
Outgoing Traffic shown in Router Log is Suspicious

Posted on 2013-05-26
Last Modified: 2013-08-14
I have noticed recently that my Outgoing Router Log (Linksys) has shown that my computer (Win 7 SP1, 64-bit OS) is contacting other devices with Private IP's beyond my router (using NAT) and before my building router.  I am in a multi-dwelling building, so there is a gateway (10.3.1.254) for my building.

A traceroute from my computer (192.168.14.50) to google shows something like this:

Tracing route to www.google.com [74.125.224.244]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.3.1.254
  2     2 ms     2 ms     1 ms  10.2.0.2
  3     2 ms     2 ms     2 ms  38..........
etc....

My router IP      - 10.3.0.45
Default Gateway   - 10.3.1.254
Subnet Mask       - 255.255.254.0

So, my Outgoing Router Log shows that my computer is trying to connect to other private IP's and Ports as follows:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

I tried pinging and tracert to these IP's but got no response.

Why would my computer be contacting other Private IP's that are beyond my router and behind my building's gateway router?
Question by: Chomps

9 Comments

Expert Comment by: Qlemo

There is something wrong with your IPs as you posted them. It is not possible for 192.168.14.50 to reach 10.3.0.45 directly. Your router certainly has a 192.168.14.x/24 address, and 10.3.0.45 is the "WAN" interface address then.

Port 9000 is used for Malware, but also for Buffalo Web Access.
Port 137 is used for WINS / NetBIOS Name Resolution.

That looks like there are management processes running wanting to access Buffalo NAS devices.

Author Comment by: Chomps

192.168.14.50 is my internal computer IP, and the internal router IP is 192.168.14.1.  My router is running NAT and the router external IP is 10.3.0.45.

Expert Comment by: Qlemo

So it is exactly as I assumed in http:#a39197795.

What about having Buffalo NAS in your (non-internal) network?

Author Comment by: Chomps

The network external to my router is controlled by my ISP.  I do not have a Buffalo NAS device, and I have no idea whether or not my ISP or another customer in my building has a Buffalo NAS device.  I still don't understand why my computer would be trying to contact a Buffalo NAS device.  Is there a service or protocol on my computer that I should look for?

I ran Network Monitor and found this:

Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424
Udp: SrcPort = 1900, DstPort = 1900, Length = 404
http: Request, NOTIFY *
SSDP: Request, NOTIFY *

83      10:14:44 AM 5/26/2013      19.4907019            10.3.0.165      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:39, UDP:38, IPv4:37}

101      10:14:57 AM 5/26/2013      33.0339170            10.3.0.209      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:50, UDP:49, IPv4:48}

Any ideas?

Expert Comment by: Qlemo

Those are SSDP (UPnP, Universal Plug'n'Play) notifications. A destination of 239.* also suggests that, because it is a multicast address to be used for local devices propagating their services. Common scenarios are multimedia storage devices notifying you of shared content (e.g. the Windows Media Server does that).
Your PC might or might not respond to such requests. However, your local router should filter those requests, and you should never see them, as they are network local (i.e. restricted to 10.3.0.0/23 (subnets 10.3.0.x and 10.3.1.x) or at least class A = 10.0.0.0/8 (subnets 10.*)).

Author Comment by: Chomps

Thank you for all of the information, however, I am still not sure what to do about this situation.  Is the problem with my router or my ISP?

My outgoing router logs show that both of my internal computers have tried to contact the IP's that I have mentioned:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

Expert Comment by: Qlemo

It is your ISP's issue. If you are not interested in 10.3.x traffic (and I am sure you are not), you should not receive any. The ISP's gateway router should not broadcast that traffic to your router.
On the other hand, usually it is much easier to block multicasts and unwanted traffic at your own router. That you are able to receive that traffic is caused because you have a non-secured setup - your router should be isolated from the transfer network, and only receive "interesting" traffic (that is responses to requests from your location). That setup requires that your own router does all security filtering.

Having said that, I'm not clear about why you get traffic for different networks if your router applies NAT. NAT prohibits any broadcasting or multicasting with 239 IPs, unless explicitly forwarded.

Author Comment by: Chomps

Thank you for your response and sorry about the delay in responding, however I am having difficulty in understanding your response.  I will give you full credit for the solution.

I am still not clear on why my internal computers would be trying to contact sockets on the network my ISP controls.  Are you saying that it is an incorrect configuration with my ISP's gateway router?  What sort of settings should they change?

Also, you mentioned a non-secured setup with my router.  What should I look for and what should be changed?  I have the default settings; however, it is about a 6 year old Linksys.  Are you saying that my router should prevent my internal 192.168.14.... computers from trying to contact the 10.3.0... ports 9000 and 137?

Additionally what services would be running on my internal computers that are trying to connect to the 10.3.0..... sockets on my ISP's network?

Thanks again for your assistance.

Accepted Solution by: Qlemo (earned 500 total points)

As said, those packets you receive are service notifications. If you call out on the street that you have a free newspaper, some people will have a look at it, won't they? This is the same; someone is saying there is a service, and some of your devices want to get more information about it.

Yes, this is a misconfiguration, unless it is intended - and I don't think so. Service notifications can be used to tell e.g. there is a Windows Media Server available, presenting multimedia stuff for streaming.

You need to tell your ISP they should NOT allow multicasts (239.*) to get through the router/firewall.
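As an added example (not the asker's or Qlemo's code), a small Python check that applies the reasoning in this thread: it reads Network Monitor-style SSDP summary lines and router outgoing-log entries (both constructed here to mirror the ones quoted above), flags NOTIFY multicasts whose sender lies outside the 192.168.14.0/24 LAN, which the upstream gateway should never have forwarded, and then lists which internal hosts went on to contact those announcers on ports 9000 or 137. The two input formats and the LAN prefix are assumptions.

```python
# Added example for this thread (not the asker's or Qlemo's code): flag SSDP NOTIFY
# multicasts leaked from the ISP side and list the internal hosts that then hit 9000/137.
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.14.0/24")   # the asker's internal network (assumed)
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
FOLLOWUP_PORTS = {9000, 137}                    # Buffalo Web Access, NetBIOS name service

# Constructed sample shaped like the Network Monitor summary lines quoted above
SSDP_CAPTURE = """\
83   10:14:44 AM 5/26/2013  19.4907019  10.3.0.165     239.255.255.250  SSDP  SSDP:Request, NOTIFY *
101  10:14:57 AM 5/26/2013  33.0339170  10.3.0.209     239.255.255.250  SSDP  SSDP:Request, NOTIFY *
120  10:15:02 AM 5/26/2013  38.1000000  192.168.14.50  239.255.255.250  SSDP  SSDP:Request, M-SEARCH *
"""

# Constructed outgoing-log sample: source_ip destination_ip destination_port
ROUTER_LOG = """\
192.168.14.50 10.3.0.165 9000
192.168.14.50 10.3.0.165 137
192.168.14.51 10.3.0.209 9000
192.168.14.50 74.125.224.244 443
"""

SSDP_RE = re.compile(r"^\s*\d+\s+.*?\s+(\S+)\s+(\S+)\s+SSDP\s+SSDP:Request,\s*(\S+)")

def leaked_ssdp_sources(capture):
    """Return senders of SSDP NOTIFY multicasts whose address is not on our LAN."""
    leaked = set()
    for line in capture.splitlines():
        m = SSDP_RE.match(line)
        if not m:
            continue
        src, dst, method = m.groups()
        # 239.255.255.250 is site-local multicast: a NOTIFY from another subnet
        # can only reach us if the upstream router forwarded it to our side.
        if (method == "NOTIFY" and ipaddress.ip_address(dst) == SSDP_GROUP
                and ipaddress.ip_address(src) not in LAN):
            leaked.add(src)
    return leaked

def followups(router_log, announcers):
    """Map each leaked announcer to the internal hosts that contacted it on 9000/137."""
    hits = defaultdict(set)
    for line in router_log.splitlines():
        src, dst, port = line.split()
        if dst in announcers and int(port) in FOLLOWUP_PORTS:
            hits[dst].add(src)
    return dict(hits)
```

Every announcer that shows up in `followups` is a host your own router should have been filtering, and a multicast the ISP's gateway should not have passed on in the first place.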