Strange trace

[ihsir]

My firewall had picked up 7-8 attacks from 1 single computer which was also from the same ISP i have. It was infact from the same subnet.
I did a trace on it and found out that it was had systems from different countries - China,Taiwan,Turkey,USA in between.

Now my question is : if its OK then why otherwise what happened to the other system?

[IchNiSan]

I am very interested in looking at the logs that you have of this activity, and, I would also like to see the info which leads you to believe that this computer was in so many different countries. Sure there are possible explanations, but, it seems a bit odd that you can know that a particular computer moved around so much.

Please, Let us see the logs, and please don't obscure the IP addresses or any other info about the computer that you say is attacking you.

Not that I am a skeptic, or don't believe what you are saying, but, I would like the opportunity to look into it, and give some feedback.

IchNiSan

[Palemoon]

Well first off most routers and firewalls can pick off spoofed addys real fast, so I'd say the routers of your ISP are not configed right, or your firewall. What log from what firewall are you talking about, I'd like to see those logs myself be more specific within your comfort zone, or did someone trace you off the hops?

[littlefro]

it could be possible that some one is tunneling trough some one elses computer or using a trojan and launching attacks froma diffrent computer. that would explain why the attacks are comming from a computer on your subnet. but palemon is right we need more info before we can be sure about what is going on. like what firewall your using and the logs from it

[ihsir]

I dont have the firewall logs since i deleted them but I use ZA and I used Sam Spade to perform the 'traceroute' as well as 'whois' for each hop. In the subsequent 'whois' of the hops i found the computers of different countries. Also the number of hops were around 20 which made it a bit strange as usually they are around 2-5 for the same IP range.

right now I was scanned for netbios (5 times) by an IP from my subnet and the number of hops is 2

[owensleftfoot]

"I dont have the firewall logs since i deleted them but I use ZA and I used Sam Spade to perform the 'traceroute' as well as 'whois' for each hop. In the subsequent 'whois' of the hops i found the computers of different countries. Also the number of hops were around 20 which made it a bit strange as usually they are around 2-5 for the same IP range."

The internet is just one huge network made up of many networks. When someone sends a packet to you it travels through many nodes before it reaches you. So if someone wanted to attack your computer from south africa obviously the packets would have to travel through networks in many countries to get to your pc in India. Indeed TCP/IP has a "hands on" approach to routing. If someone was attacking you different packets could actually take different routes to your pc depending on servers down/bottlenecks etc.

[Tiger Shark]

If you tracert'ed the target and then whois'ed all the hops in between you will see lots of different countries listed if the taget is abroad. You will also find some different countries listed if the tracert stays within the US. There is an English company that owns a large part of the fibre? backbone in the US so if you were to whois a router on that backbone you will see it listed as being owned by a British company.

If, as you claim, the attacker was on the same subnet then a tracert would have given you very little and the routers would not have routed the packets outside the subnet. With that in mind I really question whether that IP is anywhere close to your subnet - assuming of course that you are referring to a C Class network, (XXX.XXX.XXX.0/24). It would be quite possible for a B Class, (XXX.XXX.0.0/16) to be in another country and an A Class, (XXX.0.0.0/8) would almost certainly hop international boundaries. But then they wouldn't really be considered as being on _your_ subnet.

Do the first three octals of the IP address attacking you match the first three octals of your IP?

[ihsir]

Well yes they were same, unfortunately i cant provide the logs of either the firewall or the trace since they got deleted but i remember that there was attempt to access thru netbios,http port,telnet,ftp and pings.

so any idea on what happened