Chomps
asked on
Outgoing Traffic shown in Router Log is Suspicious
I have noticed recently that my Outgoing Router Log (Linksys) has shown that my computer (Win 7 SP1, 64-bit OS) is contacting other devices with private IPs beyond my router (using NAT) and before my building router. I am in a multi-dwelling building, so there is a gateway (10.3.1.254) for my building.
A traceroute from my computer (192.168.14.50) to google shows something like this:
Tracing route to www.google.com [74.125.224.244]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 10.3.1.254
2 2 ms 2 ms 1 ms 10.2.0.2
3 2 ms 2 ms 2 ms 38..........
etc....
My router IP - 10.3.0.45
Default Gateway - 10.3.1.254
Subnet Mask - 255.255.254.0
So, my Outgoing Router Log shows that my computer is trying to connect to other private IPs and ports as follows:
10.3.0.100 Ports 9000 and 137
10.3.0.165 Ports 9000 and 137
10.3.0.209 Ports 9000 and 137
I tried pinging and tracert to these IPs but got no response.
Why would my computer be contacting other private IPs that are beyond my router and behind my building's gateway router?
ASKER
192.168.14.50 is my internal computer IP, and the internal router IP is 192.168.14.1. My router is running NAT and the router external IP is 10.3.0.45.
So it is exactly as I assumed in http:#a39197795.
What about having Buffalo NAS in your (non-internal) network?
ASKER
The network external to my router is controlled by my ISP. I do not have a Buffalo NAS device, and I have no idea whether or not my ISP or another customer in my building has a Buffalo NAS device. I still don't understand why my computer would be trying to contact a Buffalo NAS device. Is there a service or protocol on my computer that I should look for?
I ran Network Monitor and found this:
Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424
Udp: SrcPort = 1900, DstPort = 1900, Length = 404
http: Request, NOTIFY *
SSDP: Request, NOTIFY *
83 10:14:44 AM 5/26/2013 19.4907019 10.3.0.165 239.255.255.250 SSDP SSDP:Request, NOTIFY * {HTTP:39, UDP:38, IPv4:37}
101 10:14:57 AM 5/26/2013 33.0339170 10.3.0.209 239.255.255.250 SSDP SSDP:Request, NOTIFY * {HTTP:50, UDP:49, IPv4:48}
Any ideas?
Those are SSDP (UPnP, Universal Plug'n'Play) notifications. A destination of 239.* also suggests that, because it is a multicast address to be used for local devices propagating their services. Common scenarios are multimedia storage devices notifying you of shared content (e.g. the Windows Media Server does that).
Your PC might or might not respond to such requests. However, your local router should filter those requests, and you should never see them, as they are network local (i.e. restricted to 10.3.0.0/23 (subnets 10.3.0.x and 10.3.1.x) or at least class A = 10.0.0.0/8 (subnets 10.*)).
ASKER
Thank you for all of the information, however, I am still not sure what to do about this situation. Is the problem with my router or my ISP?
My outgoing router logs show that both of my internal computers have tried to contact the IPs that I have mentioned:
10.3.0.100 Ports 9000 and 137
10.3.0.165 Ports 9000 and 137
10.3.0.209 Ports 9000 and 137
It is your ISP's issue. If you are not interested in 10.3.x traffic (and I am sure you are not), you should not receive any. The ISP's gateway router should not broadcast that traffic to your router.
On the other hand, usually it is much easier to block multicasts and unwanted traffic at your own router. That you are able to receive that traffic is caused because you have a non-secured setup - your router should be isolated from the transfer network, and only receive "interesting" traffic (that is responses to requests from your location). That setup requires that your own router does all security filtering.
Having said that, I'm not clear about why you get traffic for different networks if your router applies NAT. NAT prohibits any broadcasting or multicasting with 239 IPs, unless explicitly forwarded.
ASKER
Thank you for your response and sorry about the delay in responding, however I am having difficulty in understanding your response. I will give you full credit for the solution.
I am still not clear on why my internal computers would be trying to contact sockets on the network my ISP controls. Are you saying that it is an incorrect configuration with my ISP's gateway router? What sort of settings should they change?
Also you mentioned a non-secured setup with my router. What should I look for and what should be changed? I have the default settings, however, it is about a 6 year old Linksys. Are you saying that my router should prevent my internal 192.168.14....computers from trying to contact the 10.3.0... \9000 and 137 ports?
Additionally what services would be running on my internal computers that are trying to connect to the 10.3.0..... sockets on my ISP's network?
Thanks again for your assistance.
ASKER CERTIFIED SOLUTION
Port 9000 is used for Malware, but also for Buffalo Web Access.
Port 137 is used for WINS / NetBIOS Name Resolution.
That looks like there are management processes running wanting to access Buffalo NAS devices.
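An added triage script (not from the thread or any participant) that ties together the two answers above: it places each destination from the Linksys outgoing log relative to the router's WAN /23 (10.3.0.45 with mask 255.255.254.0, as given in the question), labels ports 137, 1900 and 9000 with the meanings the answers state, and parses Network Monitor frame-summary lines to confirm the 10.3.0.x hosts are SSDP advertisers on the ISP segment. The log tuples and Network Monitor lines are constructed from values in the thread; the NetMon line layout is assumed to match what the asker pasted.

```python
import ipaddress
import re

# Values from the question: router WAN address and the /23 the ISP handed out.
ROUTER_WAN = ipaddress.ip_interface("10.3.0.45/255.255.254.0")
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")

# Port meanings as stated in the thread's answers.
PORT_NOTES = {
    137: "NetBIOS name service (WINS / NetBIOS name resolution)",
    1900: "SSDP (UPnP discovery)",
    9000: "Buffalo Web Access (port also used by some malware)",
}

# Constructed sample in the Network Monitor frame-summary layout from the thread.
NETMON_LINES = """\
83 10:14:44 AM 5/26/2013 19.4907019 10.3.0.165 239.255.255.250 SSDP SSDP:Request, NOTIFY * {HTTP:39, UDP:38, IPv4:37}
101 10:14:57 AM 5/26/2013 33.0339170 10.3.0.209 239.255.255.250 SSDP SSDP:Request, NOTIFY * {HTTP:50, UDP:49, IPv4:48}
""".splitlines()

# frame, time, AM/PM, date, offset, then src, dst, protocol (assumed layout)
FRAME_RE = re.compile(r"^\d+ \S+ \S+ \S+ \S+ (\S+) (\S+) (\S+) ")

def where(addr):
    """Place an address relative to the router's WAN segment."""
    a = ipaddress.ip_address(addr)
    if a.is_multicast:
        return "multicast"
    if a in ROUTER_WAN.network:
        return "isp_segment"   # same /23 as the router's WAN side, not the Internet
    return "private_other" if a.is_private else "internet"

def triage_outgoing(entries):
    """entries: (src, dst, dst_port) tuples as logged by the router."""
    return [(src, dst, port, where(dst), PORT_NOTES.get(port, "unknown"))
            for src, dst, port in entries]

def parse_netmon(lines):
    """(src, dst, proto, is_ssdp_group, src_location) per parseable summary line."""
    out = []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            src, dst, proto = m.groups()
            out.append((src, dst, proto, ipaddress.ip_address(dst) == SSDP_GROUP, where(src)))
    return out

if __name__ == "__main__":
    for row in triage_outgoing([("192.168.14.50", "10.3.0.100", 9000),
                                ("192.168.14.50", "10.3.0.100", 137)]):
        print(row)
    for row in parse_netmon(NETMON_LINES):
        print(row)
```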