Hi folks,
this question has been nagging at me for a while now, so I decided to sign up here and get the help of you guys.
The Context
I'm currently a mechanical engineer, but I'm very interested in IT and may even switch my career path if I manage to do so. I'm (not yet) a professional and just do some low-level hardware programming in my spare time, play around with GNU/Linux and try to broaden my horizon regarding network administration/security, with the latter being the source of my question.
The Scenario
Imagine I'd have a server of any kind connected to the internet, probably storing a large number of user account credentials. Imagine also that this server would be attacked (why and how is of no concern) and valuable private user data would be stolen.
To prevent further harm, it would be important to trace down the attackers as soon as possible in order to keep them from posting/selling the private data on the web or attacking more servers. After reporting the incident to the authorities there would be two simplified scenarios (provided the authorities were willing to pursue the case):
- Direct attack: Cunning as they were, the attackers decided to use their home Wi-Fi as a base for their operation. It would be quite easy to track them, since the investigators could simply ask the ISP of the attackers to reveal the identity of the owners based on date, time and IP.
- Indirect attack: The attackers were probably capable enough to use Google and find a solution to obscure their IP address. To keep it simple, let's assume they just used one of the many VPN services available for everyone to use. This would make things a bit harder for investigation, but nevertheless it still wouldn't be a big deal.
When you search the web for possibilities to be completely anonymous on the internet, the first search entries are usually links to blog posts à la "7 Ways To Be 100% Anonymous Online" describing stunning methods just like using Google DNS, proxies or VPN services for would-be software pirates.
If you dig a bit deeper and get to know how such things really work, it becomes obvious that they still don't provide anonymity at all. You can also find posts in forums where people describe why it doesn't work and can't work, mostly using the argument that investigators just need to access the logs of the VPN server used during the attack, which would reveal the true IP of the attacker. This is quite interesting, as people start to search for VPN providers that promise not to keep any logs - which lets me come to the core of the problem.
People assume they can do all sorts of activities as long as they use a VPN service that doesn't keep logs. Just for fun, let's assume there was a provider who really doesn't log server activity (though I'm pretty sure such providers don't exist).
The thing is, in my opinion there wouldn't even be the need for VPN server logs, as I'd just go to the ISP of the VPN provider and look at their logs. A connection to the server under attack would look like this:
Attacker -> ISP of Attacker -> Internet -> ISP of VPN -> VPN -> ISP of VPN -> Internet -> ISP of Server -> Server
As illustrated above, a connection via VPN is in fact just a pair of an incoming connection (from the attacker) and an outgoing connection (to the server). And this pair creates a relation between the actual IP of the attacker and the IP attacking the server.
The Question
Assuming my logic is not faulty, why is there the argument of VPN logs when in fact the logs of the ISP of the VPN will do just fine to identify anyone? Furthermore, why would anyone rely on VPNs, proxies (or chained variants) to attack a server? If the damage was severe enough and I wanted to catch them badly enough, it would still be only a matter of time until I caught them, regardless of the method they used for obfuscation, since the Internet Protocol always requires an address to identify where information is intended to go?
Note
Please note that this is an honest question; therefore I also expect only honest answers. There is also no need to explain to me how DNS, SSH, VPN, proxies, Tor and the like internally work since I've already read a lot about that. As for my use of English, I've invested quite a bit of time to phrase this post properly. However, please forgive occasional mistakes since it's not my mother tongue.
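To make the post's flow-pairing argument concrete, here is an added example (not part of the original post) of how an investigator holding the VPN provider's ISP flow records could rank candidate client addresses by pairing each VPN-to-target flow with inbound client flows of similar timing and size. All IP addresses and flow records are constructed, and the time window and size tolerance are assumed values; the example also shows why a second client active at the same moment makes the pairing ambiguous rather than conclusive.

```python
from collections import defaultdict
from dataclasses import dataclass

VPN_IP = "198.51.100.10"    # constructed: the VPN server's public address
TARGET_IP = "203.0.113.5"   # constructed: the attacked server


@dataclass
class Flow:
    start: float    # flow start time, seconds (constructed)
    src: str
    dst: str
    nbytes: int


# Constructed flow records as the VPN provider's ISP would observe them:
# clients connecting in to the VPN, and the VPN connecting out.
FLOWS = [
    Flow(1000.0, "192.0.2.77", VPN_IP, 52_000),      # client A -> VPN
    Flow(1000.4, VPN_IP, TARGET_IP, 51_400),         # VPN -> target
    Flow(1001.0, "192.0.2.88", VPN_IP, 3_000),       # client B -> VPN (small)
    Flow(1001.3, VPN_IP, "198.51.100.200", 2_900),   # VPN -> somewhere else
    Flow(1249.9, "192.0.2.99", VPN_IP, 800_000),     # client C -> VPN (large)
    Flow(1250.0, "192.0.2.77", VPN_IP, 810_000),     # client A -> VPN (large)
    Flow(1250.2, VPN_IP, TARGET_IP, 805_000),        # VPN -> target
]


def correlate(flows, vpn_ip, target_ip, window=1.0, tolerance=0.1):
    """Pair every VPN->target flow with inbound client flows that began at
    most `window` seconds earlier and carry a byte count within `tolerance`
    (fraction of the outbound size). Returns {client_ip: matched pairs},
    best candidate first. Several clients can match one outbound flow, so
    the result is a ranking of suspects, not an identification."""
    inbound = [f for f in flows if f.dst == vpn_ip]
    outbound = [f for f in flows if f.src == vpn_ip and f.dst == target_ip]
    score = defaultdict(int)
    for out in outbound:
        for inc in inbound:
            delta = out.start - inc.start
            size_ok = abs(out.nbytes - inc.nbytes) <= tolerance * out.nbytes
            if 0 <= delta <= window and size_ok:
                score[inc.src] += 1
    return dict(sorted(score.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for ip, hits in correlate(FLOWS, VPN_IP, TARGET_IP).items():
        print(f"{ip}: {hits} matching flow pair(s)")
```

With the constructed records client A matches both outbound flows while client C matches only the second, which is exactly the kind of ambiguity a real investigator faces once many clients share one VPN exit.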