Koozali.org: home of the SME Server

My box is sending out its internal IP address!

nate
« on: December 12, 2006, 06:59:16 PM »
Calling all you network security uber-gurus...

….should I be worried?

When I go to this web site: http://isc.sans.org/   they have a sniffer that detects my internal IP – not the public router address like it does everywhere else that sniffs me.  Also, only one machine does this?  From every other client on my network if I go to a site that says your IP is: blah.blah.blah.1  - it only sees my router (sme 6.01-01 w/smeplus).  However, from one client machine the Internet Storm Center’s port detector sees my internal address and gets it right every time!   I talked to them and they said they looked at the browser headers and the proxy.

The box is Win-XP Pro running IIS and SMTP. – BUT, …I have several of these that are exactly the same and this is the only one that is doing this.
 
(1)   Should I be worried / Pull the box off line?
(2)   What would push my 192.168.. address out on port 80?

 
 
Nate
....Making the Jump to 7.x   8-)

piran
« Reply #1 on: December 15, 2006, 10:46:11 AM »
Nate: my best recommendation is that you need more underwear.
Until you've resolved the resources problem in the underwear department
don't even think about http://grc.com or http://dnsstuff.com or that your
email package is likely to put that address into the outgoing headers too.

william_syd
« Reply #2 on: December 15, 2006, 01:33:02 PM »
Where on that page is the sniffer?

I've seen having java/javascript enabled in your browser as being a cause of this.
Regards,
William

IF I give advice.. It's only if it was me....

piran
« Reply #3 on: December 15, 2006, 01:36:35 PM »
william_syd:
<Where on that page is the sniffer?>
...left sidebar near the top ("IP Lookup")?

william_syd
« Reply #4 on: December 15, 2006, 01:42:57 PM »
Looks more like a whois than a sniffer.

Interesting...

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1005293
Regards,
William

IF I give advice.. It's only if it was me....

piran
« Reply #5 on: December 15, 2006, 02:13:24 PM »
So... just a damp Squid;~)

william_syd
« Reply #6 on: December 15, 2006, 02:15:28 PM »
Quote from: "piran"
So... just a damp Squid;~)


damp Squid ?
Regards,
William

IF I give advice.. It's only if it was me....

piran
« Reply #7 on: December 15, 2006, 02:24:34 PM »
English humour... it was mildly amusing at that moment.
Correct spelling is 'damp squib'.
Exciting firework but wasn't due to dampness, coupled with
an allusion to excessive worry and OP's underpants signature.

nate
« Reply #8 on: December 15, 2006, 07:35:29 PM »
Quote from: "piran"
Nate: my best recommendation is that you need more underwear.
Until you've resolved the resources problem in the underwear department
don't even think about http://grc.com or http://dnsstuff.com or that your
email package is likely to put that address into the outgoing headers too.


I guess the underwear comment is some kind of attempt at humor?  Thanks for the reply anyway...  BTW - The two sites you mention only see my public gateway!  206.176.229.195  That's all I can ever see from the outside unless I VPN in?
....Making the Jump to 7.x   8-)

nate
« Reply #9 on: December 15, 2006, 07:39:44 PM »
Quote from: "william_syd"
Looks more like a whois than a sniffer.

Interesting...

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1005293

 
Thank you for the reply.  However, the link above does not work for me.
 
I spoke with someone from ISC and he told me about the Java issue, but assured me they were not using that method.  He could not figure it out either?  
 
- Nate
....Making the Jump to 7.x   8-)

piran
« Reply #10 on: December 15, 2006, 07:50:11 PM »
Quote from: "nate"
* All controlled from home in my underwear using PPTP & VNC!  Cool

Quote from: "nate"
I guess the underwear comment is some kind of attempt at humor?

Well, you said it. My site's Squid also puts that (internal IP) into my email headers
too. Consider it a fact of life. Shouldn't matter to a properly set up server site as
it's a non-routable IP. Squid is really not something with which I'd want to mess.

william_syd
« Reply #11 on: December 15, 2006, 11:58:12 PM »
Quote from: "nate"
Quote from: "william_syd"

http://forums.dnsstuff.com/tool/post/dnsstuff/vpost?id=1005293

 
Thank you for the reply.  However, the link above does not work for me.
 


Interesting.

Quoting the posts at the above link...

Quote
Hi Guys,

 

There is something very strange. I am using a NAT server to access internet from my computer, (Also use Squid as proxy server for web accessing). My computer address is something like 192.168.1.108 and the NAT server external address is 206.X.X.X. When I go to www.dnsstuff.com, it surprises me that it shows both the external ip address and my internal ip address. How does it figure out my internal ip address then? Any explanation for this?

 

Thanks in advance and have a nice day.

 

Nick.

Quote
The key is Squid.

With a normal web connection, it would be impossible to know your internal IP address (no matter what your firewall does); the internal IP can't be leaked.

However, web proxies were originally designed for ISPs, in which case the websites wanted to know what IP the user was using (the "client IP", so they could distinguish hits).  Therefore, Squid (and most other web proxies) are normally set up to give out the client IP.  In fact, if you were getting blocked from our site because someone else using the Squid proxy was attacking our site, we would only be able to add the proxy as a "trusted" proxy if the client IP was reported (but only if it was a public IP, so see below).

When used on a local network, though, using internal IPs, giving out the client IP often isn't desired.  It would normally only be beneficial in cases of abuse, so the abuser could be tracked down.  And it can provide the "bad guys" with information about your local network (that probably wouldn't be very useful, but might).

To get around this, you could set up Squid to not report the client IP.

Quote
a "normal" web-connection might detect your internal ip via java - have a look at http://serversniff.net/browser_header.php
to see such an applet in action. the applet has no problem to submit your private ip back to the originating webserver without you knowing it.
Regards,
William

IF I give advice.. It's only if it was me....
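
The Squid behaviour described in the quoted answer above, as an added example that is not part of the original thread: by default Squid appends the client's address to each forwarded request in an `X-Forwarded-For` header, which any site that reads proxy headers can display. This Python check takes a request as the outside web server receives it and lists private addresses found in proxy headers; the sample requests and host names are constructed, and the second sample shows the header as Squid sends it with `forwarded_for off` set in squid.conf.

```python
import ipaddress
import re

# Request headers a proxy may use to pass along the original client address.
PROXY_HEADERS = {"x-forwarded-for", "forwarded", "client-ip", "via"}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample: request as an outside web server receives it via Squid.
LEAKY = (
    "GET / HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "Via: 1.0 gateway.example.lan:3128 (squid/2.5.STABLE6)\r\n"
    "X-Forwarded-For: 192.168.1.108\r\n"
    "\r\n"
)
# Constructed sample: same request once Squid runs with "forwarded_for off".
FIXED = LEAKY.replace("X-Forwarded-For: 192.168.1.108", "X-Forwarded-For: unknown")


def parse_headers(raw_request):
    """Return (name, value) pairs from the head of a raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def leaked_internal_addresses(raw_request):
    """List (header, address) for private IPv4 addresses in proxy headers."""
    findings = []
    for name, value in parse_headers(raw_request):
        if name.lower() not in PROXY_HEADERS:
            continue
        for text in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if addr.is_private and not addr.is_loopback:
                findings.append((name, text))
    return findings


if __name__ == "__main__":
    print("default Squid:", leaked_internal_addresses(LEAKY))
    print("forwarded_for off:", leaked_internal_addresses(FIXED))
```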

boss_hog

« Reply #12 on: December 16, 2006, 04:17:18 PM »
Hi guys,
this same issue was briefly discussed here:

http://forums.contribs.org/index.php?topic=29342.0

It didn't seem to cause Charlie any undue concern.
Joe