Solved

What in the world is the IP address 223.1.1.128?  I see it everywhere.

Posted on 2007-11-28
8
4,248 Views
Last Modified: 2013-12-04
I am working on an issue involving the NAT tables flooding on a router and I am seeing the IP address 223.1.1.128 showing up everywhere.  It is always the destination address for a connection on TCP 137 or 139.  The machines connecting to this address are servers.  

Some people have suggested that these machines are infected with malware or the like.  Fine, but I scanned the servers in question to make sure that is not the case.  If you google around you will see it shows up in many logs and whatnot.  In fact, it is referenced in several EE cases but it is never explained.

I also went to one of the servers in question and cannot find any of these connections in the netstat results.  Is this something to be ignored, something indicating configuration issues or something indicating viral/mal issues?
Question by:BBG-BBGM
8 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20368060
I think your workstations are infected; they are trying to connect to the host you have mentioned and they fill up your NAT table.
To solve the problem fast, try doing the following: on the input of the firewall, drop all packets to ports (both TCP and UDP) 135-139 and 445, unless you're using Windows networking outside your firewall.
It is the recommended solution from Microsoft to block the mentioned ports on your firewall if you are using file and printer sharing ONLY within your local network.
0
 
LVL 1

Author Comment

by:BBG-BBGM
ID: 20368134
Thanks for the reply, from_exp.  I'm not so certain that this is an infection because the only nodes that are generating these connections are Windows servers and we have a slightly complicated network topology.  (WAN involving 5 offices and 5 subnets over 2 different gateways.)  My guess is the 137/139 traffic is the servers playing 'master browser' wars like Windows servers like to do so much.

Back to the question:  What is 223.1.1.128?
No other external IPs are coming up.  Just 223.1.1.128.

Also, not only do we have SAV running on all servers and workstations, but we scan for viruses at our gateways (Cymphonix and SonicWall) as well.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20368303
It appears this address is IANA reserved:
http://www.iana.org/assignments/ipv4-address-space
It means you're dealing with some sort of virus or trojan.
Unallocated addresses are used in some so-called blackhole networks (networks with addresses that should not exist).
0
 
LVL 18

Expert Comment

by:Johnjces
ID: 20373933
Rootkit maybe? Hard to detect. Download Microsoft's RootkitRevealer from

http://www.microsoft.com/technet/sysinternals/securityutilities.mspx

The output may be hard to decipher but with some help might show something. (Lot of other good tools there as well).

Also, are your machines actually connecting or just trying to connect? I tried scanning that address for open ports and found none yesterday. It could be timed.... I do not know.

John
0
 
LVL 1

Accepted Solution

by:
BBG-BBGM earned 0 total points
ID: 20474155
It was the default address assigned to the Sonicwall GVPN Virtual Adapter.  Thanks everybody for your helpful suggestions but this was it.
0
 
LVL 1

Expert Comment

by:Vee_Mod
ID: 20555472
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
0
 

Expert Comment

by:Change2009
ID: 25425879
I had the same issue and I used your suggestion. Even though the SonicWall VPN client TCP/IP was set for DHCP and it was not connected (enabled), it was broadcasting 223.1.1.128 when we pinged the server. I disabled the connection and the broadcast stopped. Thank you for your finding.
0
