[Dshield] puzzled by FWIN entry

John Sage jsage at finchhaven.com
Sun Sep 14 08:20:56 GMT 2003

On Sat, Sep 13, 2003 at 09:50:53PM -0700, melvin smith wrote:
> Since I only own one computer and it is on a 
> dial-up internet connection, I can't understand
> why I am seeing firewall entries coming from 
> computers that have a 10.x.x.x IP addy.
> What gives here??         Mel.
> FWIN,2003/09/10,01:28:32-4:00 GMT,,,ICMP (type:8/subtype:0)

You're being pinged (ICMP type 8, code 0) by:

And you're at:

Undoubtedly Nachi, given what's going on these days. I've seen over
1600 since I re-dialed about 4:00pm this afternoon..

> FWIN,2003/09/10,01:28:34-4:00GMT,,,TCP (flags:S)

Apparently, yes, someone either spoofed a packet with a source IP of, source port 80 and is trying to connect to your port
18336, **or** there is some weird sort of NAT'ing going on: some cable
systems do use 10.x.x.x numbers within local subnets. (but that
doesn't make any sense since you see pings clearly from a relatively
"local" neighbor at 67.75.x.x and 67.73.x.x...)

Actually the NAT'ing doesn't make any sense, since you see a UDP/DNS
response from a system outside your local subnet (below), and it's not

nmap can spoof source IPs and source ports, but of course it's hard
to understand the purpose of doing so.

> FWIN,2003/09/10,01:28:58-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:30:00-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:30:02-4:00GMT,,,TCP (flags:S)

> FWIN,2003/09/10,01:30:10-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:30:14-4:00GMT,,,TCP (flags:S)

x.x.x.246 also...

> FWIN,2003/09/10,01:30:16-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:42-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:42-4:00GMT,,,TCP (flags:S)

> FWIN,2003/09/10,01:31:46-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:52-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:31:56-4:00GMT,,,TCP (flags:S)

> FWIN,2003/09/10,01:32:00-4:00 GMT,,,ICMP (type:8/subtype:0)

> FWIN,2003/09/10,01:32:40-4:00 GMT,,,UDP

[jsage at sparky /storage/snorts] $ host domain name pointer ns1.appleisp.net.

So that makes sense: ns1 indicates a nameserver..

[jsage at sparky /storage/snorts] $ dig @greatwall any appleisp.net
; <<>> DiG 9.2.1 <<>> @greatwall any appleisp.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48983
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;appleisp.net.                  IN      ANY
appleisp.net.           171936  IN      NS      ns1.appleisp.net.
appleisp.net.           171936  IN      NS      ns2.appleisp.net.
appleisp.net.           171936  IN      NS      ns2.appleisp.net.
appleisp.net.           171936  IN      NS      ns1.appleisp.net.
ns1.appleisp.net.       171936  IN      A
ns2.appleisp.net.       171936  IN      A

[jsage at sparky /storage/snorts] $ whois appleisp.net

BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman

Request: appleisp.net

whois server for *.net is whois.crsnic.net ...
connected to whois.crsnic.net [] ...
connected to whois.itsyourdomain.com [] ...
 Domain: appleisp.net
 Registrant (SWS20-IYD-REG)
   So What Software
   18001 Sky Park Circle Suite D
   Irvine, CA 92614 US
   (null) (FAX)

- John
"Warning: time of day goes back, taking countermeasures."

John Sage
InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.

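The triage John does by hand above (sorting the FWIN records into echo requests, a SYN from source port 80 to a high port, and a UDP/DNS reply, and asking why a private 10.x.x.x address shows up on a dial-up link) can be scripted. The following is an added example, not code from the thread or from ZoneAlarm; it assumes the full FWIN layout `FWIN,date,time tz,src:port,dst:port,proto` (the quoted copies have the address fields blank), and the sample log is constructed with RFC 1918 and documentation-range placeholder addresses rather than the elided ones.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the FWIN layout seen in the thread. Addresses are
# placeholders (10.8.1.23 for the puzzling private source, 203.0.113.x for
# "neighbour" hosts, 198.51.100.53 for a resolver); none come from the thread.
SAMPLE_LOG = """\
FWIN,2003/09/10,01:28:32 -4:00 GMT,10.8.1.23:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:28:34 -4:00 GMT,10.8.1.23:80,192.0.2.10:18336,TCP (flags:S)
FWIN,2003/09/10,01:28:58 -4:00 GMT,203.0.113.12:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:30:00 -4:00 GMT,203.0.113.12:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:30:02 -4:00 GMT,10.8.1.23:80,192.0.2.10:18336,TCP (flags:S)
FWIN,2003/09/10,01:30:10 -4:00 GMT,203.0.113.12:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:30:16 -4:00 GMT,203.0.113.9:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:32:40 -4:00 GMT,198.51.100.53:53,192.0.2.10:1027,UDP
"""

# The thread's point is specifically RFC 1918 space (10.x.x.x on a dial-up
# line), so check those three blocks rather than ipaddress's broader is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_fwin(line):
    """Split one FWIN record into a dict; return None for anything else."""
    parts = line.strip().split(",", 5)
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    _, date, time_tz, src, dst, proto = parts
    clock = time_tz.split()[0]                      # "01:28:32 -4:00 GMT" -> "01:28:32"
    when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"when": when, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def classify(e):
    """Tag a record with the patterns discussed in the thread."""
    tags = []
    if is_rfc1918(e["src_ip"]):
        tags.append("private-source")               # should not reach a dial-up host unNATed
    if e["proto"].startswith("ICMP (type:8/"):
        tags.append("icmp-echo-request")            # the ping sweeps attributed to Nachi
    if e["proto"].startswith("TCP") and "flags:S" in e["proto"] \
            and e["src_port"] == 80 and e["dst_port"] > 1023:
        tags.append("syn-from-port-80")             # looks like a reply, but it is a SYN
    if e["proto"].startswith("UDP") and e["src_port"] == 53:
        tags.append("dns-response")                 # answer to a lookup the host made
    return tags


def echo_burst_sources(entries, threshold=3, window=timedelta(minutes=5)):
    """Sources that sent at least `threshold` echo requests within `window`."""
    by_src = defaultdict(list)
    for e in entries:
        if "icmp-echo-request" in classify(e):
            by_src[e["src_ip"]].append(e["when"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(src)
                break
    return hits


def summarize(log_text):
    """Counts per tag plus the sources whose pings arrive in bursts."""
    entries = [e for e in (parse_fwin(l) for l in log_text.splitlines()) if e]
    tag_counts = Counter(t for e in entries for t in classify(e))
    return {"entries": len(entries), "tags": dict(tag_counts),
            "echo_bursts": sorted(echo_burst_sources(entries))}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample log this reports three records from the private source, five echo requests, two SYNs from port 80 aimed at port 18336, one DNS reply, and one source (203.0.113.12) pinging in a burst; a `private-source` hit on a directly dialled-up host is the thing worth chasing, since, as the message argues, it is either a spoofed packet or some NAT arrangement upstream.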