
Mystery host answers for mine

I decided yesterday morning to reflash my home firewall’s version of OpenWRT. This involved rebooting the router, of course, and when the router came up the friendly folks at Earthlink (or Time Warner Cable, depending on who runs the DHCP servers) had assigned my home cable modem a new IP address.

As I worked out a few issues with the new firmware, paring down modules and processes in order to make it all fit inside my modest little router, I decided to test the firewall rules to see whether things were working. From my server hosted outside of my network, I ran a simple nmap test to see which ports were open:

[root@tranquil /home/markt]# nmap -sT -P0 maestro.markturner.net

Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-02 11:44 EST
Nmap scan report for maestro.markturner.net (24.40.133.50)
Host is up (0.035s latency).
rDNS record for 24.40.133.50: user-0c2h19i.cable.mindspring.com
Not shown: 955 closed ports, 40 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
587/tcp open submission
993/tcp open imaps
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds

That’s about what I expected, so I turned my attention to other issues, including running another test twenty minutes later:

[root@tranquil /home/markt]# nmap -sT -P0 maestro.markturner.net

Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-02 12:04 EST
Nmap scan report for maestro.markturner.net (24.40.133.16)
Host is up (0.028s latency).
rDNS record for 24.40.133.16: user-0c2h18g.cable.mindspring.com
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
587/tcp open submission
593/tcp filtered http-rpc-epmap
993/tcp open imaps
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 38.88 seconds

For the second test you can see I’ve got a few other ports showing up (TCP 135, 139, 445). These are supposedly filtered by the ISP somewhere down the line (probably at the cable-modem level) to block clueless Windows users from exposing their networks to teh Internets.

You can see that these tests produced different results. It was what was the same about these results, however, that caught my eye!

Did you notice? In the first nmap test my home system appeared to answer at an IP address it was no longer using! Something answered on behalf of my old home IP address and I can absolutely say for certain that it wasn’t my home machine! It’s also interesting that the supposedly ISP-supplied blocks on the Windows ports (filtered TCP ports 135, 139, and 445) didn’t show up in the ghost response.
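The comparison made by eye above can be done mechanically. The following is an added example, not code from the original post: it parses the two nmap reports quoted above (embedded as constructed sample input copied from the post's text) and diffs them in the order a practitioner would check them, first the address the hostname resolved to, then the rDNS name, then the per-port states. It also keeps nmap's "Not shown:" summary line, because nmap folds the most common states into that line, so a port that is absent from the table is only "unlisted", not known to be closed or unfiltered. Nothing outside the Python standard library is assumed (Python 3.8 or later for the walrus operator).

```python
# Added example, not from the original post: diff two nmap scans of one hostname.
# The two scans quoted above are embedded as constructed sample input copied
# from the post. Checks, in order: what the name resolved to, the rDNS name,
# then per-port states. nmap's "Not shown:" summary is kept because nmap folds
# the most common states into it, so a port absent from the table is
# "unlisted", not known to be closed.
import re
from typing import Dict

SCAN_A = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-02 11:44 EST
Nmap scan report for maestro.markturner.net (24.40.133.50)
Host is up (0.035s latency).
rDNS record for 24.40.133.50: user-0c2h19i.cable.mindspring.com
Not shown: 955 closed ports, 40 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
587/tcp open submission
993/tcp open imaps
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds
"""

SCAN_B = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-02 12:04 EST
Nmap scan report for maestro.markturner.net (24.40.133.16)
Host is up (0.028s latency).
rDNS record for 24.40.133.16: user-0c2h18g.cable.mindspring.com
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
587/tcp open submission
593/tcp filtered http-rpc-epmap
993/tcp open imaps
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 38.88 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)$")
RDNS_RE = re.compile(r"^rDNS record for \S+: (\S+)$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.+)$")
HIDDEN_ITEM_RE = re.compile(r"(\d+) (\w+) ports?")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> dict:
    """Parse nmap normal output for a single host into a plain dict."""
    scan = {"target": None, "ip": None, "rdns": None, "ports": {}, "hidden": {}}
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            scan["target"], scan["ip"] = m.group(1), m.group(2)   # name -> address at scan time
        elif m := RDNS_RE.match(line):
            scan["rdns"] = m.group(1)
        elif m := NOT_SHOWN_RE.match(line):
            for count, state in HIDDEN_ITEM_RE.findall(m.group(1)):
                scan["hidden"][state] = int(count)                # e.g. {"closed": 955, "filtered": 40}
        elif m := PORT_RE.match(line):
            scan["ports"][m.group(1)] = m.group(2)                # "22/tcp" -> "open"
    if scan["ip"] is None:
        raise ValueError("no 'Nmap scan report' line found")
    return scan


def open_ports(scan: dict) -> set:
    return {p for p, s in scan["ports"].items() if s == "open"}


def unlisted_label(scan: dict) -> str:
    """State for a port absent from the table: unlisted, annotated with what nmap folded away."""
    return "unlisted (" + ", ".join(f"{n} {s}" for s, n in scan["hidden"].items()) + ")"


def compare(a: dict, b: dict) -> dict:
    """Diff two scans; the address check comes first because everything else depends on it."""
    changes: Dict[str, tuple] = {}
    for port in sorted(set(a["ports"]) | set(b["ports"]), key=lambda p: int(p.split("/")[0])):
        sa = a["ports"].get(port) or unlisted_label(a)
        sb = b["ports"].get(port) or unlisted_label(b)
        if sa != sb:
            changes[port] = (sa, sb)
    return {
        "address_changed": a["ip"] != b["ip"],     # same name, different host: compare with care
        "rdns_changed": a["rdns"] != b["rdns"],
        "same_open_ports": open_ports(a) == open_ports(b),
        "port_changes": changes,
    }


if __name__ == "__main__":
    a, b = parse_nmap(SCAN_A), parse_nmap(SCAN_B)
    for key, value in compare(a, b).items():
        print(f"{key}: {value}")
```

Run against the two reports, the diff flags the address change and the rDNS change before anything else, reports the set of open ports as identical, and lists 135, 139, 445 and 593 as "unlisted (955 closed, 40 filtered)" in the first scan versus "filtered" in the second, which makes the point that the first report did not show them individually rather than showing them absent. When the target is a dynamic address, scanning the literal IP (nmap's `-n` also skips DNS resolution) or at least recording what the name resolved to, as nmap prints on its "Nmap scan report" line, keeps two runs comparable.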

What is going on here? Why would I get a response for my home system when I know for sure my home system is not answering? Something smells very, very fishy here.

If I were conspiracy-minded (and you know I’m … uh … not, right?), I would wonder if someone had set up a proxy for my IP to carry out a man-in-the-middle attack or to snarf packets on the way to my home. I would also wonder if, when my home IP changed, the proxy IP didn’t catch the change in time to hide itself. That’s what I would wonder if I were conspiracy-minded. Good thing I can be certain that good, patriotic folks at the NSA wouldn’t dream of spying on honest, law-abiding Americans like me. Right? Right?

It looks for all the world as though something very clearly mimicked my home server at a time when my home server wasn’t answering to that old IP address. If anyone has a better explanation I’d love to hear it.