Solved

Attack ?

Posted on 2011-09-10
Last Modified: 2013-11-22
I have a Windows 2003 router.

I am having a lot of drops on the NIC with IP 10.0.1.254.

When I run Windump I get the following packets (9000+ per second):

07:24:00.320690 IP 192.168.1.1.445 > 10.0.1.210.63136: R 781344400:781344400(0) win 0
07:24:00.320792 IP 192.168.1.1.445 > 10.0.1.210.63136: R 781344400:781344400(0) win 0

No interface has the IP 192.168.x.x and I am not using it anywhere.
The IP 10.0.1.210 has not been online for more than 2 days.

This starts every several hours and it runs for about 10-20 min each time.

Question by:soffcec
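An added example, not part of the original thread: a Python script that parses windump lines of the shape quoted above and reports per-second bursts of RST packets whose source address lies outside the router's own subnets. It assumes 10.0.1.0/24 and 10.0.10.0/24 (the subnets named in the thread) as the local networks; the 1,000 RST/s threshold and the extra sample lines are constructed.

```python
# Added example (not from the original thread): parse windump lines in the old
# one-letter flag syntax quoted in the question and report per-second bursts of
# RST packets whose source address lies outside the router's own subnets.
import re
import ipaddress
from collections import Counter

# Shape shown in the question: "<hh:mm:ss.us> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)

# Assumed local networks (the subnets named in the thread); 192.168.1.1 is in neither.
LOCAL_NETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.10.0/24")]

def parse_line(line):
    """Return the fields of one windump TCP line, or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": seconds, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}

def is_local(ip):
    """True if ip falls inside one of the router's configured subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_rst_bursts(lines, per_second_threshold=1000):
    """Count RST packets per (src, dst, whole second) and return the buckets above
    the threshold as (src, dst, second_of_day, count, source_is_local) tuples."""
    buckets = Counter()
    for line in lines:
        p = parse_line(line)
        if p and "R" in p["flags"]:
            buckets[(p["src"], p["dst"], int(p["t"]))] += 1
    return [(src, dst, sec, n, is_local(src))
            for (src, dst, sec), n in sorted(buckets.items())
            if n > per_second_threshold]

# Constructed sample: the two lines quoted in the question, 1,200 further RSTs in
# the same second, and one ordinary SYN from a genuinely local host.
RST = "IP 192.168.1.1.445 > 10.0.1.210.63136: R 781344400:781344400(0) win 0"
SAMPLE_LINES = (["07:24:00.320690 " + RST, "07:24:00.320792 " + RST]
                + ["07:24:00.%06d %s" % (320900 + i, RST) for i in range(1200)]
                + ["07:24:01.000100 IP 10.0.10.5.51000 > 10.0.1.254.80: S 1:1(0) win 8192"])
```

A source flagged as not local is the key signal here: a burst that the routing table says cannot legitimately originate on that NIC points at a spoofed or misbehaving device rather than at the host named as the destination.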

Accepted Solution

by: Arman Khodabande
ID: 36516091
Is it "192.168.1.1.445" or "192.168.1.1:445"?
If 445 is the port then:
it means that some packet has been sent from your computer (from port 445) to some computer with a private IP address on your network (10.0.1.210:63136).


Technical description for port 445:

Services or applications using this port: File Sharing Protocols
Malicious services / applications: N/A

Among the new ports used by Windows 2000, Windows XP and Windows Server 2003, is TCP port 445 which is used for SMB over TCP.(service message block)
The port 445 is a service message block used for file sharing on Windows XP, 2000, 2003, ME, and other SAMBA-related connections. It is used by various operating systems to give security options at high levels.
The port 445 in inbound traffic scans the system typically for shared files that users outside try to harvest into the computer's system. This is blocked by port 445 to avoid the installation of malicious applications.
The Port 445 in outbound traffic, on the other hand, relies on the user's consent. It scans and checks the files that the user uploads on the host system. It sends a verification protocol for the process to be safe for each computer.
The port 445 is commonly used for file-sharing. It connects the user to the server and vice versa. The port 445 is a typical file transfer security protocol to monitor the risk of overflow and program redundancy in sharing files. It is commonly used in network topology. Most router hardware is embedded with this protocol for its well secured firewall.
(copy/pasted from http://www.pc-library.com/ports/tcp-udp-port/445/)


However, the destination port on that computer is not a known port! You need to find out where the computer with the 10.0.1.210 IP address is! And where your information is going!
As much as I know, that IP is for a private network and is not coming from outside of your network! So it's something near you.
I'm not familiar with network tracing and I'm just trying to give you some general help!
Ping that IP address to see if it's always online or not!
If you can't find out the matter, ask a network pro.
If you have any firewall software, block that IP for now! (However, it may be a trusted IP.)

Author Comment

by:soffcec
ID: 36516540
It is 192.168.1.1.445, but I can't find out how this address can do anything, because the router is routing from 10.0.10.x to 10.0.1.x and 192.168.1.1 should not be seen there.
I know computer 10.0.1.210 and it has not been online for more than 2 days, and there has been no traffic from 10.0.1.210, only to it.
Assisted Solution

by:Arman Khodabande
ID: 36516967
As far as I know, we do not have such an IP address as 192.168.1.1.445 with 5 parts, and the last number represents the port used for the connection.
And as the port is for SMB (some feature of Windows Server 2003), it may be a trusted action from the OS or the router itself!

The IP address 192.168.1.1 is usually the IP of your router (check your default gateway). So the router is sending some data packets. (Maybe it's a normal checking procedure.)

Please ping the IP 10.0.1.210 in cmd while the computer (10.0.1.210) is offline to see whether it is returning packets or not.
Maybe some other computer has replaced that offline PC and is receiving data!

Author Comment

by:soffcec
ID: 36517036
No computer is answering 10.0.1.210, and Windump cannot see anything coming from it. All gateways are OK.
Author Comment

by:soffcec
ID: 36517116
The fifth part of the IP number is the port number.
Assisted Solution

by:Arman Khodabande
ID: 36517715
So I don't think that is a dangerous action. However, you can block it via your firewall if uncomfortable.
Assisted Solution

by:Sudeep Sharma
ID: 36538515
Do you have a virtual machine running on the system? Or even a VM application like VMware or VirtualBox? Most of these applications have the 192.168.1.X range by default.
Author Comment

by:soffcec
ID: 36577044
It looks like I have a malfunction in one of my DSLAMs; every time I cold restart the DSLAM, the attack stops.
Assisted Solution

by:Arman Khodabande
ID: 36578964
So it was more complicated than I could imagine?!
Expert Comment

by:Arman Khodabande
ID: 36591891
Good luck