Solved

Outgoing Traffic shown in Router Log is Suspicious

Posted on 2013-05-26
Last Modified: 2013-08-14
I have noticed recently that my Outgoing Router Log (Linksys) has shown that my computer (Win 7 SP1, 64-bit OS) is contacting other devices with Private IP's beyond my router (using NAT) and before my building router.  I am in a multi-dwelling building, so there is a gateway (10.3.1.254) for my building.

A traceroute from my computer (192.168.14.50) to google shows something like this:

Tracing route to www.google.com [74.125.224.244]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.3.1.254
  2     2 ms     2 ms     1 ms  10.2.0.2
  3     2 ms     2 ms     2 ms  38..........
etc....

My router IP    - 10.3.0.45
Default Gateway - 10.3.1.254
Subnet Mask     - 255.255.254.0

So, my Outgoing Router Log shows that my computer is trying to connect to other private IP's and Ports as follows:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

I tried pinging and tracert to these IP's but got no response.

Why would my computer be contacting other Private IP's that are beyond my router and behind my building's gateway router?
Question by:Chomps
9 Comments

Expert Comment

by:Qlemo
ID: 39197795
There is something wrong with your IPs as you posted them. It is not possible for 192.168.14.50 to reach 10.3.0.45 directly. Your router certainly has a 192.168.14.x/24 address, and 10.3.0.45 is the "WAN" interface address then.

Port 9000 is used for Malware, but also for Buffalo Web Access.
Port 137 is used for WINS / NetBIOS Name Resolution.

That looks like there are management processes running wanting to access Buffalo NAS devices.

Author Comment

by:Chomps
ID: 39197825
192.168.14.50 is my internal computer IP, and the internal router IP is 192.168.14.1.  My router is running NAT and the router external IP is 10.3.0.45.

Expert Comment

by:Qlemo
ID: 39197890
So it is exactly as I assumed in http:#a39197795.

What about having Buffalo NAS in your (non-internal) network?

Author Comment

by:Chomps
ID: 39197916
The network external to my router is controlled by my ISP.  I do not have a Buffalo NAS device, and I have no idea whether or not my ISP or another customer in my building has a Buffalo NAS device.  I still don't understand why my computer would be trying to contact a Buffalo NAS device.  Is there a service or protocol on my computer that I should look for?

I ran Network Monitor and found this:

Ipv4: Src = 10.3.0.100, Dest = 239.255.255.250, Next Protocol = UDP, Packet ID = 0, Total IP Length = 424
Udp: SrcPort = 1900, DstPort = 1900, Length = 404
http: Request, NOTIFY *
SSDP: Request, NOTIFY *

83      10:14:44 AM 5/26/2013      19.4907019            10.3.0.165      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:39, UDP:38, IPv4:37}

101      10:14:57 AM 5/26/2013      33.0339170            10.3.0.209      239.255.255.250      SSDP      SSDP:Request, NOTIFY *       {HTTP:50, UDP:49, IPv4:48}

Any ideas?

Expert Comment

by:Qlemo
ID: 39197930
Those are SSDP (UPnP, Universal Plug'n'Play) notifications. A destination of 239.* also suggests that, because it is a multicast address to be used for local devices propagating their services. Common scenarios are multimedia storage devices notifying you of shared content (e.g. the Windows Media Server does that).
Your PC might or might not respond to such requests. However, your local router should filter those requests, and you should never see them, as they are network local (i.e. restricted to 10.3.0.0/23 (subnets 10.3.0.x and 10.3.1.x) or at least class A = 10.0.0.0/8 (subnets 10.*)).

Author Comment

by:Chomps
ID: 39197982
Thank you for all of the information, however, I am still not sure what to do about this situation.  Is the problem with my router or my ISP?

My outgoing router logs show that both of my internal computers have tried to contact the IP's that I have mentioned:

10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137

Expert Comment

by:Qlemo
ID: 39198141
It is your ISP's issue. If you are not interested in 10.3.x traffic (and I am sure you are not), you should not receive any. The ISP's gateway router should not broadcast that traffic to your router.
On the other hand, usually it is much easier to block multicasts and unwanted traffic at your own router. That you are able to receive that traffic is caused because you have a non-secured setup - your router should be isolated from the transfer network, and only receive "interesting" traffic (that is responses to requests from your location). That setup requires that your own router does all security filtering.

Having said that, I'm not clear about why you get traffic for different networks if your router applies NAT. NAT prohibits any broadcasting or multicasting with 239 IPs, unless explicitly forwarded.

Author Comment

by:Chomps
ID: 39358608
Thank you for your response and sorry about the delay in responding, however I am having difficulty in understanding your response.  I will give you full credit for the solution.

I am still not clear on why my internal computers would be trying to contact sockets on the network my ISP controls.  Are you saying that it is an incorrect configuration with my ISP's gateway router?  What sort of settings should they change?

Also you mentioned a non-secured setup with my router.  What should I look for and what should be changed?  I have the default settings, however, it is about a 6-year-old Linksys.   Are you saying that my router should prevent my internal 192.168.14....computers from trying to contact the 10.3.0... \9000 and 137 ports?

Additionally what services would be running on my internal computers that are trying to connect to the 10.3.0..... sockets on my ISP's network?

Thanks again for your assistance.

Accepted Solution

by:Qlemo (earned 2000 total points)
ID: 39363265
As said, those packets you receive are service notifications. If you call out on the street you have free newspaper, some people will have a look at it, won't they? This is the same; someone is saying there is a service, and some of your devices want to get more information about it.

Yes, this is a misconfiguration, unless it is intended - and I don't think so. Service notifications can be used to tell e.g. there is a Windows Media Server available, presenting multimedia stuff for streaming.

You need to tell your ISP they should NOT allow multicasts (239.*) to get through the router/firewall.
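An added example (not from the thread or its participants) of the check Qlemo describes: it parses Network Monitor summary lines of the form quoted above together with the outgoing router-log entries, flags any multicast frame whose source lies in the 10.3.0.0/23 transfer network rather than the 192.168.14.0/24 LAN, and reports which router-log destinations match an SSDP notifier. The third capture line, the router-log text and all function names are constructed for this example.

```python
import ipaddress
import re
# Addressing from the thread: LAN router 192.168.14.1/24, WAN 10.3.0.45 with mask 255.255.254.0.
LAN = ipaddress.ip_network("192.168.14.0/24")
WAN = ipaddress.ip_network("10.3.0.45/255.255.254.0", strict=False)  # -> 10.3.0.0/23

# Constructed sample: the two Network Monitor frames quoted above plus a LAN-side frame for contrast.
CAPTURE = """\
83   10:14:44 AM 5/26/2013  19.4907019  10.3.0.165     239.255.255.250  SSDP  SSDP:Request, NOTIFY *    {HTTP:39, UDP:38, IPv4:37}
101  10:14:57 AM 5/26/2013  33.0339170  10.3.0.209     239.255.255.250  SSDP  SSDP:Request, NOTIFY *    {HTTP:50, UDP:49, IPv4:48}
140  10:15:02 AM 5/26/2013  38.1100000  192.168.14.50  239.255.255.250  SSDP  SSDP:Request, M-SEARCH *  {HTTP:60, UDP:59, IPv4:58}
"""
# Constructed router-log entries in the shape the poster listed them.
ROUTER_LOG = """\
10.3.0.100  Ports 9000 and 137
10.3.0.165  Ports 9000 and 137
10.3.0.209  Ports 9000 and 137
"""

def parse_frames(text):
    """Whitespace-split Network Monitor summary lines, keeping only SSDP frames."""
    frames = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 10 and t[7] == "SSDP":
            frames.append({"src": ipaddress.ip_address(t[5]),
                           "dst": ipaddress.ip_address(t[6]), "method": t[9]})
    return frames

def classify(frame):
    """Say whether a multicast frame belongs on the LAN side of the router."""
    if not frame["dst"].is_multicast:
        return "unicast"
    if frame["src"] in LAN:
        return "local-multicast"                # normal: announced by a LAN device
    if frame["src"] in WAN:
        return "leaked-from-transfer-network"   # the router should have dropped it
    return "foreign-multicast"

def parse_router_log(text):
    """Map each logged destination IP to the set of ports the PC tried."""
    entries = {}
    for m in (re.match(r"^\s*([\d.]+)\s+Ports?\s+(.*)$", l) for l in text.splitlines()):
        if m:
            entries[ipaddress.ip_address(m.group(1))] = {int(p) for p in re.findall(r"\d+", m.group(2))}
    return entries

def correlate(frames, log):
    """True for each router-log destination that also announced itself via leaked SSDP."""
    notifiers = {f["src"] for f in frames if classify(f) == "leaked-from-transfer-network"}
    return {ip: ip in notifiers for ip in log}
```

Running `correlate(parse_frames(CAPTURE), parse_router_log(ROUTER_LOG))` shows 10.3.0.165 and 10.3.0.209 as hosts that announced a service across the transfer network, while 10.3.0.100 has no matching frame in this sample capture.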