Solved

Outbound traffic on unknown ports to private IP addresses

Posted on 2003-11-17
Last Modified: 2008-03-03
Hi,

I am noticing some strange activity on my firewall. There is outbound UDP traffic from two servers (both running Win2K Server, one running SQL 2000 and the other Exchange 2000). It is outbound from these servers to private addresses that do not exist on my internal network. The destination IPs are 192.168.32.1 and 192.168.100.1. The ports being used are mainly 1055, 1057 & 1058, but I have noticed 1518, 1520 & 1521 as well. Has anyone seen this before? I've checked virus/event and IIS logs and don't see anything unusual, and everything is operating normally. Any suggestions as to what might be causing this would be appreciated.

Thanks,
Dawn
0
Question by:Dawn_Bl
9 Comments
 
LVL 19

Accepted Solution

by:
Dexstar earned 250 total points
ID: 9767184
Dawn_Bl:

> Any suggestions as to what might be causing this would be appreciated.

I would install "Network Monitor" that comes with W2K Server on either or both of those machines and sniff the network traffic to see what the contents of these packets are.

Here is information on how to set it up and use it:
http://support.microsoft.com/?kbid=243270

Hope That Helps,
Dex*
0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9767516
Sometimes this sort of thing can happen if you have an overlap in DNS between your windows network and your ISP's network.  I had a heck of a time when I named one of my computers WIN98.  Turns out my ISP had one named the same thing, *and* they had put an entry in on their DNS server.  If my computer was turned on, things were fine, but if it wasn't (thus the broadcast for it would fail), my machine would find the DNS entry for WIN98 on my ISP's internal network and try to talk to it!  

Although I admit there are fairly short odds on it being the same thing, the symptoms would have been similar.  Since the ports you report are above 1023, they may be the transitory ports used when first establishing a connection.  If you do have a similar situation, it could be that those devices used to talk to someone who used the same name as the device at those IP addresses.

A way longshot, but you did ask if we'd seen something similar...  :)

Either way, I'd still hook up the network monitor and take a look.  Also, try a netstat on the source boxes.  That should turn up some more information.

Good luck!
0
 
LVL 1

Expert Comment

by:riannuzzi
ID: 9767564
Do you have Citrix or VPN clients? Could this be the address they are using? It can also be spoofing... also the Welchia virus creates tons of TCP exhaustion... although you should run the Welchia patch to make sure it is not on your system...
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9767913
While there's some activity on these ports in the wild, there's not much, and they don't correspond to any known vulnerabilities.

http://www.dshield.org/port_report.php?port=1055&recax=1&tarax=2&srcax=2&percent=N&days=40
http://www.dshield.org/port_report.php?port=1057&recax=1&tarax=2&srcax=2&percent=N&days=40
http://www.dshield.org/port_report.php?port=1058&recax=1&tarax=2&srcax=2&percent=N&days=40

You don't say what the source ports are... might be backscatter?
I'd get a sniff on those switchports to see what they're up to.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9768710
One thing to be very conscious of is that many of today's worms and viruses will, as a first order of business, disable local virus scans, so they don't get on any logs.

If you haven't kept absolutely current with your service packs and security hotfixes, and disabled all unnecessary services, you may have a worm or backdoor trojan that your antivirus isn't scanning and therefore not logging.  

If I were in your shoes, I would first run a web-based virus scan, like the one at http://housecall.trendmicro.com/ and follow that with a spyware/adware scan that also picks up trojans that virus scans bypass, like SpySweeper from www.webroot.com, if for no other reason than to ease my mind.  Also go visit www.blackviper.com to help you determine what services you can and should disable - not only will you be more secure, you will likely see an improvement in performance and stability.

If all of that comes up clean, and you have a reasonable comfort level of the security of your systems, but this traffic continues - I would then look at whether or not someone in your network is doing something along the lines of running a peer-to-peer file sharing program.  The reason I mention that is that you made note of 2 sets of 3 UDP ports.  Many file sharing programs not only use multiple UDP ports but also allow you to modify the UDP listeners to bypass things like packet filters.
0
 

Author Comment

by:Dawn_Bl
ID: 9770634
Thanks for all of the suggestions. I will try running a sniffer to get more details and report back.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9771035
A good free one can be found at www.ethereal.com
0
 

Author Comment

by:Dawn_Bl
ID: 9772992
Thank you for all of your help. I installed Network Monitor (and fought with it for a while) and realized the traffic is coming from a laptop that is not part of our domain but is used for some remote administration purposes. It had some additional IP addresses on it from a few VMWare instances. I was only seeing the outbound because there was no route to the addresses not on our network. The remote admin app was trying to respond on all IPs.

Thanks again... Dawn
0
 

Expert Comment

by:qzzwrs
ID: 9773391
One thing I did at my work was to put an ACL on our Internet router and block all outbound private address ranges. Theoretically they shouldn't be routed anyway, but since we syslog, our syslog will be notified if it happens.
0
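As an added example (not code from any poster in this thread), the check qzzwrs describes written as detection logic over firewall log lines: flag outbound flows whose destination is an RFC 1918 address that is not part of the known internal address space, which is exactly the pattern Dawn saw with 192.168.32.1 and 192.168.100.1. The log line format and the 10.20.0.0/16 internal range are constructed assumptions for this example.

```python
import ipaddress
from collections import Counter

# Address space the site actually uses internally (assumption for this
# example; the thread never states the real internal subnet).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# RFC 1918 ranges: traffic to these should never leave the Internet router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a simple "proto src:sport > dst:dport" form,
# modelled on the ports from the question; not real firewall output.
SAMPLE_LOG = """\
UDP 10.20.1.5:1055 > 192.168.32.1:1055
UDP 10.20.1.5:1057 > 192.168.100.1:1057
UDP 10.20.1.6:1058 > 192.168.32.1:1058
TCP 10.20.1.7:3344 > 198.51.100.9:80
UDP 10.20.1.5:1518 > 192.168.100.1:1518
UDP 10.20.1.8:53 > 10.20.0.2:53
"""

def parse_line(line):
    """Split one constructed log line into (proto, src, sport, dst, dport)."""
    proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(sip), int(sport), ipaddress.ip_address(dip), int(dport)

def is_private(addr):
    return any(addr in net for net in RFC1918)

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_leaks(log_text):
    """Return (src, dst, dport) for flows to RFC 1918 destinations that are
    not in the internal address space, i.e. traffic that should be dropped
    and logged at the egress ACL rather than silently routed upstream."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, sip, _, dip, dport = parse_line(line)
        if is_private(dip) and not is_internal(dip):
            hits.append((str(sip), str(dip), dport))
    return hits

def summarize(hits):
    """Count flagged flows per (source, destination) pair for triage."""
    return Counter((src, dst) for src, dst, _ in hits)

if __name__ == "__main__":
    for (src, dst), n in summarize(find_leaks(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} flagged flow(s)")
```

The internal-subnet whitelist matters: a plain "block all RFC 1918 egress" rule would also flag legitimate traffic to 10.20.0.2 above, so the check only alarms on private destinations that have no business existing on this network.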
