Chomps
Outgoing Traffic shown in Router Log is Suspicious

I have noticed recently that my Outgoing Router Log (Linksys) has shown that my computer (Win 7 SP1, 64-bit OS) is contacting other devices with Private IP's beyond my router (using NAT) and before my building router.  I am in a multi-dwelling building, so there is a gateway (10.3.1.254) for my building.

A traceroute from my computer (192.168.14.50) to google shows something like this:

Tracing route to www.google.com [74.125.224.244]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.3.1.254
  2     2 ms     2 ms     1 ms  10.2.0.2
  3     2 ms     2 ms     2 ms  38..........
etc....

My router IP    - 10.3.0.45
Default Gateway - 10.3.1.254
Subnet Mask     - 255.255.254.0

So, my Outgoing Router Log shows that my computer is trying to connect to other private IP's and Ports as follows:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

I tried pinging and tracert to these IP's but got no response.

Why would my computer be contacting other Private IP's that are beyond my router and behind my building's gateway router?
Qlemo

There is something wrong with your IPs as you posted them. It is not possible for 192.168.14.50 to reach 10.3.0.45 directly. Your router certainly has a 192.168.14.x/24 address, and 10.3.0.45 is the "WAN" interface address then.

Port 9000 is used for Malware, but also for Buffalo Web Access.
Port 137 is used for WINS / NetBIOS Name Resolution.

That looks like there are management processes running wanting to access Buffalo NAS devices.
Chomps (ASKER)

192.168.14.50 is my internal computer IP, and the internal router IP is 192.168.14.1.  My router is running NAT and the router external IP is 10.3.0.45.
So it is exactly as I assumed in http:#a39197795.

What about having Buffalo NAS in your (non-internal) network?
Chomps (ASKER)

The network external to my router is controlled by my ISP.  I do not have a Buffalo NAS device, and I have no idea whether or not my ISP or another customer in my building has a Buffalo NAS device.  I still don't understand why my computer would be trying to contact a Buffalo NAS device.  Is there a service or protocol on my computer that I should look for?

I ran Network Monitor and found this:

Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424
Udp: SrcPort = 1900, DstPort = 1900, Length = 404
http: Request, NOTIFY *
SSDP: Request, NOTIFY *

83      10:14:44 AM 5/26/2013      19.4907019            10.3.0.165      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:39, UDP:38, IPv4:37}

101      10:14:57 AM 5/26/2013      33.0339170            10.3.0.209      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:50, UDP:49, IPv4:48}

Any ideas?
Those are SSDP (UPnP, Universal Plug'n'Play) notifications. A destination of 239.* also suggests that, because it is a multicast address to be used for local devices propagating their services. Common scenarios are multimedia storage devices notifying you of shared content (e.g. the Windows Media Server does that).
Your PC might or might not respond to such requests. However, your local router should filter those requests, and you should never see them, as they are network local (i.e. restricted to 10.3.0.0/23 (subnets 10.3.0.x and 10.3.1.x) or at least class A = 10.0.0.0/8 (subnets 10.*)).
Chomps (ASKER)

Thank you for all of the information, however, I am still not sure what to do about this situation.  Is the problem with my router or my ISP?

My outgoing router logs show that both of my internal computers have tried to contact the IP's that I have mentioned:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

It is your ISP's issue. If you are not interested in 10.3.x traffic (and I am sure you are not), you should not receive any. The ISP's gateway router should not broadcast that traffic to your router.
On the other hand, usually it is much easier to block multicasts and unwanted traffic at your own router. That you are able to receive that traffic is caused because you have a non-secured setup - your router should be isolated from the transfer network, and only receive "interesting" traffic (that is responses to requests from your location). That setup requires that your own router does all security filtering.

Having said that, I'm not clear about why you get traffic for different networks if your router applies NAT. NAT prohibits any broadcasting or multicasting with 239 IPs, unless explicitly forwarded.
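A small triage script, added here and not part of the thread, that applies the subnet reasoning from the two replies above (SSDP multicast is link-local to the 10.3.0.0/23 transfer network, and nothing from there should cross the NAT router) to constructed samples of the two logs posted: it labels each router-log destination against the posted WAN mask, picks out the non-LAN hosts that multicast SSDP NOTIFY, and reports which logged destinations are the same hosts. The "src dst port" log shape and the 10.3.0.209 frame are constructed assumptions, not the Linksys or Network Monitor output verbatim.

```python
import ipaddress

# Addresses as posted: WAN 10.3.0.45, mask 255.255.254.0 (10.3.0.0/23); LAN 192.168.14.0/24.
WAN_NET = ipaddress.ip_network("10.3.0.45/23", strict=False)
LAN_NET = ipaddress.ip_network("192.168.14.0/24")

# Constructed outgoing-log sample as "src dst port" (an assumed shape; the real Linksys layout differs).
ROUTER_LOG = """\
192.168.14.50 10.3.0.165 9000
192.168.14.50 10.3.0.165 137
192.168.14.50 10.3.0.209 9000
192.168.14.50 74.125.224.244 443
"""
# Constructed Network Monitor frames in the column order quoted in the thread:
# frame, time, AM/PM, date, offset, source, destination, protocol, description.
NETMON_CAPTURE = """\
83 10:14:44 AM 5/26/2013 19.4907019 10.3.0.165 239.255.255.250 SSDP SSDP:Request, NOTIFY *
101 10:14:57 AM 5/26/2013 33.0339170 10.3.0.209 239.255.255.250 SSDP SSDP:Request, NOTIFY *
"""

def classify(dst):
    # Where a destination sits relative to this LAN and the ISP's transfer network.
    ip = ipaddress.ip_address(dst)
    if ip in LAN_NET: return "lan"
    if ip.is_multicast: return "multicast"
    if ip in WAN_NET: return "isp-transfer-net"  # 10.3.0.x/10.3.1.x: normally hidden by NAT
    return "remote-private" if ip.is_private else "internet"

def suspicious_destinations(log):
    # Private destinations outside the LAN, with the ports the LAN hosts tried.
    found = {}
    for line in log.splitlines():
        _src, dst, port = line.split()
        if classify(dst) in ("isp-transfer-net", "remote-private"):
            found.setdefault(dst, set()).add(int(port))
    return found

def ssdp_announcers(capture):
    # Non-LAN hosts whose SSDP NOTIFY multicasts leaked into the capture.
    hosts = set()
    for line in capture.splitlines():
        src, dst, proto = line.split()[5:8]
        if proto == "SSDP" and dst == "239.255.255.250" and ipaddress.ip_address(src) not in LAN_NET:
            hosts.add(src)
    return hosts

def correlate(log=ROUTER_LOG, capture=NETMON_CAPTURE):
    # Router-log destinations that also announced themselves via SSDP.
    announcers = ssdp_announcers(capture)
    return {d: sorted(p) for d, p in suspicious_destinations(log).items() if d in announcers}
```

If `correlate()` returns a non-empty map, the hosts the LAN machines are reaching on 9000/137 are exactly the ones whose SSDP announcements got past the router, which points at filtering on the router or the ISP gateway rather than at the PCs themselves.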
Chomps (ASKER)

Thank you for your response and sorry about the delay in responding, however I am having difficulty in understanding your response.  I will give you full credit for the solution.

I am still not clear on why my internal computers would be trying to contact sockets on the network my ISP controls.  Are you saying that it is an incorrect configuration with my ISP's gateway router?  What sort of settings should they change?

Also you mentioned a non-secured setup with my router.  What should I look for and what should be changed?  I have the default settings, however, it is about a 6 year old Linksys.   Are you saying that my router should prevent my internal 192.168.14....computers from trying to contact the 10.3.0... \9000 and 137 ports?

Additionally what services would be running on my internal computers that are trying to connect to the 10.3.0..... sockets on my ISP's network?

Thanks again for your assistance.
ASKER CERTIFIED SOLUTION
Qlemo