We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now


Strange request from Svcs & Ctlr App for nonexistent IP

dmaceld asked
Medium Priority
Last Modified: 2013-11-16
Today ZoneAlarm popped up an alert that Services & Controller App wanted to accept connections from the private network address of Several times after it also wanted to accept a connection from I said no the first time so all subsequent have been blocked.

This is strange and worrisome because I only have three items on my private network, the router at, desktop at and a laptop at I'm connected to internet via DSL modem on the WAN port of the router. The modem is not visible on the network, and the laptop is not turned on. The router is serving as DHCP server, firewall, and NAT, and gateway.

Where can this nonexistent IP address be coming from? Has some outside intrusion made it's way past the router and presented itself as coming from & .175?

Here's the ZA log entries.

PE,2004/03/26,11:09:12 -6:00 GMT,Services and Controller app,,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (,N/A,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (,N/A,N/A
Watch Question

To interpret the alert.....

It's saying that IP:  (remote port 13568 <-- not important) wants to access

PORT 53 on your machine.

Port 53 is DNS.  Are you running a DNS server?  If not, and there's no reason any machine should be allowing other machines to look to your machine for DNS queries then you were ok to DENY access.

Not sure where that IP is coming from, spoofed maybe?  I kinda doubt it.  Are there any other devices in your configuration that may be "network aware" and is trying to contact a DNS servers.

If it continues, add the IP to your BLOCKED list in ZoneAlarm to prevent ANY access from that IP.


The ZA log says Svcs and Ctlr app wants to accept a connection from port 53 at two different IPs and .175. One attempt was from port 13568. The destination IP and port are blank in the log. If whatever it is was doing a DNS query to my machine the destination would be shown as Right?

See my other new comment about what is connected to the network.

Please confirm what your DNS settings are. Go to a command prompt and type ipconfig /all
Check to see if the rogue addresses are there (dns or wins or gateway - whatever)
If nothing there then double check your dsl modem for open NAT's etc.

Having reread your notes it almost sounds as if you have an incorrect subnet mask  set up.

To help us please provide

ipconfig /all
route print

In fact analsying them my help you.


Additional info:

I forgot to mention that I have a wireless access point connected at IP I got to thinking that maybe someone was trying to connect via wireless from outside. I checked my AP configuration and it is configured to accept connections ONLY from the MAC address of my laptop. If someone tries to get in from outside they shouldn't be able to, and I wouldn't see anything in ZA about it, right?

To reiterate, there are only four physical devices on the local network, my desktop at, the router at, the laptop at, and the AP at

The router does NAT so all normal traffic coming through appears to come from How on earth would S & C get a connection attempt from an IP that doesn't physically exist in my system?


Does this output from ipconfig help any? I don't find anything in it that does.

Windows 2000 IP Configuration
      Host Name . . . . . . . . . . . . : hagatha
      Primary DNS Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : [local network name deleted]

Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . : [local network name deleted]
      Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast Ethernet NIC
      Physical Address. . . . . . . . . : 00-0D-61-07-A2-E6
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . :
      DNS Servers . . . . . . . . . . . :
      Lease Obtained. . . . . . . . . . : Friday, March 26, 2004 8:05:42 AM
      Lease Expires . . . . . . . . . . : Friday, April 02, 2004 8:05:42 AM


Here's the output from route print.

Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0d 61 07 a2 e6 ...... Realtek 8139-series PCI NIC                                                      
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        1        1        1        1        1        1        1
Default Gateway:
Persistent Routes:


I can't check anything on the DSL modem because it is on the WAN side of the router which is not visible on the local network. When I do configurations on it I have to reconnect it directly to the computer.

As far as NAT holes in the router's firewall I don't think so. The only opening I can find is permission for the router to respond to pings. DMZ is off, and all preinstalled games rules are off. I have added no other firewall rules.
192.168 isn't routable, though in connection with other packets network recon tools like nmap sometimes send decoy packets usinc spoofed rfc1918 addresses. Your log doesn't state the size of the packet so it's difficult to say it there was a payload, but I don't think it's unusual to see traffic with private IP addresses.


chicagoan, Can you elaborate re: decoy packets and spoofed addresses. Are you saying those spoofed addresses come through unfazed and that's what my computer sees?

Possibly related - my router log shows a whole batch of "SYN Flood attack detects."

Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Thanks for ipconfig and routes.
All looks ok.
I have a very similar setup and the only time I get Zone Alarm giving me an alert is if I have sent a request from my machine to a website ( or whatever ) and it is stopping the return.
This of course would mean your machine is sending stuff out you don't know about.
If you do a netstat -an it will show any open ports - please post.
Whenever something unusual is happening I do the following.

run netstat -an looking for unusual open ports
Run msconfig (or startupCPL) and uncheck everything - except stuff you have to have.
I use http://www.mlin.net/StartupCPL.shtml
Check IE settings and restore defaults. I always use blank for home page.
Start ie6 and reset security and advanced stuff to defaults - high security
With Zone Alarm or equivalent. Set to disable all traffic.
Disconnect from network - remove cable
Boot into safe mode - no networking
Do your virus scan
Do your adaware spybot etc
Zone alarm will alert you if PC is trying to communicate with the outside world. If so find out why.
KEY to all this is to be in SAFE mode / NETWORK unplugged.
Hope this helps
Do on each machine.

As mentioned I can replicate similar alerts on Zone Alarm by scanning my work ip addresses from outside.
The alerts are really no big deal in this case.
Finally, sometimes you have software on your machine that tries to connect to "mother ship". eg McAfee EPO constantly tries to connect to my work server - when I'm at home - and causes an alert.

Should you still believe that someone is trying to get in - disable all unnescessary services - most of them - see http://www.blackviper.com/WinXP/servicecfg.htm ( or http://www.blackviper.com) if not XP - are not required for simple internet use.


Ian, it looks like the situation is as chicagoan described. My router log shows my IP address was under a SYN flood attack at least twice today. One component of those attacks is IP spoofing.

This attack and the ZA response has convinced me that a s/w firewall on the computer is still worthwhile having even when you're behind a router hardware firewall.

I ran netstat as you requested. The only IP addresses in the report are those of this machine, i.e.,,, and

I'm going with chicagoan's answer. Thanks for your feedback.



After reviewing the CERT advisory and reading the documentation on the nmap web site it looks like this is what I saw today.

This experience has convinced me a s/w firewall has value, even in the presence of a router f/w. I hate to think what might have happened if I had blindly clicked on Yes when the alert came up because the request was supposedly coming from inside my trusted local network.

The question is:
How are these packets getting past your perimeter?


I'm certainly not expert in networking so maybe I misunderstand what the NMAP documentation is saying. I got the impression that somehow or other by packet splitting and other techniques NMAP can send packets into a private network that present themselves as coming from within the network.

Do I read too much into what the documentation discusses? If you haven't read it lately take a look. Maybe you or someone else can decipher and explain what must have actually happened.


I did have the router set to respond to pings. I've changed that so that should lessen the chance of being seen as a candidate for attack.


Part of what I thought was the answer has evaporated. I finally realized the SYN flood attack entries in my router log were from the GRC Shield's Up test I ran.

The log entries during the time of the strange IP visit are now gone. So, the source of the mysterious IP addresses remains elusive, unless it was from an NMAP probe that the router firewall didn't log.

Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.