Tracing the Origin of IP Addresses

In the Tendenci eventlogs you will see several IP addresses. IP Addresses identify the computer a particular activity allegedly took place on.

The server IP address is used to identify which server is the host for your web site. Because the servers are behind a firewall (like all servers these days) this will be an internal IP address that does not resolve directly on the Internet. Call for more on that.

The "user IP Address" is the computer doing the action (most of the time, more on this below).

A few things you can do with the "user IP Address" include.
  1. Use a trace application like NeoTrace to determine the probable location of the originating IP address. Neotrace does a nice job of visually showing you the "hops" between your computer and the destination. I like Neotrace to quickly determine where latency, the slow downs, are occurring. This explains why a web site can be fast for one person but slow for another - they paths are different and a bottleneck exists for one of the two people.
  2. Use a command line utility like tracert to or ping to see if that IP address responds. Most computers will NOT reply to a ping but tracert works on numerous networks at least up until the gateway. The wikipedia page on tracert is helpful with tracert examples.
  3. Use sites like the ones below to learn more about the IP address owner. Of course you have no way of knowing the location prior to doing a look up, but the good news is ARIN will point you at Apnic if it doesn't own the IP address itself. So here are two starting points.
    1. to look up who owns a given IP Address in the Americas.
    2. to look up who owns a given IP Address in Asia.
  4. You can test how your own IP Address looks on the Internet using Gibson Research's Shields Up web test utility. This won't give you any information about your Tendenci site, but it is very informative and a great place to start to learn more about IP Address security.
A few other thoughts - most attacks and nefarious activity on your site will be from spoofed IP addresses (meaning faked) or from zombie computers that are carrying out the orders of another computer entirely. In other words, pretty much you lose without calling in a network administrator.

Still - you can do preliminary research and record links (links!) to relevant content. Just don't bet the farm on the accuracy of your research. Things are not as they appear on the Internet unfortunately. So do some research and then call in your ISP to let them continue the defense.