Odd Route to 1.1.1.1
15 years 11 months ago #28381
by ZiPPy
Odd Route to 1.1.1.1 was created by ZiPPy
I'm finding a very odd log on my firewall from a source address to a destination address.
The source address: internal 192.168.1.36
Source Port: 4736, 4740, 4748, 4764, 4768, 4772, 4776, 4784, 4788, 4762, 4796
Destination address: 1.1.1.1
Destination port: 80
I have anywhere from 30 to 50 connections, sometimes even more with the 192.168.1.36 address.
I'm confused about why it's routing to a 1.1.1.1 address. Isn't this usually for a gateway? We don't have a gateway 1.1.1.1 on the network; I don't think we have anything with a 1.1.1.1 address.
Am I missing something here?
Cheers,
ZiPPy
15 years 11 months ago #28406
by S0lo
Replied by S0lo on topic Re: Odd Route to 1.1.1.1
For 30 to 50 connections I wouldn't say it's a DoS attack. Not really sure, but are some of your PCs using PointCast? Here is why I'm asking:
seclists.org/bugtraq/1998/Nov/0008.html
Try switching off the PC that has the IP 192.168.1.36 and see if the same log comes again. If you don't know where this PC is, you can find out the MAC address and hopefully the name of the PC like this:
[code:1]nbtstat -A 192.168.1.36 [/code:1]
This should work if the PC is not firewalled and uses Windows.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 11 months ago #28442
by ZiPPy
Replied by ZiPPy on topic Re: Odd Route to 1.1.1.1
Hi S0lo,
None of our machines here at the office are using PointCast. I've been doing a little research and have been advised that this might be some sort of worm. Most of the sources say the threat is very low; nevertheless, it still resides on our network.
Possibility:
www.symantec.com/security_response/write...-3934-99&tabid=2
If I pump up the settings on the user's software firewall/web filter, the 1.1.1.1 logs do stop. But I can't really do that, as the user can't do her work.
So, I'm still investigating
ZiPPy
15 years 11 months ago #28443
by ZiPPy
Replied by ZiPPy on topic Re: Odd Route to 1.1.1.1
Now I'm starting to see routes to address 255.255.255.255 Source port: 67 and Destination port: 68
I see this for various IP addresses of users on the floor. What concerns me is that one of the routes for 255.255.255.255 is coming from our primary DNS server.
Is this related to my original issue with the 1.1.1.1 route?
Cheers,
ZiPPy
15 years 11 months ago #28444
by S0lo
Replied by S0lo on topic Re: Odd Route to 1.1.1.1
Is this related to my original issue with the 1.1.1.1 route?
I don't think so. 255.255.255.255 is a broadcast address that is used by some services like RIP advertisements or DHCP (BOOTP) broadcasts. Ports 67 and 68 are used by DHCP; your DNS server is probably also your DHCP server. Or is it not?
More info: en.wikipedia.org/wiki/Dynamic_Host_Confi...l#DHCP_and_firewalls
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
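As an added example (not from this thread or any of its posters), a small Python triage script that applies the two distinctions made in the replies to constructed firewall log lines: repeated internal-to-external connections to one destination such as 192.168.1.36 -> 1.1.1.1:80 are flagged so the host can be identified (e.g. with nbtstat as suggested above), while port 67/68 traffic to 255.255.255.255 is classified as DHCP/BOOTP broadcast. The `src=A:port dst=B:port` log format and the sample lines are assumptions; real firewall formats differ.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumed log format "src=A:port dst=B:port"; adjust LOG_RE for a real firewall.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample lines modelled on the thread, not real firewall output.
SAMPLE_LOG = """\
src=192.168.1.36:4736 dst=1.1.1.1:80
src=192.168.1.36:4740 dst=1.1.1.1:80
src=192.168.1.36:4748 dst=1.1.1.1:80
src=192.168.1.36:4764 dst=1.1.1.1:80
src=192.168.1.10:68 dst=255.255.255.255:67
src=192.168.1.2:67 dst=255.255.255.255:68
src=192.168.1.20:51000 dst=203.0.113.5:443
"""

def parse(log):
    """Yield (src, sport, dst, dport) for each line matching LOG_RE."""
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def is_dhcp_broadcast(sport, dst, dport):
    """DHCP/BOOTP to the limited broadcast address: client 68->67 or server 67->68."""
    return dst == "255.255.255.255" and {sport, dport} == {67, 68}

def triage(log, threshold=3):
    """Return (repeated, dhcp): repeated maps (src, dst, dport) -> count for
    private->public connections seen at least `threshold` times; dhcp lists
    the broadcast lines that are expected when a DHCP server is on the LAN."""
    counts = defaultdict(int)
    dhcp = []
    for src, sport, dst, dport in parse(log):
        if is_dhcp_broadcast(sport, dst, dport):
            dhcp.append((src, sport, dst, dport))
        elif ip_address(src).is_private and ip_address(dst).is_global:
            counts[(src, dst, dport)] += 1
    repeated = {k: v for k, v in counts.items() if v >= threshold}
    return repeated, dhcp

if __name__ == "__main__":
    repeated, dhcp = triage(SAMPLE_LOG)
    for (src, dst, dport), n in repeated.items():
        print(f"{src} -> {dst}:{dport}: {n} connections, identify host (nbtstat -A {src})")
    print(f"{len(dhcp)} DHCP broadcast lines (expected if a DHCP server is on the LAN)")
```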