What in the world is the IP address I see it everywhere.

I am working on an issue involving the NAT tables flooding on a router and I am seeing the IP address showing up everywhere.  It is always the destination address for a connection on TCP 137 or 139.  The machines connecting to this address are servers.  

Some people have suggested that these machines are infected with malware or the like.  Fine, but I scanned the servers in question to make sure that is not the case.  If you google around you will see it shows up in many logs and whatnot.  In fact, it is referenced in several EE cases but it is never explained.

I also went to one of the servers in question and cannot find any of these connections in the netstat results.  Is this something to be ignored, something indicating configuration issues or something indicating viral/mal issues?
BBG-BBGM Author Commented:
It was the default address assigned to the Sonicwall GVPN Virtual Adapter.  Thanks everybody for your helpful suggestions but this was it.
I think your workstations are infected; they are trying to connect to the host you have mentioned and they fill up your NAT table.
To solve the problem fast, try doing the following: on the input of the firewall, drop all packets to ports (both TCP and UDP) 135-139, 445, unless you're using Windows networking outside your firewall.
It is the recommended solution from Microsoft to block the mentioned ports on your firewall if you are using file and printer sharing ONLY within your local network.
BBG-BBGM Author Commented:
Thanks for the reply, from_exp.  I'm not so certain that this is an infection because the only nodes that are generating these connections are Windows servers and we have a slightly complicated network topology.  (WAN involving 5 offices and 5 subnets over 2 different gateways.)  My guess is the 137/139 traffic is the servers playing 'master browser' wars like Windows servers like to do so much.

Back to the question:  What is
No other external IPs are coming up.  Just

Also, not only do we have SAV running on all servers and workstations, but we scan for viruses at our gateways (Cymphonix and Sonicwall) as well.
It appears this address is IANA reserved.
It means you're dealing with some sort of virus or trojan.
Unallocated addresses are used in some so-called blackhole networks (networks with addresses that should not exist).
Root kit maybe? Hard to detect. Download Microsoft's rootkit revealer from


The output may be hard to decipher but with some help might show something. (Lot of other good tools there as well).

Also, is/are your machines actually connecting or just trying to connect? I tried scanning that address for open ports and found none yesterday. It could be timed.... I do not know.

Closed, 500 points refunded.
Community Support Moderator
I had the same issue and I used your suggestion. Even though the Sonicwall VPN client TCP/IP was set for DHCP and it was not connected (enabled), it was broadcasting when we ping the server. I disabled the connection and the broadcast was stopped. Thank you for your finding.
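
A way to triage the symptom discussed in this thread (NAT entries to one outside address on the Windows networking ports), as an added example that is not from any poster: it counts entries per source host, destination and port so the machines to inspect are obvious. The table export format, the 10.0.0.0/8 internal range and the 192.0.2.50 placeholder address are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the thread: 135-139 and 445 (Windows networking).
WINDOWS_PORTS = set(range(135, 140)) | {445}
# Assumption: the internal address space; adjust to the site's real subnets.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in a hypothetical "proto src:port -> dst:port" export format.
# 192.0.2.50 is a documentation-range placeholder, not the address from the thread.
SAMPLE = """\
tcp 10.1.1.10:49152 -> 192.0.2.50:139
tcp 10.1.1.10:49153 -> 192.0.2.50:137
tcp 10.1.1.10:49154 -> 192.0.2.50:139
tcp 10.2.1.20:50100 -> 192.0.2.50:139
tcp 10.1.1.10:49155 -> 10.2.1.20:445
tcp 10.3.1.77:51000 -> 198.51.100.9:443
garbage line that should be skipped
"""

LINE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s*$")

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def summarize(text):
    """Count NAT entries per (source, destination, port) for Windows-networking
    ports whose destination lies outside the internal subnets."""
    hits = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip headers and malformed rows
        try:
            src = ipaddress.ip_address(m.group(2))
            dst = ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # not a valid IP literal
        dport = int(m.group(5))
        if dport in WINDOWS_PORTS and is_internal(src) and not is_internal(dst):
            hits[(str(src), str(dst), dport)] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (src, dst, port), n in summarize(SAMPLE):
        print(f"{n:4d}  {src} -> {dst}:{port}")
```

The source hosts at the top of the output are the ones to check for adapters or services that generate the traffic.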