Who/what is 10.137.7.254 ?

11-10-2004, 16:49   #1
Lee

I'm having a few probs with my router rebooting itself. It's a Buffalo AirStation wireless router (although I am connected via ethernet at the mo).

It's only started happening recently, so am trying to narrow down possibilities as to what's causing it.

If I look at the router logs, there are thousands of blocked connections which read like this:

2004/10/10 16:45:33 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)
2004/10/10 16:45:33 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)
2004/10/10 16:43:58 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)
2004/10/10 16:43:58 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)

Can anyone explain what they are? The IP is the first hop away from my PC, so I'm guessing it's the UBR?

Is there any chance that this could be causing my router to reboot?

11-10-2004, 17:12   #2
Aragorn

Lee,

UDP port 68 is the bootp port, so it's 'possible' that someone has attached a PC to your local UBR that's trying to find a bootp server. (Could happen if a hard drive has failed and the PC is allowed to boot on LAN.)

There was an old virus/worm that used UDP 68 (see http://www.us-cert.gov/current/services_ports.html) but I would think it's unlikely to be this.

I doubt whether this would cause the router to fail, but you could check with Buffalo's knowledge base to see if there are problems with bootp.

HTH

11-10-2004, 17:15   #3
nffc

Begins with a 10, it's something on your LAN, or something on the LAN your router's connected to.

11-10-2004, 17:16   #4
pirret

Hi Lee this is what I have found for you if you're interested

11-10-2004, 17:22   #5
Graham M

Beginning with a 10, it would have to be something local.

C:\Documents and Settings\Graham>tracert www.cableforum.co.uk
Tracing route to cableforum.co.uk [66.199.235.18]
over a maximum of 30 hops:
1 10 ms 1 ms <1 ms 192.168.2.1 MY ROUTER
2 12 ms 10 ms 26 ms 10.115.64.1 UBR?
3 10 ms 15 ms 21 ms pool-t2cam1-a-ge93.inet.ntl.com [80.5.168.5]
4 11 ms 10 ms 13 ms sot3-t2core-a-pos71.inet.ntl.com [80.4.225.9]
5 11 ms 9 ms 12 ms win-bb-a-so-020-0.inet.ntl.com [62.253.185.49]
6 14 ms 15 ms 11 ms gfd-bb-b-so-500-0.inet.ntl.com [213.105.172.130]
7 15 ms 22 ms 12 ms tele-ic-2-so-100-0.inet.ntl.com [62.253.185.74]
8 12 ms 15 ms 12 ms linx.ge-0-0-0.gbr1.ltn.nac.net [195.66.224.94]
9 80 ms 80 ms 90 ms 0.ge-6-2-0.gbr2.nyc.nac.net [209.123.11.181]
10 91 ms 232 ms 138 ms 94.gi4-2.esd1.nyc.nac.net [64.21.102.14]
11 83 ms 82 ms 84 ms 10.gi1-1.esd1.tlw.nac.net [209.123.11.230]
12 93 ms 87 ms 90 ms ezzi-2.customer.tlw.nac.net [207.99.110.174]
13 91 ms 90 ms 90 ms 65.125.239.146
14 99 ms 101 ms 91 ms phoenix.cableforum.co.uk [66.199.235.18]
Trace complete.

11-10-2004, 18:08   #6
Fractal Helix

I tried to telnet to it and got what looks like a Cisco login screen though I can't be 100% sure. Does NTL use a lot of Cisco equipment - I would imagine they do?

Obviously it's got to be internal with it being a private address as others have said already.

It only has UDP ports 69 and 123 open, TFTP and NTP respectively, and can't check TCP ports as its name doesn't resolve to anything.

Don't know how much this helps matters but I'd hazard a guess at it being a router...a Cisco router.....

11-10-2004, 19:02   #7
SMHarman

The UBRs are Cisco equipment. So it looks like it is your UBR.

11-10-2004, 19:25   #8
Jez

It *is* the UBR - see the thread triggered by my similar query a while back: http://www.cableforum.co.uk/board/sh...ad.php?t=18194

My router was reporting DOS warnings triggered by the UBR - the advice was to configure the firewall to let these through, but since my router's firewall won't let me do this (Belkin), the upshot was as long as things were working OK it was alright to ignore the false alarms being triggered ...

11-10-2004, 19:30   #9
BBKing

Definitely your UBR, on one of its private IPs.

11-10-2004, 20:32   #10
Lee

Thanks for all of the replies.

So not likely to cause any problems then?

11-10-2004, 22:03   #11
Ignition

Quote:
Originally Posted by pirret
Hi Lee this is what I have found for you if you're interested

Ugh!

For reference the following IP ranges are private IP ranges therefore owned by no-one and doing a whois on them won't yield anything usable:

10.0.0.0 - 10.255.255.255 - 10.0.0.0 / 8 or 10.0.0.0 mask 255.0.0.0
172.16.0.0 - 172.31.255.255 - 172.16.0.0 / 12 or 172.16.0.0 mask 255.240.0.0
192.168.0.0 - 192.168.255.255 - 192.168.0.0 / 16 or 192.168.0.0 mask 255.255.0.0

Hope that helps for future reference and saves any more whois action on those babies.

11-10-2004, 23:48   #12
Matth

It's DHCP broadcasts - what DOES matter, is that the router DOES take them when it needs to (when it has no address at startup).
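
An added example, not part of the thread or any poster's code: a triage script for router log lines in the format quoted in the first post. It flags DHCP server broadcasts (UDP port 67 to 255.255.255.255:68), as identified in the last reply, and checks each source against the three private ranges listed in post #11. The function names and the sample lines marked constructed are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Private (RFC 1918) ranges, as listed in post #11.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the router log format quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) FIREWALL (?P<proto>UDP|TCP) "
    r"connection denied from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) \((?P<iface>\w+)\)$")

# Two lines copied from the first post, plus two constructed ones.
SAMPLE = [
    "2004/10/10 16:45:33 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)",
    "2004/10/10 16:43:58 FIREWALL UDP connection denied from 10.137.7.254:67 to 255.255.255.255:68 (eth1)",
    "2004/10/10 16:44:10 FIREWALL TCP connection denied from 203.0.113.7:4312 to 192.0.2.10:23 (eth1)",  # constructed
    "router restarted",  # constructed, does not match the format
]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def classify(line):
    # Returns a dict describing one denied connection, or None if unparseable.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    try:
        e["src_private"] = is_rfc1918(e["src"])
    except ValueError:  # digits and dots, but not a valid IPv4 address
        return None
    ports = (e["proto"], int(e["sport"]), int(e["dport"]))
    if ports == ("UDP", 67, 68):  # DHCP/BOOTP server -> client
        e["kind"] = ("dhcp-server-broadcast" if e["dst"] == "255.255.255.255"
                     else "dhcp-server-unicast")
    elif ports == ("UDP", 68, 67):  # DHCP/BOOTP client -> server
        e["kind"] = "dhcp-client"
    else:
        e["kind"] = "other"
    return e

def summarize(lines):
    # Counts entries per (kind, source, source-is-private); key None = unparsed.
    counts = Counter()
    for line in lines:
        e = classify(line)
        counts[(e["kind"], e["src"], e["src_private"]) if e else None] += 1
    return counts
```

Calling `summarize()` on a saved log groups the thousands of identical denials into one counted row per source, which makes anything that is not upstream DHCP traffic stand out.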