Solved

Outgoing Traffic shown in Router Log is Suspicious

Posted on 2013-05-26
Last Modified: 2013-08-14
I have noticed recently that my Outgoing Router Log (Linksys) has shown that my computer (Win 7 SP1, 64-bit OS) is contacting other devices with private IPs beyond my router (using NAT) and before my building router.  I am in a multi-dwelling building, so there is a gateway (10.3.1.254) for my building.

A traceroute from my computer (192.168.14.50) to google shows something like this:

Tracing route to www.google.com [74.125.224.244]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.3.1.254
  2     2 ms     2 ms     1 ms  10.2.0.2
  3     2 ms     2 ms     2 ms  38..........
etc....

My router IP    - 10.3.0.45
Default Gateway - 10.3.1.254
Subnet Mask     - 255.255.254.0

So, my Outgoing Router Log shows that my computer is trying to connect to other private IPs and ports as follows:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

I tried pinging and tracert to these IPs but got no response.

Why would my computer be contacting other private IPs that are beyond my router and behind my building's gateway router?
Question by:Chomps
LVL 68

Expert Comment

by:Qlemo
ID: 39197795
There is something wrong with your IPs as you posted them. It is not possible for 192.168.14.50 to reach 10.3.0.45 directly. Your router certainly has a 192.168.14.x/24 address, and 10.3.0.45 is the "WAN" interface address then.

Port 9000 is used for Malware, but also for Buffalo Web Access.
Port 137 is used for WINS / NetBIOS Name Resolution.

That looks like there are management processes running wanting to access Buffalo NAS devices.

Author Comment

by:Chomps
ID: 39197825
192.168.14.50 is my internal computer IP, and the internal router IP is 192.168.14.1.  My router is running NAT and the router external IP is 10.3.0.45.
LVL 68

Expert Comment

by:Qlemo
ID: 39197890
So it is exactly as I assumed in http:#a39197795.

What about having Buffalo NAS in your (non-internal) network?

Author Comment

by:Chomps
ID: 39197916
The network external to my router is controlled by my ISP.  I do not have a Buffalo NAS device, and I have no idea whether or not my ISP or another customer in my building has a Buffalo NAS device.  I still don't understand why my computer would be trying to contact a Buffalo NAS device.  Is there a service or protocol on my computer that I should look for?

I ran Network Monitor and found this:

Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424
Udp: SrcPort = 1900, DstPort = 1900, Length = 404
http: Request, NOTIFY *
SSDP: Request, NOTIFY *

83      10:14:44 AM 5/26/2013      19.4907019            10.3.0.165      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:39, UDP:38, IPv4:37}

101      10:14:57 AM 5/26/2013      33.0339170            10.3.0.209      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:50, UDP:49, IPv4:48}

Any ideas?
LVL 68

Expert Comment

by:Qlemo
ID: 39197930
Those are SSDP (UPnP, Universal Plug'n'Play) notifications. A destination of 239.* also suggests that, because it is a multicast address to be used for local devices propagating their services. Common scenarios are multimedia storage devices notifying you of shared content (e.g. the Windows Media Server does that).
Your PC might or might not respond to such requests. However, your local router should filter those requests, and you should never see them, as they are network local (i.e. restricted to 10.3.0.0/23 (subnets 10.3.0.x and 10.3.1.x) or at least class A = 10.0.0.0/8 (subnets 10.*)).

Author Comment

by:Chomps
ID: 39197982
Thank you for all of the information, however, I am still not sure what to do about this situation.  Is the problem with my router or my ISP?

My outgoing router logs show that both of my internal computers have tried to contact the IPs that I have mentioned:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137
LVL 68

Expert Comment

by:Qlemo
ID: 39198141
It is your ISP's issue. If you are not interested in 10.3.x traffic (and I am sure you are not), you should not receive any. The ISP's gateway router should not broadcast that traffic to your router.
On the other hand, usually it is much easier to block multicasts and unwanted traffic at your own router. That you are able to receive that traffic is because you have a non-secured setup - your router should be isolated from the transfer network, and only receive "interesting" traffic (that is, responses to requests from your location). That setup requires that your own router does all security filtering.

Having said that, I'm not clear about why you get traffic for different networks if your router applies NAT. NAT prohibits any broadcasting or multicasting with 239 IPs, unless explicitly forwarded.
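The two checks Qlemo applies above (ID 39197930 and ID 39198141) can be written down as a small triage script: a multicast NOTIFY arriving from an address outside the LAN means the ISP-side gateway is leaking other customers' SSDP traffic, and an outgoing-log entry from a LAN host to a 10.3.0.x address on port 9000 or 137 is the follow-up that should be stopped at the home router. This is an added example, not code from the thread or from any participant. It assumes the LAN is 192.168.14.0/24 (inferred from the 192.168.14.1 router address) and the ISP transfer network is 10.3.0.0/23 (from the 255.255.254.0 mask in the question); the capture lines and log entries it reads are constructed to match the format shown in the thread.

```python
"""Triage of the traffic described in the thread: what a NAT router on an ISP
transfer network should never deliver inward, and should never emit outward."""
import ipaddress
import re

# Addressing from the question. The LAN prefix is an assumption (router is 192.168.14.1).
LAN_NET = ipaddress.ip_network("192.168.14.0/24")
ISP_NET = ipaddress.ip_network("10.3.0.0/23")   # mask 255.255.254.0 -> /23

# Constructed sample lines modelled on the Network Monitor output in the thread
# (both the "Ipv4: Src = ..." detail style and the tabular frame-summary style).
CAPTURE_LINES = [
    "Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424",
    "83      10:14:44 AM 5/26/2013      19.4907019      10.3.0.165      239.255.255.250      SSDP      SSDP:Request, NOTIFY *",
    "101     10:14:57 AM 5/26/2013      33.0339170      10.3.0.209      239.255.255.250      SSDP      SSDP:Request, NOTIFY *",
]

# Constructed outgoing-log entries modelled on "10.3.0.100  Ports 9000 and 137",
# plus one ordinary Internet-bound connection that must not be flagged.
OUTGOING_LOG = [
    ("192.168.14.50", "10.3.0.100", 9000),
    ("192.168.14.50", "10.3.0.100", 137),
    ("192.168.14.50", "10.3.0.165", 9000),
    ("192.168.14.50", "74.125.224.244", 443),
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def extract_src_dst(line):
    """Return (src, dst) from either Netmon line style, or None if no pair is present."""
    m = re.search(r"Src = " + IPV4 + r", Dest = " + IPV4, line)
    if m:
        return m.group(1), m.group(2)
    ips = re.findall(IPV4, line)          # tabular style: first two dotted quads
    return (ips[0], ips[1]) if len(ips) >= 2 else None


def classify(ip_str):
    """Bucket an address relative to this household's network layout."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_multicast:                   # 224.0.0.0/4, includes 239.255.255.250
        return "multicast"
    if ip in LAN_NET:
        return "lan"
    if ip in ISP_NET:
        return "isp-transfer"
    if ip.is_private:                     # other RFC 1918 space (e.g. 10.2.0.2 upstream)
        return "other-private"
    return "internet"


def on_same_link(a, b, prefix_len):
    """True when a and b fall in the same subnet of the given length.
    Encodes Qlemo's first observation: 192.168.14.50 cannot reach 10.3.0.45 directly."""
    net_a = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix_len}", strict=False)
    return net_a == net_b


def inbound_findings(lines):
    """Multicast that originates outside the LAN but is seen on the LAN side means
    the ISP gateway (or the home router's WAN filtering) is letting SSDP through."""
    findings = []
    for line in lines:
        pair = extract_src_dst(line)
        if pair is None:
            continue
        src, dst = pair
        if classify(dst) == "multicast" and classify(src) != "lan":
            findings.append(f"multicast {dst} from {src} ({classify(src)}) reached the LAN side")
    return findings


def outbound_findings(entries):
    """LAN hosts replying to other customers' SSDP/NetBIOS announcements on the
    transfer network: only Internet-bound traffic is expected to leave via NAT."""
    findings = []
    for src, dst, port in entries:
        kind = classify(dst)
        if kind in ("isp-transfer", "other-private"):
            findings.append(f"{src} -> {dst}:{port} targets the ISP's {kind} network; block at the home router")
    return findings


if __name__ == "__main__":
    for finding in inbound_findings(CAPTURE_LINES) + outbound_findings(OUTGOING_LOG):
        print(finding)
```

Run against the constructed input it reports the three leaked NOTIFY frames and the three 10.3.0.x follow-ups while leaving the Google connection alone; pointing `CAPTURE_LINES` and `OUTGOING_LOG` at real exports from Network Monitor and the Linksys log gives the same split, which is the evidence to hand to the ISP (inbound findings) and the rule set to apply locally (outbound findings).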

Author Comment

by:Chomps
ID: 39358608
Thank you for your response and sorry about the delay in responding; however, I am having difficulty in understanding your response.  I will give you full credit for the solution.

I am still not clear on why my internal computers would be trying to contact sockets on the network my ISP controls.  Are you saying that it is an incorrect configuration with my ISP's gateway router?  What sort of settings should they change?

Also, you mentioned a non-secured setup with my router.  What should I look for and what should be changed?  I have the default settings; however, it is about a 6-year-old Linksys.   Are you saying that my router should prevent my internal 192.168.14.... computers from trying to contact the 10.3.0... ports 9000 and 137?

Additionally what services would be running on my internal computers that are trying to connect to the 10.3.0..... sockets on my ISP's network?

Thanks again for your assistance.
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39363265
As said, those packets you receive are service notifications. If you call out on the street that you have free newspapers, some people will have a look at it, won't they? This is the same; someone is saying there is a service, and some of your devices want to get more information about it.

Yes, this is a misconfiguration, unless it is intended - and I don't think so. Service notifications can be used to tell e.g. there is a Windows Media Server available, presenting multimedia stuff for streaming.

You need to tell your ISP they should NOT allow multicasts (239.*) to get through the router/firewall.