SunWorld: Forensics - Getting to the bottom of a security breach | Linux Today

Written By
Web Webster
Aug 6, 2000

“If a picture is worth a thousand words, then an example is
worth a thousand pictures. This article describes the actions taken
to investigate an actual security breach. To truly understand
the technical details of an incident, it is best to see the actual
data. The tricky part is how to present the data in a way that is
understandable while protecting the privacy of the parties
involved….”

“It all started when my friend Mac sent me an urgent email
asking for help in tracking down a security incident (see Sidebar
1). Mac was covering for the lead admin on the affected site and
was in a bit over his head. The abuse contact for his site had
received a complaint that someone from the site was harassing
people in an Internet relay chat room (see Sidebar 2). Apparently,
BNC was being used to mask the real IP address of the
offender.”

“BNC (BouNCe) is an IRC proxy daemon written by James Seter.
With it, users can bounce IRC traffic to mask the traffic’s
originating IP address.”

“BNC isn’t malicious code in and of itself. It can be used for
quite legitimate purposes, such as protecting a PC by covering its
real IP address with the address of a system better able to
withstand an attack. While this is a form of security through
obscurity, a little obscurity can be helpful, especially when
facing DoS attacks.”

