TOPIC: Odd Route to 1.1.1.1

Odd Route to 1.1.1.1 9 years 6 months ago #28381

  • ZiPPy
I'm finding a very odd log on my firewall from a source address to a destination address.

The source address: internal 192.168.1.36
Source Port: 4736, 4740, 4748, 4764, 4768, 4772, 4776, 4784, 4788, 4762, 4796
Destination address: 1.1.1.1
Destination port: 80

I have anywhere from 30 to 50 connections, sometimes even more with the 192.168.1.36 address.

I'm confused on why it's routing to a 1.1.1.1 address. Isn't this usually for a gateway? We don't have a gateway 1.1.1.1 on the network, I don't think we have anything with a 1.1.1.1 address.

Am I missing something here?


Cheers,

ZiPPy


Re: Odd Route to 1.1.1.1 9 years 6 months ago #28406

  • S0lo
For 30 to 50 connections I wouldn't say it's a DoS attack. Not really sure, but are some of your PCs using PointCast? Here is why I'm asking: seclists.org/bugtraq/1998/Nov/0008.html

Try switching off the PC that has the IP 192.168.1.36 and see if the same log comes again. If you don't know where this PC is, you can find out the MAC address and hopefully the name of the PC like this:

    nbtstat -A 192.168.1.36

This should work if the PC is not firewalled and uses Windows.


Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Odd Route to 1.1.1.1 9 years 6 months ago #28442

  • ZiPPy
Hi S0lo,

None of our machines here at the office are using PointCast. I've been doing a little research and have been advised that this might be some sort of worm. Most of the sources say the threat is very low; nevertheless it still resides on our network.

Possibility:
www.symantec.com/security_response/write...-3934-99&tabid=2

If I pump up the settings on the user's software firewall/web filter the 1.1.1.1 logs do stop. But I can't really do that as the user can't do her work.

So, I'm still investigating.

ZiPPy


Re: Odd Route to 1.1.1.1 9 years 6 months ago #28443

  • ZiPPy
Now I'm starting to see routes to address 255.255.255.255, source port 67 and destination port 68.

I see this for various IP addresses of users on the floor. What concerns me is that one of the routes for 255.255.255.255 is coming from our primary DNS server.

Is this related to my original issue with the 1.1.1.1 route?


Cheers,

ZiPPy


Re: Odd Route to 1.1.1.1 9 years 6 months ago #28444

  • S0lo

> Is this related to my original issue with the 1.1.1.1 route?

I don't think so. 255.255.255.255 is a broadcast address that is used by some services like RIP advertisements or DHCP (BOOTP) broadcasts. Ports 67 and 68 are used by DHCP; your DNS server is probably also your DHCP server. Or is it not?

More info: en.wikipedia.org/wiki/Dynamic_Host_Confi...l#DHCP_and_firewalls


Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
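
Added example, not part of any post in this thread: a triage pass over firewall log lines that separates the two patterns discussed above, DHCP broadcasts to 255.255.255.255 on ports 67/68 versus one internal host repeatedly opening connections to the same off-LAN destination. The CSV layout, the 192.168.1.0/24 LAN range, the threshold and all sample rows other than the thread's 192.168.1.36 entries are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Source ports quoted in the first post; every other sample row is constructed.
SRC_PORTS = [4736, 4740, 4748, 4764, 4768, 4772, 4776, 4784, 4788, 4762, 4796]
# Hypothetical CSV export layout: src,sport,dst,dport,proto
SAMPLE_LOG = "\n".join(
    [f"192.168.1.36,{p},1.1.1.1,80,tcp" for p in SRC_PORTS]
    + ["192.168.1.10,67,255.255.255.255,68,udp",   # constructed: DHCP server reply
       "192.168.1.52,68,255.255.255.255,67,udp",   # constructed: DHCP client request
       "192.168.1.40,51500,192.168.1.10,53,udp",   # constructed: internal DNS lookup
       "truncated,line"])                          # constructed: malformed entry

DHCP_PORTS = {67, 68}

def triage(log_text, local_net="192.168.1.0/24", min_ports=10):
    """Return (repeated_flows, dhcp_sources).

    repeated_flows maps (src, dst, dport) to the sorted source ports seen, for
    off-LAN destinations reached from at least min_ports distinct source ports.
    dhcp_sources lists hosts sending UDP 67/68 traffic to 255.255.255.255.
    """
    net = ipaddress.ip_network(local_net)  # assumed LAN range
    flows = defaultdict(set)
    dhcp_sources = set()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines
        src, sport, dst, dport, proto = (field.strip() for field in row)
        try:
            sport, dport = int(sport), int(dport)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # non-numeric port or invalid address
        if (dst == "255.255.255.255" and proto.lower() == "udp"
                and {sport, dport} <= DHCP_PORTS):
            dhcp_sources.add(src)               # ordinary DHCP broadcast
        elif dst_ip not in net:
            flows[(src, dst, dport)].add(sport)  # off-LAN destination
    repeated = {k: sorted(v) for k, v in flows.items() if len(v) >= min_ports}
    return repeated, sorted(dhcp_sources)

if __name__ == "__main__":
    repeated, dhcp = triage(SAMPLE_LOG)
    for (src, dst, dport), ports in repeated.items():
        print(f"{src} -> {dst}:{dport} from {len(ports)} source ports")
    print("DHCP broadcast sources:", ", ".join(dhcp))
```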