Solved

What in the world is the IP address 223.1.1.128?  I see it everywhere.

Posted on 2007-11-28
4,256 Views
Last Modified: 2013-12-04
I am working on an issue involving the NAT tables flooding on a router and I am seeing the IP address 223.1.1.128 showing up everywhere.  It is always the destination address for a connection on TCP 137 or 139.  The machines connecting to this address are servers.  

Some people have suggested that these machines are infected with malware or the like.  Fine, but I scanned the servers in question to make sure that is not the case.  If you google around you will see it shows up in many logs and whatnot.  In fact, it is referenced in several EE cases but it is never explained.

I also went to one of the servers in question and cannot find any of these connections in the netstat results.  Is this something to be ignored, something indicating configuration issues or something indicating viral/mal issues?
0
Question by:BBG-BBGM
8 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20368060
I think your workstations are infected; they are trying to connect to the host you have mentioned and they fill up your NAT table.
To solve the problem fast, try doing the following: on the input of the firewall, drop all packets to ports (both TCP and UDP) 135-139 and 445, unless you're using Windows networking outside your firewall.
It is the recommended solution from Microsoft to block the mentioned ports on your firewall if you are using file and printer sharing ONLY within your local network.
0
 
LVL 1

Author Comment

by:BBG-BBGM
ID: 20368134
Thanks for the reply, from_exp.  I'm not so certain that this is an infection because the only nodes that are generating these connections are Windows servers and we have a slightly complicated network topology.  (WAN involving 5 offices and 5 subnets over 2 different gateways.)  My guess is the 137/139 traffic is the servers playing 'master browser' wars like Windows servers like to do so much.

Back to the question:  What is 223.1.1.128?
No other external IPs are coming up.  Just 223.1.1.128.

Also, not only do we have SAV running on all servers and workstations, but we scan for viruses at our gateways (Cymphonix and SonicWall) as well.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20368303
It appears this address is IANA reserved:
http://www.iana.org/assignments/ipv4-address-space
It means you're dealing with some sort of virus or trojan.
Unallocated addresses are used in some so-called blackhole networks (networks with addresses that should not exist).
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 20373933
Rootkit maybe? Hard to detect. Download Microsoft's RootkitRevealer from

http://www.microsoft.com/technet/sysinternals/securityutilities.mspx

The output may be hard to decipher but with some help might show something. (Lot of other good tools there as well).

Also, are your machines actually connecting or just trying to connect? I tried scanning that address for open ports and found none yesterday. It could be timed.... I do not know.

John
0
 
LVL 1

Accepted Solution

by:
BBG-BBGM earned 0 total points
ID: 20474155
It was the default address assigned to the Sonicwall GVPN Virtual Adapter.  Thanks everybody for your helpful suggestions but this was it.
0
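Before the cause was known, the useful triage step in a thread like this is to pull the NAT/connection table and ask which destinations are attracting Windows-networking traffic (135-139, 445) from more than one internal host. The following script is an added example, not code from the thread or from SonicWall; the log format and the addresses in SAMPLE_LOG are constructed for illustration, and the address-class hints come from Python's current IANA data, not the 2007 allocation status discussed above.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of NAT-table lines (hypothetical format, not the thread's router).
SAMPLE_LOG = """\
tcp 10.1.0.5:1450 -> 223.1.1.128:139 state=SYN_SENT
tcp 10.1.0.5:1451 -> 223.1.1.128:139 state=SYN_SENT
tcp 10.1.0.7:2201 -> 223.1.1.128:137 state=SYN_SENT
udp 10.1.0.7:137 -> 223.1.1.128:137 state=UNREPLIED
tcp 10.1.0.9:3322 -> 198.51.100.20:443 state=ESTABLISHED
tcp 10.2.0.4:1099 -> 223.1.1.128:139 state=SYN_SENT
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Ports from_exp suggested blocking at the firewall edge (Windows networking).
NETBIOS_PORTS = {135, 137, 138, 139, 445}


def parse_log(text):
    """Yield (proto, src, dst, dport) for each line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])


def netbios_sinks(text, min_sources=2):
    """Destinations receiving Windows-networking traffic from >= min_sources hosts.

    Returns {dst: {"count": n, "sources": [internal hosts]}}, so each listed
    source can be checked for the adapter or service that originates the traffic."""
    counts = Counter()
    sources = defaultdict(set)
    for _proto, src, dst, dport in parse_log(text):
        if dport in NETBIOS_PORTS:
            counts[dst] += 1
            sources[dst].add(src)
    return {dst: {"count": counts[dst], "sources": sorted(sources[dst])}
            for dst in counts if len(sources[dst]) >= min_sources}


def describe(addr):
    """Address-class hints from the stdlib's current IANA tables (not 2007 status)."""
    ip = ipaddress.ip_address(addr)
    return {"private": ip.is_private, "global": ip.is_global, "reserved": ip.is_reserved}


if __name__ == "__main__":
    for dst, info in netbios_sinks(SAMPLE_LOG).items():
        print(dst, info, describe(dst))
```

A destination that is not on your own address plan yet collects NetBIOS traffic from several servers, as 223.1.1.128 does here, points at something common to those hosts (in this thread, the VPN client's virtual adapter) rather than at a single compromised machine.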
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20555472
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0
 

Expert Comment

by:Change2009
ID: 25425879
I had the same issue and I used your suggestion. Even though the SonicWall VPN client TCP/IP was set for DHCP and it was not connected (enabled), it was broadcasting 223.1.1.128 when we pinged the server. I disabled the connection and the broadcast stopped. Thank you for your finding.
0
