Solved

Strange request from Svcs & Ctlr App for nonexistent IP

Posted on 2004-03-26
Last Modified: 2013-11-16
Today ZoneAlarm popped up an alert that Services & Controller App wanted to accept connections from the private network address of 192.168.7.175:13568. Several times after it also wanted to accept a connection from 192.168.7.170:53. I said no the first time so all subsequent have been blocked.

This is strange and worrisome because I only have three items on my private network, the router at 192.168.0.1, desktop at 192.168.0.101 and a laptop at 192.168.0.100. I'm connected to internet via DSL modem on the WAN port of the router. The modem is not visible on the network, and the laptop is not turned on. The router is serving as DHCP server, firewall, and NAT, and gateway.

Where can this nonexistent IP address be coming from? Has some outside intrusion made its way past the router and presented itself as coming from 192.168.7.170 & .175?

Here's the ZA log entries.

PE,2004/03/26,11:09:12 -6:00 GMT,Services and Controller app,192.168.7.175:53,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.175:DNS).,N/A,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.170:DNS).,N/A,N/A
Question by:dmaceld
16 Comments
 
LVL 2

Expert Comment

by:TheBrothaULuv2H8
ID: 10691085
To interpret the alert.....

It's saying that IP:  192.168.7.175  (remote port 13568 <-- not important) wants to access

PORT 53 on your machine.

Port 53 is DNS.  Are you running a DNS server?  If not, and there's no reason any machine should be allowing other machines to look to your machine for DNS queries then you were ok to DENY access.

Not sure where that IP is coming from, spoofed maybe?  I kinda doubt it.  Are there any other devices in your configuration that may be "network aware" and are trying to contact a DNS server?

If it continues, add the IP to your BLOCKED list in ZoneAlarm to prevent ANY access from that IP.

0
 

Author Comment

by:dmaceld
ID: 10691436
The ZA log says Svcs and Ctlr app wants to accept a connection from port 53 at two different IPs 192.168.7.170 and .175. One attempt was from port 13568. The destination IP and port are blank in the log. If whatever it is was doing a DNS query to my machine the destination would be shown as 192.168.0.101:53. Right?

See my other new comment about what is connected to the network.

0
 
LVL 6

Expert Comment

by:parkerig
ID: 10691552
Hi,
Please confirm what your DNS settings are. Go to a command prompt and type ipconfig /all
Check to see if the rogue addresses are there (dns or wins or gateway - whatever)
If nothing there then double check your dsl modem for open NAT's etc.

Having reread your notes it almost sounds as if you have an incorrect subnet mask set up.

To help us please provide

ipconfig /all
route print

In fact analysing them may help you.
Cheers
Ian
0
 

Author Comment

by:dmaceld
ID: 10691557
Additional info:

I forgot to mention that I have a wireless access point connected at IP 192.168.0.50. I got to thinking that maybe someone was trying to connect via wireless from outside. I checked my AP configuration and it is configured to accept connections ONLY from the MAC address of my laptop. If someone tries to get in from outside they shouldn't be able to, and I wouldn't see anything in ZA about it, right?

To reiterate, there are only four physical devices on the local network, my desktop at 192.168.0.101, the router at 192.168.0.1, the laptop at 192.168.0.100, and the AP at 192.168.0.50.

The router does NAT so all normal traffic coming through appears to come from 192.168.0.1. How on earth would S & C get a connection attempt from an IP that doesn't physically exist in my system?

0
 

Author Comment

by:dmaceld
ID: 10691679
Does this output from ipconfig help any? I don't find anything in it that does.

Windows 2000 IP Configuration
      Host Name . . . . . . . . . . . . : hagatha
      Primary DNS Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : [local network name deleted]

Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . : [local network name deleted]
      Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast Ethernet NIC
      Physical Address. . . . . . . . . : 00-0D-61-07-A2-E6
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . : 192.168.0.101
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DHCP Server . . . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 192.168.0.1
      Lease Obtained. . . . . . . . . . : Friday, March 26, 2004 8:05:42 AM
      Lease Expires . . . . . . . . . . : Friday, April 02, 2004 8:05:42 AM
0
 

Author Comment

by:dmaceld
ID: 10691703
Here's the output from route print.

============================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0d 61 07 a2 e6 ...... Realtek 8139-series PCI NIC
============================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.101        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0    192.168.0.101   192.168.0.101        1
    192.168.0.101  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.255  255.255.255.255    192.168.0.101   192.168.0.101        1
        224.0.0.0        224.0.0.0    192.168.0.101   192.168.0.101        1
  255.255.255.255  255.255.255.255    192.168.0.101   192.168.0.101        1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
0
 

Author Comment

by:dmaceld
ID: 10691747
I can't check anything on the DSL modem because it is on the WAN side of the router which is not visible on the local network. When I do configurations on it I have to reconnect it directly to the computer.

As far as NAT holes in the router's firewall I don't think so. The only opening I can find is permission for the router to respond to pings. DMZ is off, and all preinstalled games rules are off. I have added no other firewall rules.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10691846
192.168 isn't routable, though in connection with other packets network recon tools like nmap sometimes send decoy packets using spoofed rfc1918 addresses. Your log doesn't state the size of the packet so it's difficult to say if there was a payload, but I don't think it's unusual to see traffic with private IP addresses.
0

Author Comment

by:dmaceld
ID: 10691948
chicagoan, Can you elaborate re: decoy packets and spoofed addresses. Are you saying those spoofed addresses come through unfazed and that's what my computer sees?

Possibly related - my router log shows a whole batch of "SYN Flood attack detects."

0
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
ID: 10692018
>decoy packets
You can setup NMAP to send "decoy packets" with spoofed source addresses so that it appears to you that you are being scanned by multiple hosts to obfuscate where the attack is originating from

>spoofed addresses
It's possible to craft a packet and forge the "return address" (source address).
This is almost always done with a SYN flood to make your computer "think" that a whole buncha other computers are trying to establish a connection.
http://www.cert.org/advisories/CA-1996-21.html
Modern systems can step up the rate at which half-open connections are closed to mitigate the problem and your soho router doesn't even open a connection, it just records the attempt.

0
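An added example, not from the thread or from ZoneAlarm, that applies the accepted answer's point to the log format quoted in the question: behind a NAT router, an inbound source address that is RFC 1918 but outside the host's own subnet (192.168.0.0/24 per the ipconfig output above) cannot belong to a real neighbour, so such entries are flagged for review. The sample log lines are constructed to mirror the quoted entries; the parsing of the comma-separated ZA text format is an assumption based on those three lines only.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in ZoneAlarm's comma-separated text-log layout, modelled on the
# entries quoted in the question, plus one legitimate LAN entry for contrast.
ZA_LOG = """\
PE,2004/03/26,11:09:12 -6:00 GMT,Services and Controller app,192.168.7.175:53,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.175:DNS).,N/A,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.170:DNS).,N/A,N/A
ACCESS,2004/03/26,11:20:01 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.0.100:1234).,N/A,N/A
"""

# The LAN as reported by ipconfig /all in the thread: 192.168.0.101, mask 255.255.255.0.
LAN = ipaddress.ip_network("192.168.0.0/24")

# First dotted quad on the line, with the optional ":port" or ":SERVICE" ZA appends.
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\w+))?")


def classify(src, lan=LAN):
    """Label a source address relative to the host's own subnet.

    'lan'             - inside the configured subnet; a real neighbour can send this.
    'private-offnet'  - RFC 1918 but not our subnet; behind a NAT router nothing
                        outside can legitimately arrive with such a source, so it is
                        either a misconfigured local device or a spoofed/decoy packet.
    'public'          - globally routable address.
    """
    ip = ipaddress.ip_address(src)
    if ip in lan:
        return "lan"
    if ip.is_private:
        return "private-offnet"
    return "public"


def parse_sources(log_text):
    """Yield (event_type, source_ip, port_or_service) for each PE/ACCESS line."""
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 4 or fields[0] not in ("PE", "ACCESS"):
            continue
        m = SRC_RE.search(line)
        if m:
            yield fields[0], m.group(1), m.group(2) or ""


def suspicious_sources(log_text, lan=LAN):
    """Return {source_ip: count} for entries whose source cannot be a real neighbour."""
    hits = Counter(ip for _, ip, _ in parse_sources(log_text)
                   if classify(ip, lan) == "private-offnet")
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(suspicious_sources(ZA_LOG).items()):
        print(f"{ip}: {n} entries from a private address outside {LAN}")
```

Running it against the constructed sample reports the two 192.168.7.x sources and ignores the genuine 192.168.0.100 neighbour; a hit does not by itself prove spoofing, but it narrows the question to "misconfigured local device or forged source", which is the distinction the thread is wrestling with.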
 
LVL 6

Expert Comment

by:parkerig
ID: 10692712
Hi,
Thanks for ipconfig and routes.
All looks ok.
I have a very similar setup and the only time I get Zone Alarm giving me an alert is if I have sent a request from my machine to a website ( or whatever ) and it is stopping the return.
This of course would mean your machine is sending stuff out you don't know about.
If you do a netstat -an it will show any open ports - please post.
Whenever something unusual is happening I do the following.

run netstat -an looking for unusual open ports
Run msconfig (or startupCPL) and uncheck everything - except stuff you have to have.
I use http://www.mlin.net/StartupCPL.shtml
Check IE settings and restore defaults. I always use blank for home page.
Start ie6 and reset security and advanced stuff to defaults - high security
With Zone Alarm or equivalent. Set to disable all traffic.
Disconnect from network - remove cable
Boot into safe mode - no networking
Do your virus scan
Do your adaware spybot etc
Zone alarm will alert you if PC is trying to communicate with the outside world. If so find out why.
KEY to all this is to be in SAFE mode / NETWORK unplugged.
Hope this helps
Do on each machine.

As mentioned I can replicate similar alerts on Zone Alarm by scanning my work ip addresses from outside.
The alerts are really no big deal in this case.
Finally, sometimes you have software on your machine that tries to connect to "mother ship". eg McAfee EPO constantly tries to connect to my work server - when I'm at home - and causes an alert.

Should you still believe that someone is trying to get in - disable all unnecessary services - most of them - see http://www.blackviper.com/WinXP/servicecfg.htm ( or http://www.blackviper.com) if not XP - are not required for simple internet use.
Cheers
Ian
0
 

Author Comment

by:dmaceld
ID: 10692958
Ian, it looks like the situation is as chicagoan described. My router log shows my IP address was under a SYN flood attack at least twice today. One component of those attacks is IP spoofing.

This attack and the ZA response has convinced me that a s/w firewall on the computer is still worthwhile having even when you're behind a router hardware firewall.

I ran netstat as you requested. The only IP addresses in the report are those of this machine, i.e., 0.0.0.0, 192.168.0.101, and 127.0.0.1.

I'm going with chicagoan's answer. Thanks for your feedback.

Mac
0
 

Author Comment

by:dmaceld
ID: 10692975
chicagoan,
After reviewing the CERT advisory and reading the documentation on the nmap web site it looks like this is what I saw today.

This experience has convinced me a s/w firewall has value, even in the presence of a router f/w. I hate to think what might have happened if I had blindly clicked on Yes when the alert came up because the request was supposedly coming from inside my trusted local network.

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10693127
The question is:
How are these packets getting past your perimeter?
0
 

Author Comment

by:dmaceld
ID: 10695195
I'm certainly not expert in networking so maybe I misunderstand what the NMAP documentation is saying. I got the impression that somehow or other by packet splitting and other techniques NMAP can send packets into a private network that present themselves as coming from within the network.

Do I read too much into what the documentation discusses? If you haven't read it lately take a look. Maybe you or someone else can decipher and explain what must have actually happened.

http://www.insecure.org/nmap/data/nmap_manpage.html

I did have the router set to respond to pings. I've changed that so that should lessen the chance of being seen as a candidate for attack.


0
 

Author Comment

by:dmaceld
ID: 10700896
Part of what I thought was the answer has evaporated. I finally realized the SYN flood attack entries in my router log were from the GRC ShieldsUP test I ran.

The log entries during the time of the strange IP visit are now gone. So, the source of the mysterious IP addresses remains elusive, unless it was from an NMAP probe that the router firewall didn't log.

0