Firewall spots continuous traffic


kenseaton
12-06-2004, 18:56
Hi

I'm using Sygate personal firewall and over the past month I've noticed that the icon is showing a virtually permanent contact with address 172.31.55.254. It back traces to blackhole-1.iana.org at IANA and ntl customer support says it's just a sign of increased email traffic.
However ... I don't like something going on that I don't know about and I wondered if anyone had any clues. I'm seeing incoming traffic history registering 54-600B virtually constantly.

thanks

Ken
Glasgow

Chris W
12-06-2004, 19:02
:welcome: to the site!

I am not sure if you can do it with sygate, but can you configure the firewall to block connections to 172.31.55.254?

It sounds like some kind of spyware on the pc is trying to connect to this. Run adaware (http://tinyurl.com/tek5) to clear any spyware from the pc.

Tricky
12-06-2004, 19:30
172.16.0.0 --> 172.31.255.255 are generally used for private networks within orgs. (172.16.x.x especially if your network was designed by BT - which is great when two companies merge!)

Have you created any VPNs back to your office or anything that might still be trying to connect out/in?
Are you running anything else that might be causing the traffic?

Paul
12-06-2004, 21:08
> Hi
>
> I'm using Sygate personal firewall and over the past month I've noticed that the icon is showing a virtually permanent contact with address 172.31.55.254. It back traces to blackhole-1.iana.org at IANA and ntl customer support says it's just a sign of increased email traffic.
> However ... I don't like something going on that I don't know about and I wondered if anyone had any clues. I'm seeing incoming traffic history registering 54-600B virtually constantly.
>
> thanks
>
> Ken
> Glasgow

At a guess I would say that is probably your ubr's default gateway private address - and the traffic is genuine local broadcast packets. :) Try pinging it - if you can, that would be further evidence that this is, in fact, the explanation.

Edit : even better - do a tracert to cableforum.co.uk and see if this address is one of the first hops. :)

kenseaton
13-06-2004, 14:28
> At a guess I would say that is probably your ubr's default gateway private address - and the traffic is genuine local broadcast packets. :) Try pinging it - if you can, that would be further evidence that this is, in fact, the explanation.
>
> Edit : even better - do a tracert to cableforum.co.uk and see if this address is one of the first hops. :)



OK, here's the tracert detail (below) and, as you say, the 173 address is the first hop... what I don't understand is why it's showing up on the Sygate traffic log all the time, especially as it's only been happening over the past month or so.

Ken

>>
Tracing route to cableforum.co.uk [66.199.235.18]
over a maximum of 30 hops:

1 27 ms 14 ms 14 ms 172.31.55.254
2 14 ms 27 ms <10 ms renf-t2cam1-a-v111.inet.ntl.com [80.4.64.
3 14 ms 13 ms 14 ms renf-t2core-a-ge-wan61.inet.ntl.com [62.2
57]
4 14 ms 14 ms 13 ms ren-bb-a-so-200-0.inet.ntl.com [62.253.18
5 <10 ms 13 ms 28 ms ren-bb-b-ae0-0.inet.ntl.com [62.253.185.1
6 14 ms 28 ms 13 ms man-bb-a-so-600-0.inet.ntl.com [62.253.18
7 28 ms 41 ms 28 ms ycr2-so-3-0-0.Manchester.cw.net [208.175.
8 27 ms 28 ms 27 ms bcr2-so-3-0-0.Thamesside.cw.net [166.63.2
9 96 ms 110 ms 137 ms dcr1.nyk.cw.net [195.2.1.3]
10 96 ms 110 ms 96 ms so-0-0-0-ecr1.nyk.cw.net [195.2.3.14]
11 96 ms 96 ms 96 ms nyiix.ezzi.net [198.32.160.106]
12 110 ms 96 ms 96 ms 65.125.239.41
13 110 ms 96 ms 97 ms 65.125.239.129
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * *
<<

BBKing
13-06-2004, 15:54
Firstly a bit of education. Addresses starting 172.16 to 172.31, 192.168 or 10 are *private* addresses. This means companies or individuals can use them internally but they are not reachable from outside the company. NTL use the 10 and 172.16-31 ranges for addressing your cable modem, since there's no reason why the modem itself should be accessible from outside ntl.

Thus 172.16.55.254 is a private non-routable address used on the ntl network. In fact, it's the default gateway for your cable modem and just happens to be the first address on your local UBR (the device that connects you to the Internet). Thus it is used as the source for any traffic the UBR sends to your PC, including DHCP renewals.

Robin Walker in his cable modem notes recommends allowing this IP address through the firewall. There's certainly nothing to worry about.

Matth
13-06-2004, 22:15
UDP traffic?
I see a lot of broadcast DHCP traffic from my UBR - at first, with my firewall identifying it as DHCP, I thought MY system was generating abnormal amounts of DHCP (since the rule called it OUTGOING DHCP), but showing more of the logging parameters identified it as broadcast FROM the UBR.

On startup, you broadcast a DHCP request, the UBR forwards it to the DHCP, and then broadcasts the reply - and you receive all broadcast traffic.
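
The checks BBKing and Matth describe, put into a small triage script as an added example (not code from the thread): is the flagged address RFC 1918 private space, is it hop 1 of your tracert (the UBR's gateway address), and is the traffic from it DHCP on UDP 67/68? The log line format is constructed for the example; only hop 1 is taken from Ken's tracert.

```python
# Added example (not from the thread): is the address your firewall keeps flagging just
# your upstream gateway (the UBR), as the replies conclude, and is its traffic DHCP?
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges as BBKing lists them: 10/8, 172.16-172.31, 192.168.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Windows tracert hop line: "  1    27 ms    14 ms    14 ms  172.31.55.254"
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}(\S+)")

def is_rfc1918(ip):
    """True for addresses that cannot be reached from the public Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def first_hop(tracert_text):
    """Address (or name) reported for hop 1, i.e. the default gateway, or None."""
    for line in tracert_text.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(1) == "1":
            return m.group(2)
    return None

def classify(entry, gateway):
    """Label a constructed log line: proto,remote_ip,remote_port,local_ip,local_port,dir,bytes."""
    proto, remote_ip, rport, _local, lport, _dir, _size = entry.split(",")
    if remote_ip == gateway:
        # DHCP is UDP 67 (server) / 68 (client): lease renewals and relayed broadcast replies.
        if proto == "UDP" and {int(rport), int(lport)} & {67, 68}:
            return "gateway-dhcp"
        return "gateway-other"
    if is_rfc1918(remote_ip):
        return "private-unexpected"  # private space but not our gateway: look closer
    return "public"

def triage(log_lines, tracert_text):
    """Count events per label so a 'constant' indicator can be explained or escalated."""
    gw = first_hop(tracert_text)
    return dict(Counter(classify(line, gw) for line in log_lines))

# Constructed sample log (not Sygate's real format); hop 1 copied from Ken's tracert.
SAMPLE_LOG = [
    "UDP,172.31.55.254,67,10.12.34.56,68,incoming,328",
    "UDP,172.31.55.254,67,10.12.34.56,68,incoming,54",
    "TCP,66.199.235.18,80,10.12.34.56,3421,incoming,600",
    "UDP,172.16.9.9,137,10.12.34.56,137,incoming,78",
]
SAMPLE_TRACERT = ("Tracing route to cableforum.co.uk [66.199.235.18]\n"
                  "  1    27 ms    14 ms    14 ms  172.31.55.254\n")
```

Running `triage(SAMPLE_LOG, SAMPLE_TRACERT)` on the constructed log gives two gateway DHCP events, one public connection and one private address that is not the gateway and so deserves a closer look.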

kenseaton
13-06-2004, 23:47
OK ... I get all that, but why is the traffic signal continuous?

And why has it only just started?

The Sygate arrows did not show the same traffic two months ago ... and a Google search shows blackhole-1 etc as a catch-all for email snafus.

Ken

kenseaton
17-06-2004, 17:44
;) Curiously, since I started this post the continuous traffic has ceased...