North American Network Operators Group


Re: Some very strange network behaviors

  • From: Stephen J. Wilcox
  • Date: Thu Sep 11 06:18:10 2003

Whoa stop press! You connected a computer to a public IP and Zone Alarm starts
buzzing away.. FBI!

Depends on how the hotel system works, it may be broadcasting or doing some
other IP weirdness, either way it's not surprising.

But there is no security threat from some left over packets from old TCP/IP 
sessions... as for the question on corporate security, I would hope that any 
connection to the Internet be it a corporate LAN or a travelling user on a 
remote network is done from a computer which has been adequately set up to be
protected from the latest vulnerabilities and is locked down as much as 
possible, goes without saying!

This is one such way as you mention of how office networks with their fancy 
one stop, protects all ills firewalls still succumb to viruses and other
nasties. I'd assume your IT department enforces policies on regularly installing 
OS patches and updating local virus scanners as part of its security policy... 
right?

Steve

On Wed, 10 Sep 2003, Christopher Bird wrote:

> 
> I am not sure if this post belongs here, so I apologize if it does not.
> I have been experiencing some weirdness while traveling and wondered if
> the group has any insight into what seems to be a pretty ugly situation.
> 
> I am traveling and have my laptop with me. I am staying in a hotel that
> offers broadband support. There are 2 of us (with 2 laptops) sharing a
> room. I acquire an internet connection and sign up for the service, so
> get an IP address. In my case that IP address is 12.44.189.24.
> 
> I disconnect my cable and pass it to my roommate. He plugs in and
> acquires IP address 12.44.189.47. He does the email thing for a while
> and then passes the cable back to me. Imagine my surprise when the
> network routes packets destined for his IP address (from his email
> server no less) to my computer. My firewall (Zone Alarm) detects these
> incoming packets and blocks them since they are unsolicited.
> 
> In further analysis of the logs, I see that there are a large number of
> IP addresses that are packet destinations and routed to my computer. Zone
> Alarm detects them and blocks them. According to Zone Alarm I am getting
> packets for destination IP addresses as follows: 12.44.189.244.
> 12.44.189.178 12.44.189.181 12.189.44.244 and some others too. They are
> all port 80 requests, identified by Zone Alarm as TCP (flags:S).
> 
> This seems strange to me since they are arriving at an IP address that
> is different from mine. 
> 
> How can this happen? Is there the potential for a problem (I am thinking
> particularly about future guests who may not have the degree of
> protection (limited though it is) that Zone Alarm is affording me.)?
> 
> This then got me thinking about corporate security. If I have taken my
> laptop and put it on an external network (e.g. the hotel network) what
> protections can I realistically expect, and what should my corporate IT
> department do to make sure my computer hasn't contracted something nasty
> while it was away from home. I could see that the kind of network
> behavior that I observed could infect a less well protected computer and
> thus cause me to bring an infection back to my office where it can
> attack from behind the corporate shields and firewalls.
> 
> Any comments would be very welcome.
> 
> Regards
> 
> Chris Bird
> 
>
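
An added example, not part of either message in this thread: one way to triage a firewall's blocked-packet log so that packets addressed to the host's own lease are separated from packets addressed to other hosts, as in the observation quoted above. The log layout, the source addresses, the `triage` and `split_endpoint` names and the /24 prefix are assumptions made for illustration; only the destination addresses come from the post.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in a made-up CSV layout (NOT ZoneAlarm's real log
# format): action,protocol,flags,source,destination. Destination addresses are
# the ones quoted in the post; sources and ports are constructed.
SAMPLE_LOG = """\
BLOCK,TCP,PA,198.51.100.25:110,12.44.189.47:1045
BLOCK,TCP,S,198.51.100.11:1188,12.44.189.244:80
BLOCK,TCP,S,203.0.113.5:2201,12.44.189.178:80
BLOCK,TCP,S,203.0.113.5:2202,12.44.189.181:80
BLOCK,TCP,S,203.0.113.9:3050,12.189.44.244:80
BLOCK,TCP,S,203.0.113.9:3051,12.44.189.24:80
"""

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def triage(log_text, my_ip, assumed_prefix=24):
    """Bucket blocked packets by how their destination relates to my_ip.

    assumed_prefix is a guess at the access network's size; the post does
    not state the hotel's subnet mask.
    """
    me = ipaddress.ip_address(my_ip)
    local_net = ipaddress.ip_network(f"{my_ip}/{assumed_prefix}", strict=False)
    counts = Counter()
    foreign = []  # packets delivered here but addressed to someone else
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, proto, flags, src, dst = line.strip().split(",")
        dst_ip, dst_port = split_endpoint(dst)
        if dst_ip == me:
            bucket = "addressed_to_me"
        elif dst_ip in local_net:
            bucket = "other_host_same_subnet"
        else:
            bucket = "other_host_outside_subnet"
        counts[bucket] += 1
        if bucket != "addressed_to_me":
            foreign.append((str(dst_ip), dst_port, proto, flags))
    return counts, foreign

if __name__ == "__main__":
    counts, foreign = triage(SAMPLE_LOG, "12.44.189.24")
    print(dict(counts))
    for entry in foreign:
        print(entry)
```

A high count in the two "other_host" buckets says the access network is delivering other hosts' traffic to this port; the "addressed_to_me" bucket is the one that reflects unsolicited traffic aimed at the host itself.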