TOPIC: Odd Route to 1.1.1.1

Odd Route to 1.1.1.1 8 years 5 days ago #28381

  • ZiPPy
I'm finding a very odd log on my firewall from a source address to a destination address.

The source address: internal 192.168.1.36
Source Port: 4736, 4740, 4748, 4764, 4768, 4772, 4776, 4784, 4788, 4762, 4796
Destination address: 1.1.1.1
Destination port: 80

I have anywhere from 30 to 50 connections, sometimes even more with the 192.168.1.36 address.

I'm confused about why it's routing to a 1.1.1.1 address. Isn't this usually for a gateway? We don't have a gateway 1.1.1.1 on the network, and I don't think we have anything with a 1.1.1.1 address.

Am I missing something here?


Cheers,

ZiPPy

Re: Odd Route to 1.1.1.1 8 years 3 days ago #28406

  • S0lo
For 30 to 50 connections I wouldn't say it's a DoS attack. Not really sure, but are some of your PCs using PointCast? Here is why I'm asking: seclists.org/bugtraq/1998/Nov/0008.html

Try switching off the PC that has the IP 192.168.1.36 and see if the same log comes again. If you don't know where this PC is, you can find out the MAC address and hopefully the name of the PC like this:

    nbtstat -A 192.168.1.36

This should work if the PC is not firewalled and uses Windows.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Odd Route to 1.1.1.1 7 years 11 months ago #28442

  • ZiPPy
Hi S0lo,

None of our machines here at the office are using PointCast. I've been doing a little research and have been advised that this might be some sort of worm. Most of the sources say the threat is very low; nevertheless, it still resides on our network.

Possibility:
www.symantec.com/security_response/write...-3934-99&tabid=2

If I pump up the settings on the user's software firewall/web filter, the 1.1.1.1 logs do stop. But I can't really do that as the user can't do her work.

So, I'm still investigating.

ZiPPy

Re: Odd Route to 1.1.1.1 7 years 11 months ago #28443

  • ZiPPy
Now I'm starting to see routes to address 255.255.255.255, source port: 67 and destination port: 68.

I see this for various IP addresses of users on the floor. What concerns me is that one of the routes for 255.255.255.255 is coming from our primary DNS server.

Is this related to my original issue with the 1.1.1.1 route?


Cheers,

ZiPPy

Re: Odd Route to 1.1.1.1 7 years 11 months ago #28444

  • S0lo
Is this related to my original issue with the 1.1.1.1 route?

I don't think so. 255.255.255.255 is a broadcast address that is used by some services like RIP advertisements or DHCP (BOOTP) broadcasts. Ports 67 and 68 are used by DHCP; your DNS server is probably also your DHCP server. Or is it not?

More info: en.wikipedia.org/wiki/Dynamic_Host_Confi...l#DHCP_and_firewalls
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
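
Added example, not part of the thread or written by either poster: a small Python triage of firewall log entries like the ones discussed above. It sets aside DHCP broadcasts to 255.255.255.255 on ports 67/68 and reports any internal host that opens many connections from different source ports to the same external address and port, as 192.168.1.36 does to 1.1.1.1:80. The log line layout, the 192.168.1.0/24 LAN range, the threshold and the function name are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
BROADCAST = "255.255.255.255"
DHCP_PORTS = {(67, 68), (68, 67)}  # server->client and client->server

# Constructed sample entries, assumed layout: "proto src sport dst dport"
SAMPLE_LOG = [
    f"tcp 192.168.1.36 {p} 1.1.1.1 80"
    for p in (4736, 4740, 4748, 4764, 4768, 4772, 4776, 4784, 4788, 4762, 4796)
] + [
    "udp 192.168.1.10 67 255.255.255.255 68",   # DHCP server reply
    "udp 0.0.0.0 68 255.255.255.255 67",        # DHCP client discover
    "tcp 192.168.1.40 5001 192.168.1.10 53",    # internal traffic, ignored
    "garbled line",                             # malformed, skipped
]


def triage(lines, threshold=10):
    """Return (DHCP broadcast sources, repeated outbound flows).

    A flow is (src, dst, dport); its value is the number of distinct
    source ports seen, i.e. separate connections to the same service.
    """
    dhcp_sources = set()
    flows = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, src, sport, dst, dport = parts
        try:
            sport, dport = int(sport), int(dport)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if proto == "udp" and dst == BROADCAST and (sport, dport) in DHCP_PORTS:
            dhcp_sources.add(src)        # expected DHCP/BOOTP chatter
        elif dst_ip not in INTERNAL:
            flows[(src, dst, dport)].add(sport)
    repeated = {k: len(v) for k, v in flows.items() if len(v) >= threshold}
    return sorted(dhcp_sources), repeated


if __name__ == "__main__":
    dhcp, repeated = triage(SAMPLE_LOG)
    print("DHCP broadcast sources:", dhcp)
    for (src, dst, dport), count in repeated.items():
        print(f"{src} -> {dst}:{dport} from {count} source ports")
```
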