spoof source addresses, but rather scrub the source from packets at each bounce point. Long-lived connections can be traced by physically visiting (or compromising) each upstream bounce point. Dead connections can be traced if the next upstream bounce point is logged at the current bounce point. If not, the trail is cold.

Transient streams where the IP address is changed at each bounce point are at the very least difficult enough to trace that law enforcement won’t bother. Search the news; you won’t find any incidences of law enforcement tracking people down through bounces using amazing technical wizardy. This is not observation bias; law enforcement love to toot their own horn about their supposed feats in fighting “cybercrime”.


There is some speculation that various intelligence agencies are monitoring Internet traffic at the major ISP’s. This is more or less to be expected. What is disputed is how this affects Tor’s anonymity. Certainly, if TCP handshakes are recorded and retained, then it could be used to retroactively identify Tor users and users of other encapsulated proxies. This is the timingcorrelation attack most Tor users have heard about. While this is a very realhole in Tor’s security, the fact is that it is still an expensive attack to carry out, requiring a great deal of data retention or proactive action on the part of the attacker. It is highly unlikely that this will be used on pirates in the near future. More than likely, these capabilities are reserved for counter-terrorism and monitoring of identifiable domestic groups the government finds objectionable. There is no credible evidence of a timing attack successfully being carried out on Tor.


There is no credible information to suggest that LE are able to trace transient network traffic that has been bounced and scrubbed without fairly complete cooperation from all involved hosts, or massive data retention at the major ISP’s coupled with advanced traffic analysis. There is little evidence of law enforcement utilizing any kind of advanced traffic analysis or timing attacks, though the situation may change in the future.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: