Explanation on NAT diagnostics

We are using a Draytek Vigor2820 router.

The diagnostics of the NAT Active Sessions Table shows a strange information that we can not understand (see code).

Can anyone explain to us what is that we see here?
We can identify the normal port 80 and 53 sessions, but these other lines are all related to one private IP address (we renamed it to 99.9.9.99 on this list for security reasons). And also it seems this behavior moves to another private IP address within the system.

We are not network experts ... thus our knowledge on the area of ports is very basic.
We would appreciate any simple explanation and indication if we are dealing with some kind of threat or not.

Thanks in advance.

See code below
-------------------------------------------------------------------------------
     Private IP :Port #Pseudo Port         Peer IP :Port  Interface
-------------------------------------------------------------------------------
...
      99.9.9.99 12894        48232   86.210.102.11  6282    WAN2
      99.9.9.99 12894        48232  60.239.240.154 58038    WAN2
      99.9.9.99 12894        48232  98.247.228.235 22638    WAN2
      99.9.9.99 12894        48232  80.121.120.117 13674    WAN2
      99.9.9.99 12894        48232    80.98.248.72 10831    WAN2
      99.9.9.99 12894        48232    87.18.71.215 19681    WAN2
      99.9.9.99 12894        48232     77.21.58.30  7136    WAN2
      99.9.9.99 12894        48232  142.103.251.65 13351    WAN2
      99.9.9.99 12894        48232 206.188.159.204 53619    WAN2
      99.9.9.99 12894        48232    95.25.30.250  2763    WAN2
      99.9.9.99 12894        48232   94.253.24.209  8842    WAN2
      99.9.9.99 12894        48232   128.111.93.50 39955    WAN2
      99.9.9.99 12894        48232     76.23.192.8 63892    WAN2
      99.9.9.99 12894        48232   80.171.84.204 60401    WAN2
      99.9.9.99 12894        48232  91.156.135.243 16388    WAN2
      99.9.9.99 12894        48232     74.132.0.65 22887    WAN2
      99.9.9.99 12894        48232    24.68.254.67 28138    WAN2
      99.9.9.99 12894        48232   72.184.81.169 46908    WAN2
      99.9.9.99 12894        48232    98.145.93.53 47542    WAN2
      99.9.9.99 12894        48232   72.223.61.127 33086    WAN2
      99.9.9.99 12894        48232     87.97.40.14 46648    WAN2
      99.9.9.99 12894        48232  93.108.102.195 48338    WAN2
      99.9.9.99 12894        48232   67.82.173.167 33213    WAN2
      99.9.9.99 12894        48232   84.20.228.152 61193    WAN2
      99.9.9.99 12894        48232   93.80.117.239 34597    WAN2
      99.9.9.99 12894        48232  79.110.121.213 40419    WAN2
      99.9.9.99 12894        48232    84.2.210.122 43723    WAN2
      99.9.9.99 12894        48232   133.19.61.113 49107    WAN2
      99.9.9.99 12894        48232  201.82.208.247  5408    WAN2
      99.9.9.99 12894        48232   82.58.119.166 16575    WAN2
      99.9.9.99 12894        48232  125.101.32.118 52838    WAN2
      99.9.9.99 12894        48232  220.134.160.81 10399    WAN2
      99.9.9.99 12894        48232  140.247.62.172 27118    WAN2
      99.9.9.99 12894        48232   125.230.69.39 18084    WAN2
      99.9.9.99 12894        48232   89.134.51.175 20849    WAN2
      99.9.9.99 12894        48232      78.8.56.45  8563    WAN2
      99.9.9.99 12894        48232   216.119.15.11 33277    WAN2
      99.9.9.99 12894        48232   65.175.187.90 16835    WAN2
      99.9.9.99 12894        48232  84.193.245.207 58630    WAN2
      99.9.9.99 12894        48232   87.120.26.222 49102    WAN2
      99.9.9.99 12894        48232   84.228.212.72 29617    WAN2
      99.9.9.99 12894        48232  69.144.210.222 30043    WAN2
      99.9.9.99 12894        48232  81.220.203.234 10626    WAN2
      99.9.9.99 12894        48232    81.84.225.55 32909    WAN2
      99.9.9.99 12894        48232  81.202.109.245  2097    WAN2
      99.9.9.99 12894        48232   85.243.37.168 40036    WAN2
      99.9.9.99 12894        48232    98.217.188.6  8065    WAN2
      99.9.9.99 12894        48232   217.24.76.102 57008    WAN2
      99.9.9.99 12894        48232  80.121.120.196 13674    WAN2
      99.9.9.99 12894        48232  200.35.105.243 51825    WAN2
      99.9.9.99 12894        48232  67.176.166.245 52888    WAN2
      99.9.9.99 12894        48232     76.88.46.29 43874    WAN2
      99.9.9.99 12894        48232  95.158.133.152 22719    WAN2
      99.9.9.99 12894        48232  93.108.125.107 48338    WAN2
...

Open in new window

donamaroAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

WiiredCommented:
One of your PC's may have become infected with Malware. Go here and download & Install Malwarebytes:  www.malwarebytes.org

Let that perform a scan and see if it finds and removes anything. If it does, check your logs again after. If it finds nothing, go to that PC and run fport, which will isolate port traffic and map it to its parenty process(s). Fport can be found here: http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip
0
TCB1Commented:
My guess is that it's P2P traffic. But I don't know for sure.
0
decoleurCommented:
There could be a cause for concern by the very volume of communication directed at your local hosts. I would go to one of the active hosts and run TCPView form Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) and see what application is listening on that port. I would then look to the corporate security policy to see if the application causing issues is allowed on the network and consider the exposure that P2P filesharing apps could do to the organization by having illegle filesharing on company assets or the potential for downloading infected software through the same channels. I will point out that there are some good uses of P2P but I feel that they are limited and should be narrowly defined for the corporate network.

hope this gives you some food for thought.

-t
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

nasirshCommented:
Looks like some software in your machine is trying to communicate with the internet and uploading or downloading files onto your pc. Scan your pc with a antivirus and spyware. and then check again. Also unplugg the pc from the router and check whether the abnormal behaviour still continues or not. If it continues then try different machines and check then.
0
donamaroAuthor Commented:
On the active host I have run TCPView form Sysinternals (see Code below) and it does give me any explanation of the mysterious sessions and strange ports that are being used from that IP address (see also code below).

Maybe someone else can see something .... I don't see it. Also I have checked any unknown P2P software but could not find any.

I have run Malwarebytes, and other anti-virus scans .... they found nothing.

The host is a notebook with Windows XP Professional SP3 that connects to a company network.

The I20XX you see on the list is a VOIP telephone application which is used by everyone in that company.

I still can not explain the sessions in the NAT listing with strange IP addresses and port numbers.
Does anyone have a clue?

Start listing TCPView:
 
ALG.EXE:3988	TCP	127.0.0.1:1028	0.0.0.0:0	LISTENING	
I20XX.EXE:4052	TCP	10.0.0.13:1188	10.0.0.254:3199	ESTABLISHED	
LSASS.EXE:1036	UDP	0.0.0.0:500	*:*		
LSASS.EXE:1036	UDP	0.0.0.0:4500	*:*		
SPOOLSV.EXE:2032	UDP	0.0.0.0:1031	*:*		
SVCHOST.EXE:1204	TCP	127.0.0.1:49100	0.0.0.0:0	LISTENING	
SVCHOST.EXE:1308	TCP	0.0.0.0:135	0.0.0.0:0	LISTENING	
SVCHOST.EXE:1452	UDP	127.0.0.1:123	*:*		
SVCHOST.EXE:1452	UDP	10.0.0.13:123	*:*		
SVCHOST.EXE:1784	UDP	10.0.0.13:1900	*:*		
SVCHOST.EXE:1784	UDP	127.0.0.1:1900	*:*		
System:4	TCP	0.0.0.0:445	0.0.0.0:0	LISTENING	
System:4	TCP	10.0.0.13:139	0.0.0.0:0	LISTENING	
System:4	UDP	10.0.0.13:137	*:*		
System:4	UDP	10.0.0.13:138	*:*		
System:4	UDP	0.0.0.0:445	*:*			
WINLOGON.EXE:980	UDP	127.0.0.1:1460	*:*	
 
