February 4th, 2005, 07:33 AM
connections routed through my computer....
I'm staying in a campus where we've got internet access in our rooms through a centralised gateway for the entire univ. Recently my firewall blocked some connections that were termed as 'routed' through my computer. What does this mean? I've checked at the website at zonelabs and it says that someone might have mistakenly or intentionally routed their connection through my computer. How is this done? Is it someone on the same LAN or can it be someone from outside? The thing is, one of them actually originated from the proxy server of our univ (10.65.0.42) and its destination IP was my neighbour. Now, our IPs are no way related to each other. How can somebody actually route to my neighbour's computer through mine even though the IP addresses are totally different?
I've attached a pic of the zone alarm logs.
February 4th, 2005, 09:42 AM
I'm gonna take a stab at this, but please correct me if I'm wrong.
When a computer is looking for another computer it may not know where it is, so it asks the router. If the router doesn't know where it is, it has a predetermined "default route", usually to another router. This is in hopes that the other router will know where the computer it wants is. Now if they are using a hub, it may just be that one computer sent out a signal looking for IP aa.aa.aa.aa but it went to all computers, because well... that's what hubs do, they send everything to everyone. So if one router's default route goes to a hub and that hub just shoots out the info to everyone (including your computer), your firewall says "hey this isn't for me... *block*" so you get that error.
February 4th, 2005, 05:14 PM
The thing is that there are two kinds of messages that are shown in zone alarm: "incoming" and "routed". I always get "incoming" blocks. This is the first time that I got "routed" blocks. We've got switches in each of the students' quarters. People generally run netscanner to see if anything has been shared or not on other people's computers. Sometimes they just "ping" others. These are blocked by zone alarm. But I've never seen "routed" before. And the funniest thing is that the source of one of the routed connections is the proxy server on campus. I mean, why will anyone from the proxy server try to route something through my computer to someone else's? The proxy is the only way to connect to the internet. So, is it possible that it is someone from outside the network who is trying to gain access into our computers? If what you said about the router sending the packets to all the computers on the LAN is true, then shouldn't it read "incoming" because it is meant for my computer, rather than "routed"?
[EDIT] One more thing.... if you see in the jpg that I've attached before, you will see two such lines:
source:10.65.0.42:37664 destination:10.137.3.2:80 and
Now, both of the source IPs are proxy servers (both of them are actually the same server, I don't know how) and the destination is my neighbour's. Don't the port numbers seem strange, and also that he is connecting to my neighbour through me?
February 4th, 2005, 06:10 PM
XTC46, I think what you're describing is an ARP message, and in case of a hub, that ARP message goes directly to all computers connected, but it still wouldn't explain the "routed" message (imho). If his machine got an ARP request and it didn't match the IP address, it simply would not reply (even without the firewall).
What could have happened is that someone might have mistakenly identified you as the next route in the network (maybe as a result of DHCP?). Maybe a virus that is trying to connect to machines on the network? I'm not sure...
Also, the source (local) port numbers seem strange because the source port number does not make a difference in terms of connections. If you do netstat while loading www.yahoo.com in your browser, you'll notice a connection with an odd source port and www.yahoo.com with port 80 (or, if you're going through a proxy, you will see your proxy's address with the port number you're using, typically 1080).
February 4th, 2005, 07:02 PM
Actually, 1080 is the SOCKS port...8080 is the typical HTTP-ALTERNATE (and proxy) port.
But the point is correct.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
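To make the "incoming" versus "routed" distinction and the source-port question from the two posts above concrete, here is an added Python example (not from the thread, not ZoneAlarm's code) that classifies log entries in the "source:IP:port destination:IP:port" shape quoted earlier; the reporting host's address 10.137.3.5 and its subnet are assumptions, and two of the three sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample: the first line is the entry quoted in the thread, the
# other two are made up here (a LAN share probe aimed at us, and the proxy
# answering the neighbour through us). MY_IP and LOCAL_NET are assumptions.
SAMPLE_LOG = """\
source:10.65.0.42:37664 destination:10.137.3.2:80
source:10.137.3.7:1045 destination:10.137.3.5:139
source:10.65.0.42:8080 destination:10.137.3.2:1052
"""
MY_IP = ipaddress.ip_address("10.137.3.5")         # assumed: the firewall host
LOCAL_NET = ipaddress.ip_network("10.137.3.0/24")  # assumed: the dorm switch segment

LINE_RE = re.compile(r"source:(\S+):(\d+)\s+destination:(\S+):(\d+)")

def parse_line(line):
    """Split one log line into addresses and ports; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src_ip": ipaddress.ip_address(m.group(1)), "src_port": int(m.group(2)),
        "dst_ip": ipaddress.ip_address(m.group(3)), "dst_port": int(m.group(4)),
    }

def classify(entry, my_ip=MY_IP):
    """A packet addressed to this host is 'incoming'; one that reached our
    interface but carries somebody else's destination address is 'routed'."""
    return "incoming" if entry["dst_ip"] == my_ip else "routed"

def ephemeral_source(entry):
    """High source ports (37664 in the thread) are what any client picks for an
    outgoing connection; the well-known service port (80) sits on the destination."""
    return entry["src_port"] >= 1024 and entry["dst_port"] < 1024

def analyze(log_text, my_ip=MY_IP, local_net=LOCAL_NET):
    """Annotate each entry. A 'routed' packet whose destination is on our own
    segment is the case worth a closer look: the sender has no reason to relay
    through us to reach a neighbour, so its gateway or ARP mapping is off."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e["kind"] = classify(e, my_ip)
        e["dst_on_our_segment"] = e["dst_ip"] in local_net
        e["needs_attention"] = e["kind"] == "routed" and e["dst_on_our_segment"]
        out.append(e)
    return out

if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        print(e["kind"], e["src_ip"], "->", e["dst_ip"], e["needs_attention"])
```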
February 4th, 2005, 07:14 PM
A virus? On the central proxy server? I think that's a bit unlikely. They use some strange equipment in our campus and there's a whole army of people who are involved with the maintenance and upgradation. There's actually a whole department (different from the computer science dept) that takes care of it.
I'm sorry but what's DHCP? I'm new to this sort of thing. Does it have something to do with connecting the computers on the LAN?
Why would anyone need to route themselves through my computer? And also if they need to get to my neighbour?
February 4th, 2005, 08:02 PM
If in fact it was a virus, it is definitely not hard to change the source ip address of the packet to point to anything. This is how a DDoS attack works (in my limited understanding).
DHCP automatically generates IP addresses from a pool of available ones for you so that you don't have to manually type one in. They change over time and typically have an expiration date.
If your machine, for instance, became a "zombie" machine (not unlikely in a college dorm, as there are numerous security threats), attackers could use your computer to make it appear as though messages are coming from you instead of from them.
zencoder, thank you for the correction, you are correct sir.
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
February 5th, 2005, 04:25 AM
So a DHCP gives us random IP addresses automatically. No. We've got fixed IP addresses. I think you're right. Maybe it is a virus from some computer on the LAN. After the day before yesterday, I haven't got another log of the sort again. I guess maybe it's fixed. Anyway thanks for the info.