[Dshield] puzzled by FWIN entry

mark rowlands mark.rowlands at mypost.se
Sun Sep 14 14:51:55 GMT 2003


Could it be nmap's decoy functionality?

 
"Causes a decoy scan to be performed which makes it appear to the
remote  host that the host(s) you specify as decoys are scanning
the target network too.  Thus their IDS might report  5-10  port
scans from unique IP addresses, but they won't know which IP was
scanning them and which were innocent decoys.  While this can be
defeated  through  router  path  tracing, response-dropping, and
other "active" mechanisms, it is generally an extremely effective
technique for hiding your IP address."

Kind of dumb to use a non-routable addy for a decoy but who said
all hackers/wannabes were smart?

Otoh, the ISP I used to use, they used to use 10.x.x.x addresses
internally for a while and when they reconfigured their net to use
"real" addresses, one or two hosts with multiple interfaces were
forgotten about (I guess) so they used to pop up now and again.


> -----Original Message-----
> From: list-bounces at dshield.org 
> [mailto:list-bounces at dshield.org] On Behalf Of John Sage
> Sent: Sunday, September 14, 2003 10:21 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] puzzled by FWIN entry
> 
> On Sat, Sep 13, 2003 at 09:50:53PM -0700, melvin smith wrote:
> > Since I only own one computer and it is on a dial-up internet 
> > connection, I can't understand why I am seeing firewall 
> > entries coming
> > from computers that have a 10.x.x.x IP addy.
> > What gives here??         Mel.
> > 
> > 
> > FWIN,2003/09/10,01:28:32-4:00 GMT,67.73.177.180:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> You're being pinged (ICMP type 8, code 0) by:
> dialup-67.73.177.180.Dial1.Chicago1.Level3.net.
> 
> And you're at:
> dialup-67.74.249.141.Dial1.Baltimore1.Level3.net.
> 
> Undoubtedly Nachi, given what's going on these days. I've 
> seen over 1600 since I re-dialed about 4:00pm this afternoon..
> 
> 
> > FWIN,2003/09/10,01:28:34-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
> 
> Apparently, yes, someone either spoofed a packet with a 
> source IP of 10.16.43.246, source port 80 and is trying to 
> connect to your port 18336, **or** there is some weird sort 
> of NAT'ing going on: some cable systems do use 10.x.x.x 
> numbers within local subnets. (but that doesn't make any 
> sense since you see pings clearly from a relatively "local" 
> neighbor at 67.75.x.x and 67.73.x.x...)
> 
> Actually the NAT'ing doesn't make any sense, since you see a 
> UDP/DNS response from a system outside your local subnet 
> (below), and it's not NAT'ed..
> 
> nmap can spoof source IP's and source ports, but of course 
> it's hard to understand the purpose of doing so.
> 
> 
> > FWIN,2003/09/10,01:28:58-4:00 GMT,67.75.233.136:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:30:00-4:00 GMT,67.73.148.49:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:30:02-4:00GMT,10.16.43.241:80,67.74.249.141:14967,TCP (flags:S)
> 
> > FWIN,2003/09/10,01:30:10-4:00 GMT,67.74.228.199:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:30:14-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
> 
> x.x.x.246 also...
> 
> 
> > FWIN,2003/09/10,01:30:16-4:00 GMT,67.74.230.56:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:31:42-4:00 GMT,67.74.133.159:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:31:42-4:00GMT,10.16.43.241:80,67.74.249.141:14967,TCP (flags:S)
> 
> > FWIN,2003/09/10,01:31:46-4:00 GMT,67.75.56.189:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:31:52-4:00 GMT,67.73.165.208:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:31:56-4:00GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
> 
> > FWIN,2003/09/10,01:32:00-4:00 GMT,67.74.65.158:0,67.74.249.141:0,ICMP (type:8/subtype:0)
> 
> > FWIN,2003/09/10,01:32:40-4:00 GMT,63.120.72.1:53,67.74.249.141:2343,UDP
> 
> [jsage at sparky /storage/snorts] $ host 63.120.72.1 
> 1.72.120.63.in-addr.arpa domain name pointer ns1.appleisp.net.
> 
> So that makes sense: ns1 indicates a nameserver..
> 
> [jsage at sparky /storage/snorts] $ dig @greatwall any appleisp.net
>  
> ; <<>> DiG 9.2.1 <<>> @greatwall any appleisp.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48983
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
>  
> ;; QUESTION SECTION:
> ;appleisp.net.                  IN      ANY
>  
> ;; ANSWER SECTION:
> appleisp.net.           171936  IN      NS      ns1.appleisp.net.
> appleisp.net.           171936  IN      NS      ns2.appleisp.net.
>  
> ;; AUTHORITY SECTION:
> appleisp.net.           171936  IN      NS      ns2.appleisp.net.
> appleisp.net.           171936  IN      NS      ns1.appleisp.net.
>  
> ;; ADDITIONAL SECTION:
> ns1.appleisp.net.       171936  IN      A       63.120.72.1
> ns2.appleisp.net.       171936  IN      A       64.186.173.141
> 
> 
> [jsage at sparky /storage/snorts] $ whois appleisp.net
> 
> BW whois 3.4 by Bill Weinman (http://whois.bw.org/) Copyright 
> 1999-2003 William E. Weinman
> 
> Request: appleisp.net
> 
> whois server for *.net is whois.crsnic.net ...
> connected to whois.crsnic.net [198.41.3.54:43] ...
> connected to whois.itsyourdomain.com [63.85.86.19:43] ...
>  
>  Domain: appleisp.net
>  
>  Registrant (SWS20-IYD-REG)
>    So What Software
>    (null)
>    andy at SOWHATSOFTWARE.COM
>    18001 Sky Park Circle Suite D
>    Irvine, CA 92614 US
>    (null)
>    (null) (FAX)
> 
> 
> 
> - John
> --
> "Warning: time of day goes back, taking countermeasures."
> 
> John Sage
> InfoSec Groupie
> -
> ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
> -
> ATTENTION: this message is privileged communication. If you 
> read it even though you aren't supposed to, you're a poopy-head.
> 
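As an added example (not part of the thread), a small Python triage script for ZoneAlarm FWIN records like the ones Mel posted: it parses each inbound entry and flags an RFC 1918 source arriving over a dial-up link as a bogon, which is the one observable that both of John's hypotheses (a spoofed/decoy packet, or an upstream leaking private addressing) produce. The sample lines are reassembled from the post with the mail-client wraps joined; the label names are my own.

```python
import ipaddress
from collections import Counter

# Constructed sample: the ZoneAlarm "FWIN" entries quoted in the thread,
# with the line wraps introduced by the mail client joined back together.
SAMPLE_LOG = """\
FWIN,2003/09/10,01:28:32-4:00 GMT,67.73.177.180:0,67.74.249.141:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:28:34-4:00 GMT,10.16.43.246:80,67.74.249.141:18336,TCP (flags:S)
FWIN,2003/09/10,01:28:58-4:00 GMT,67.75.233.136:0,67.74.249.141:0,ICMP (type:8/subtype:0)
FWIN,2003/09/10,01:30:02-4:00 GMT,10.16.43.241:80,67.74.249.141:14967,TCP (flags:S)
FWIN,2003/09/10,01:32:40-4:00 GMT,63.120.72.1:53,67.74.249.141:2343,UDP
"""

def parse_fwin(line):
    """Split one FWIN record into (src_ip, src_port, dst_ip, dst_port, proto)."""
    kind, _date, _time, src, dst, proto = line.strip().split(",", 5)
    if kind != "FWIN":
        raise ValueError("not an inbound (FWIN) record: %r" % line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port), proto

def classify(src_ip, src_port, proto):
    """Label an inbound record the way the thread reasons about it."""
    addr = ipaddress.ip_address(src_ip)
    # An RFC 1918 source on a dial-up link cannot be a real Internet peer:
    # either a spoofed/decoy packet or an upstream that leaks private addressing.
    if addr.is_private:
        return "bogon-source"
    if proto.startswith("ICMP (type:8/"):
        return "echo-request"          # ping sweeps, e.g. the Nachi traffic John mentions
    if proto == "UDP" and src_port == 53:
        return "dns-reply"             # answer to our own lookup, not a probe
    return "other"

def summarize(log_text):
    """Return {label: count} over every FWIN line in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("FWIN,"):
            src_ip, src_port, _dst_ip, _dst_port, proto = parse_fwin(line)
            counts[classify(src_ip, src_port, proto)] += 1
    return dict(counts)

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-14s %d" % (label, n))
```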