End listing TCPView
 
Start NAT Sessions listing:
-------------------------------------------------------------------------------
     Private IP :Port #Pseudo Port         Peer IP :Port  Interface
-------------------------------------------------------------------------------
      10.0.0.13 19215        54556 219.105.206.105 17421    WAN1
      10.0.0.13 19215        54556   59.146.36.226 18089    WAN1
      10.0.0.13 19215        54556     83.86.2.158  7550    WAN1
      10.0.0.13 19215        54556    81.84.214.52 17957    WAN1
      10.0.0.13 19215        54556    85.138.46.66  1271    WAN1
      10.0.0.13 19215        54556    84.91.123.37 21647    WAN1
      10.0.0.13 19215        54556   213.91.227.16 61900    WAN1
      10.0.0.13 19215        54556    84.75.120.24  5396    WAN1
      10.0.0.13 19215        54556       58.8.35.5 43507    WAN1
      10.0.0.13 19215        54556   93.156.51.198  9479    WAN1
      10.0.0.13 19215        54556    75.97.57.154 55881    WAN1
      10.0.0.13 19215        54556 190.140.159.237 31296    WAN1
      10.0.0.13 19215        54556   122.107.86.52 35023    WAN1
      10.0.0.13 19215        54556  132.199.124.85 54083    WAN1
      10.0.0.13 19215        54556   68.229.251.31 16865    WAN1
      10.0.0.13 19215        54556 158.110.144.197 43635    WAN1
      10.0.0.13 19215        54556    82.81.14.205 33404    WAN1
      10.0.0.13 19215        54556    67.163.86.70 63404    WAN1
      10.0.0.13 19215        54556    83.99.253.97  2432    WAN1
      10.0.0.13 19215        54556   99.248.27.228 61449    WAN1
      10.0.0.13 19215        54556    85.181.37.81 29885    WAN1
      10.0.0.13 19215        54556   124.144.3.239 47551    WAN1
      10.0.0.13 19215        54556    24.71.235.42 12919    WAN1
      10.0.0.13 19215        54556   129.89.154.72 19370    WAN1
      10.0.0.13 19215        54556   61.227.168.76 43959    WAN1
      10.0.0.13 19215        54556  146.155.201.31 14676    WAN1
      10.0.0.13 19215        54556    87.198.32.92 47636    WAN1
      10.0.0.13 19215        54556   60.56.154.215 20660    WAN1
      10.0.0.13 19215        54556     87.7.62.122 42099    WAN1
      10.0.0.13 19215        54556    58.181.51.23 29373    WAN1
      10.0.0.13 19215        54556   82.154.156.90 49790    WAN1
      10.0.0.13 19215        54556    88.65.211.90 43767    WAN1
      10.0.0.13 19215        54556  82.154.157.230  2787    WAN1
 
End NAT Sessions listing

Open in new window

0
Keith AlabasterEnterprise ArchitectCommented:
I am not aware of any software that uses port 12894 for communication.
Have you actually debugged any of the packets through Net Monitor or Wireshark?
Have you taken any captures?

0
donamaroAuthor Commented:
"... Have you actually debugged any of the packets through Net Monitor or Wireshark?
Have you taken any captures?"

I am not familiar with these. I administer the router of the business, but my network knowledge is basically.

Could it be a bug of the Draytek Vigor2820 router? Although it is strange that it only happens with one PC.
0
Keith AlabasterEnterprise ArchitectCommented:
I doubt it.  two immediate options.

1. remove the broadcasting device, rebuild it and then redeploy it.
2. Block the traffic on the router - see if the user shouts as an application has stopped working.

You have done the donkey work by identifying which box is broadcasting - the last part is working out what causes it. If your debug skills are limited then letting someone else identify what stops may be far easier and quicker.

Keith
0
donamaroAuthor Commented:
After investigating further I think I have identified the "culprit" that is producing all these 'unknown' sessions (> 50 even >100). It is the Skype software.

I also found the following discussion thread that indicates the same situation:
http://forum.skype.com/lofiversion/index.php/t94675.html

Unfortunately this topic was discussed about two years ago ... and my impression is that Skype is still producing a great number of NAT sessions.

I will try now to uninstall and reinstall Skype (latest version) and see if it still continues to do the same.
0
Keith AlabasterEnterprise ArchitectCommented:
OK :)
0
donamaroAuthor Commented:
Unfortunately even after uninstalling and reinstalling the latest version of Skype .... the problem still persists. Even changing the port that Skype uses from 19215 to another port number ... it still produces lots of sessions at the same time.

Is there a reason why Skype does this? (is there a Skype zone here?)
Is it 'healthy' that an application opens all these sessions at the same time?
0
Keith AlabasterEnterprise ArchitectCommented:
My organisation will not touch Skype.
Hold on - I'll have a look for you
0
Keith AlabasterEnterprise ArchitectCommented:
There you go - found it.

I don't think we are going to get much further Don. It may be that you want to open another question directly in the Skype area. Skype is, by definition, a very chatty protocol.
0
TCB1Commented:
Skype is a p2p type app. So this sort of ip activty is to be expected. Is this causing problems for your network?
0
TCB1Commented:
If it's a bandwidth issue, then you could use a free program called traffic shaper xp to limit the bandwidth skype is allowed to use.

www.bandwidthcontroller.com
0
donamaroAuthor Commented:
It offered the best answer in response to my question
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Chat / IM

From novice to tech pro — start learning today.