Solved

What in the world is the IP address 223.1.1.128?  I see it everywhere.

Posted on 2007-11-28
Last Modified: 2013-12-04
I am working on an issue involving the NAT tables flooding on a router and I am seeing the IP address 223.1.1.128 showing up everywhere.  It is always the destination address for a connection on TCP 137 or 139.  The machines connecting to this address are servers.  

Some people have suggested that these machines are infected with malware or the like.  Fine, but I scanned the servers in question to make sure that is not the case.  If you google around you will see it shows up in many logs and whatnot.  In fact, it is referenced in several EE cases but it is never explained.

I also went to one of the servers in question and cannot find any of these connections in the netstat results.  Is this something to be ignored, something indicating configuration issues or something indicating viral/mal issues?
Question by:BBG-BBGM
8 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20368060
I think your workstations are infected; they are trying to connect to the host you have mentioned and they fill up your NAT table.
To solve the problem fast, try doing the following: on the input of the firewall, drop all packets to ports (both TCP and UDP) 135-139 and 445, unless you're using Windows networking outside your firewall.
It is the recommended solution from Microsoft to block the mentioned ports on your firewall if you are using file and printer sharing ONLY within your local network.
0
 
LVL 1

Author Comment

by:BBG-BBGM
ID: 20368134
Thanks for the reply, from_exp.  I'm not so certain that this is an infection because the only nodes that are generating these connections are Windows servers and we have a slightly complicated network topology.  (WAN involving 5 offices and 5 subnets over 2 different gateways.)  My guess is the 137/139 traffic is the servers playing 'master browser' wars like Windows servers like to do so much.

Back to the question:  What is 223.1.1.128?
No other external IPs are coming up.  Just 223.1.1.128.

Also, not only do we have SAV running on all servers and workstations.. but we scan for viruses at our gateways (cymphonix and sonicwall) as well.  
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20368303
It appears this address is IANA reserved:
http://www.iana.org/assignments/ipv4-address-space
It means you're dealing with some sort of virus or trojan.
Unallocated addresses are used in some so-called blackhole networks (networks with addresses that should not exist).
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 20373933
Root kit maybe? Hard to detect. Download Microsoft's rootkit revealer from

http://www.microsoft.com/technet/sysinternals/securityutilities.mspx

The output may be hard to decipher but with some help might show something. (Lot of other good tools there as well).

Also, is/are your machines actually connecting or just trying to connect? I tried scanning that address for open ports and found none yesterday. It could be timed.... I do not know.

John
0
 
LVL 1

Accepted Solution

by:
BBG-BBGM earned 0 total points
ID: 20474155
It was the default address assigned to the Sonicwall GVPN Virtual Adapter.  Thanks everybody for your helpful suggestions but this was it.
0
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20555472
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0
 

Expert Comment

by:Change2009
ID: 25425879
I had the same issue and I used your suggestion. Even though the SonicWall VPN client TCP/IP was set for DHCP and it was not connected (enabled), it was broadcasting 223.1.1.128 when we ping the server. I disabled the connection and the broadcast stopped. Thank you for your finding.
0
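
The triage this thread works through, as an added example that is not from any poster: it summarises NAT entries on the Windows networking ports (135-139, 445) whose destination lies outside the internal ranges, so a single stray destination such as 223.1.1.128 and the hosts producing it stand out. The entry format, the RFC 1918 internal ranges and the sample entries are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: internal ranges are the RFC 1918 blocks; replace with your own subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Windows networking ports named in the thread (135-139 and 445).
WINDOWS_PORTS = set(range(135, 140)) | {445}

# Constructed sample in a hypothetical "proto src:sport dst:dport" format.
SAMPLE_NAT_TABLE = """\
tcp 10.1.1.10:1044 223.1.1.128:139
tcp 10.1.1.10:1045 223.1.1.128:137
tcp 10.2.1.20:2301 223.1.1.128:139
tcp 10.1.1.10:1046 10.3.1.5:445
tcp 10.4.1.77:3390 198.51.100.7:443
garbage line that should be skipped
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_entry(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        src_host = parts[1].rsplit(":", 1)[0]
        dst_host, dst_port = parts[2].rsplit(":", 1)
        return (parts[0], ipaddress.ip_address(src_host),
                ipaddress.ip_address(dst_host), int(dst_port))
    except ValueError:
        return None

def external_windows_flows(table_text):
    """Map each non-internal destination to the internal sources and entry count."""
    summary = defaultdict(lambda: {"sources": set(), "entries": 0})
    for line in table_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        _, src, dst, port = entry
        if port in WINDOWS_PORTS and is_internal(src) and not is_internal(dst):
            summary[str(dst)]["sources"].add(str(src))
            summary[str(dst)]["entries"] += 1
    return dict(summary)

if __name__ == "__main__":
    for dst, info in external_windows_flows(SAMPLE_NAT_TABLE).items():
        print(dst, info["entries"], sorted(info["sources"]))
```

Once the source hosts are known, checking the addresses bound to their installed adapters, including disconnected VPN virtual adapters, is what resolved this case.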
