[Dshield] puzzled by FWIN entry

John Sage jsage at finchhaven.com
Sun Sep 14 08:20:56 GMT 2003


On Sat, Sep 13, 2003 at 09:50:53PM -0700, melvin smith wrote:
> Since I only own one computer and it is on a 
> dial-up internet connection, I can't understand
> why I am seeing firewall entries coming from 
> computers that have a 10.x.x.x IP addy.
> What gives here??         Mel.
> 
> 
> FWIN,2003/09/10,01:28:32-4:00
> GMT,67.73.177.180:0,67.74.249.141:0,ICMP (type:8/subtype:0)

You're being pinged (ICMP type 8, code 0) by:
dialup-67.73.177.180.Dial1.Chicago1.Level3.net.

And you're at:
dialup-67.74.249.141.Dial1.Baltimore1.Level3.net.

Undoubtedly Nachi, given what's going on these days. I've seen over
1600 since I re-dialed about 4:00pm this afternoon.


> FWIN,2003/09/10,01:28:34-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP
> (flags:S)

Apparently, yes, someone either spoofed a packet with a source IP of
10.16.43.246, source port 80 and is trying to connect to your port
18336, **or** there is some weird sort of NAT'ing going on: some cable
systems do use 10.x.x.x numbers within local subnets. (But that
doesn't make any sense since you see pings clearly from a relatively
"local" neighbor at 67.75.x.x and 67.73.x.x...)

Actually the NAT'ing doesn't make any sense, since you see a UDP/DNS
response from a system outside your local subnet (below), and it's not
NAT'ed.

nmap can spoof source IPs and source ports, but of course it's hard
to understand the purpose of doing so.


> FWIN,2003/09/10,01:28:58-4:00
> GMT,67.75.233.136:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:30:00-4:00
> GMT,67.73.148.49:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:30:02-4:00GMT,10.16.43.241:80,67.74.249.141:14967,TCP
> (flags:S)

> FWIN,2003/09/10,01:30:10-4:00
> GMT,67.74.228.199:0,67.74.249.141:0,ICMP (type:8/subtype:0) 

> FWIN,2003/09/10,01:30:14-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP
> (flags:S)

x.x.x.246 also...


> FWIN,2003/09/10,01:30:16-4:00
> GMT,67.74.230.56:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:42-4:00
> GMT,67.74.133.159:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:42-4:00GMT,10.16.43.241:80,67.74.249.141:14967,TCP
> (flags:S) 

> FWIN,2003/09/10,01:31:46-4:00
> GMT,67.75.56.189:0,67.74.249.141:0,ICMP (type:8/subtype:0) 

> FWIN,2003/09/10,01:31:52-4:00
> GMT,67.73.165.208:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:56-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP
> (flags:S)

> FWIN,2003/09/10,01:32:00-4:00
> GMT,67.74.65.158:0,67.74.249.141:0,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:32:40-4:00
> GMT,63.120.72.1:53,67.74.249.141:2343,UDP 

[jsage at sparky /storage/snorts] $ host 63.120.72.1
1.72.120.63.in-addr.arpa domain name pointer ns1.appleisp.net.

So that makes sense: ns1 indicates a nameserver.

[jsage at sparky /storage/snorts] $ dig @greatwall any appleisp.net
 
; <<>> DiG 9.2.1 <<>> @greatwall any appleisp.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48983
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
 
;; QUESTION SECTION:
;appleisp.net.                  IN      ANY
 
;; ANSWER SECTION:
appleisp.net.           171936  IN      NS      ns1.appleisp.net.
appleisp.net.           171936  IN      NS      ns2.appleisp.net.
 
;; AUTHORITY SECTION:
appleisp.net.           171936  IN      NS      ns2.appleisp.net.
appleisp.net.           171936  IN      NS      ns1.appleisp.net.
 
;; ADDITIONAL SECTION:
ns1.appleisp.net.       171936  IN      A       63.120.72.1
ns2.appleisp.net.       171936  IN      A       64.186.173.141


[jsage at sparky /storage/snorts] $ whois appleisp.net

BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman

Request: appleisp.net

whois server for *.net is whois.crsnic.net ...
connected to whois.crsnic.net [198.41.3.54:43] ...
connected to whois.itsyourdomain.com [63.85.86.19:43] ...
 
 Domain: appleisp.net
 
 Registrant (SWS20-IYD-REG)
   So What Software
   (null)
   andy at SOWHATSOFTWARE.COM
   18001 Sky Park Circle Suite D
   Irvine, CA 92614 US
   (null)
   (null) (FAX)



- John
-- 
"Warning: time of day goes back, taking countermeasures."

John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
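Added illustration, not part of the post: a small Python parser for the FWIN entries quoted above that labels each line the way the reply reasons about it (inbound echo requests, RFC 1918 sources showing up on a dial-up link, a nameserver answering a high local port). It assumes the timestamp field reads `01:28:32 -4:00 GMT` once the mail client's line wrap is undone; the sample entries are copied from the quoted log.

```python
import ipaddress
import re
from collections import Counter

# One ZoneAlarm-style FWIN entry (timestamp field reassembled where the mail wrapped it):
# FWIN,<date>,<time> <utc offset> GMT,<src ip>:<src port>,<dst ip>:<dst port>,<proto>[ (<detail>)]
FWIN_RE = re.compile(
    r"^FWIN,(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>ICMP|TCP|UDP)(?: \((?P<detail>[^)]*)\))?\s*$"
)

def parse_fwin(line):
    """Return a dict of fields for one FWIN line, or None if it does not match."""
    m = FWIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Label an entry following the reasoning in the reply above."""
    detail = rec["detail"] or ""
    if rec["proto"] == "ICMP" and detail == "type:8/subtype:0":
        return "icmp-echo-request"   # inbound ping; in this thread, Nachi sweeps
    if ipaddress.ip_address(rec["src"]).is_private:
        return "private-source"      # RFC 1918 source at a dial-up host: spoofed or misrouted
    if rec["proto"] == "UDP" and rec["sport"] == 53:
        return "dns-reply"           # nameserver answering a high local port
    if rec["proto"] == "TCP" and "flags:S" in detail:
        return "tcp-syn"
    return "other"

def summarize(lines):
    """Count (category, source ip) pairs so repeat sources like x.x.x.246 stand out."""
    return Counter(
        (classify(rec), rec["src"])
        for rec in map(parse_fwin, lines) if rec is not None
    )

# Sample input: entries from the quoted log, joined back onto single lines.
SAMPLE = """\
FWIN,2003/09/10,01:28:32 -4:00 GMT,67.73.177.180:0,67.74.249.141:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:28:34 -4:00 GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
FWIN,2003/09/10,01:30:02 -4:00 GMT,10.16.43.241:80,67.74.249.141:14967,TCP (flags:S)
FWIN,2003/09/10,01:30:14 -4:00 GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
FWIN,2003/09/10,01:31:46 -4:00 GMT,67.75.56.189:0,67.74.249.141:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:32:40 -4:00 GMT,63.120.72.1:53,67.74.249.141:2343,UDP
""".splitlines()
```

Running `summarize(SAMPLE)` on the quoted entries yields two echo requests, three entries from 10.16.43.x (two of them from .246) and one DNS reply, matching the reply's reading of the log.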