Solved

What in the world is the IP address 223.1.1.128?  I see it everywhere.

Posted on 2007-11-28
8
4,261 Views
Last Modified: 2013-12-04
I am working on an issue involving the NAT tables flooding on a router and I am seeing the IP address 223.1.1.128 showing up everywhere.  It is always the destination address for a connection on TCP 137 or 139.  The machines connecting to this address are servers.  

Some people have suggested that these machines are infected with malware or the like.  Fine, but I scanned the servers in question to make sure that is not the case.  If you google around you will see it shows up in many logs and whatnot.  In fact, it is referenced in several EE cases but it is never explained.

I also went to one of the servers in question and cannot find any of these connections in the netstat results.  Is this something to be ignored, something indicating configuration issues or something indicating viral/mal issues?
Question by:BBG-BBGM
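As an added example (not part of the thread), a small Python triage script for the symptom described in the question: it groups flows by destination address and port, lists which internal hosts are responsible, and separates attempts that never got past SYN from established connections. The key=value log layout, the 10.0.0.0/8 internal range and the sample lines are all constructed assumptions; adapt the regex to the real router or firewall export.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Ports the question's flows used (137/139) plus the rest of Windows networking.
NETBIOS_PORTS = {137, 138, 139, 445}
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the WAN's internal ranges
# Simplified key=value record layout (an assumption; adjust to the real device's format).
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
                     r"proto=(?P<proto>\w+)\s+state=(?P<state>\w+)")

# Constructed sample modelled on the symptom in the question: servers on several
# subnets repeatedly opening TCP 137/139 toward 223.1.1.128 without completing.
SAMPLE_LOG = """\
src=10.1.0.5:49231 dst=223.1.1.128:139 proto=tcp state=SYN_SENT
src=10.1.0.5:49232 dst=223.1.1.128:137 proto=tcp state=SYN_SENT
src=10.2.0.7:50110 dst=223.1.1.128:139 proto=tcp state=SYN_SENT
src=10.1.0.5:49233 dst=223.1.1.128:139 proto=tcp state=SYN_SENT
src=10.1.0.20:51000 dst=198.51.100.10:443 proto=tcp state=ESTABLISHED
src=10.3.0.9:40000 dst=10.1.0.5:445 proto=tcp state=ESTABLISHED
"""

def parse_flows(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def is_local(addr, nets=LOCAL_NETS):
    """True when addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def summarize(text):
    """Per (dst, dport): flow count, SYN-only count and the internal hosts responsible,
    restricted to Windows-networking ports leaving the local ranges (the NAT-eating flows)."""
    stats = defaultdict(lambda: {"flows": 0, "syn_only": 0, "sources": Counter()})
    for f in parse_flows(text):
        if f["dport"] not in NETBIOS_PORTS or is_local(f["dst"]):
            continue  # internal file sharing is expected; only outbound flows matter here
        s = stats[(f["dst"], f["dport"])]
        s["flows"] += 1
        s["sources"][f["src"]] += 1
        s["syn_only"] += f["state"] == "SYN_SENT"  # attempt that never completed
    return dict(stats)
```

The `sources` counter under each destination is the list of hosts to inspect, and a `syn_only` count equal to `flows` means the address never answers, which is the distinction between connecting and merely trying to connect.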
8 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20368060
I think your workstations are infected; they are trying to connect to the host you have mentioned and they fill up your NAT table.
To solve the problem fast, try the following: on the input of the firewall, drop all packets to ports 135-139 and 445 (both TCP and UDP), unless you're using Windows networking outside your firewall.
It is the recommended solution from Microsoft to block the mentioned ports on your firewall if you are using file and printer sharing ONLY within your local network.
 
LVL 1

Author Comment

by:BBG-BBGM
ID: 20368134
Thanks for the reply, from_exp.  I'm not so certain that this is an infection because the only nodes that are generating these connections are Windows servers and we have a slightly complicated network topology.  (WAN involving 5 offices and 5 subnets over 2 different gateways.)  My guess is the 137/139 traffic is the servers playing 'master browser' wars like Windows servers like to do so much.

Back to the question:  What is 223.1.1.128?
No other external IPs are coming up.  Just 223.1.1.128.

Also, not only do we have SAV running on all servers and workstations.. but we scan for viruses at our gateways (cymphonix and sonicwall) as well.  
 
LVL 21

Expert Comment

by:from_exp
ID: 20368303
It appears this address is IANA reserved:
http://www.iana.org/assignments/ipv4-address-space
It means you're dealing with some sort of virus or trojan.
Unallocated addresses are used in some so-called blackhole networks (networks with addresses that should not exist).
 
LVL 18

Expert Comment

by:Johnjces
ID: 20373933
Rootkit maybe? Hard to detect. Download Microsoft's RootkitRevealer from

http://www.microsoft.com/technet/sysinternals/securityutilities.mspx

The output may be hard to decipher but with some help might show something. (Lot of other good tools there as well).

Also, is/are your machines actually connecting, or just trying to connect? I tried scanning that address for open ports and found none yesterday. It could be timed.... I do not know.

John
 
LVL 1

Accepted Solution

by:BBG-BBGM (earned 0 total points)
ID: 20474155
It was the default address assigned to the Sonicwall GVPN Virtual Adapter.  Thanks everybody for your helpful suggestions but this was it.
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20555472
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
 

Expert Comment

by:Change2009
ID: 25425879
I had the same issue and I used your suggestion. Even though the SonicWall VPN client TCP/IP was set for DHCP and it was not connected (enabled), it was broadcasting 223.1.1.128 when we pinged the server. I disabled the connection and the broadcast stopped. Thank you for your finding.