New Life Games Tech Forums

NLG Members who host their own Repair Logs of Various Games. => RickHunters Computer Help 101 => Topic started by: SAT (aka GANDHI) on September 30, 2008, 08:19:24 PM



Title: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:19:24 PM
My traffic log shows a constant polling from this address 10.217.224.1 - my ISP can supply no info - the trace goes nowhere - yet I am getting polled every 5 secs - this has been going on for months. Google shows me nothing - my firewall does block it - but still would like to know what is going on. thanks.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:19:40 PM
Quote from: SAT (aka GANDHI)
My traffic log shows a constant polling from this address 10.217.224.1 - my ISP can supply no info - the trace goes nowhere - yet I am getting polled every 5 secs - this has been going on for months. Google shows me nothing - my firewall does block it - but still would like to know what is going on. thanks.


Your WHOIS Search Results
10.217.224.1
Record Type:   IP Address

 
OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   10.0.0.0 - 10.255.255.255
CIDR:       10.0.0.0/8
NetName:    RESERVED-10
NetHandle:  NET-10-0-0-0-1
Parent:     
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information:
Comment:    http://www.arin.net/reference/rfc/rfc1918.txt
RegDate:   
Updated:    2007-11-27

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:19:53 PM
Since it is supposed to be IANA reserved (anything w/ a 10 in the first Octal is a private network not to be issued to the general public), it is more than likely someone accidentally or purposefully hitting your network.  Small possibility that your provider is using that address for a router; it should not be originating traffic though.  You can either write to the abuse e-mail since that traffic should not see the light of day or call your provider to stop it further up.  All that being said, if your router firewall is catching it, it should not be a big deal.

http://en.wikipedia.org/wiki/Private_network

If you want to go really crazy you can read what they are sending you with a packet sniffer program. (Ethereal Network Analyzer or something like that)

- Brian



Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:20:08 PM
Google "BLACKHOLE-1.IANA.ORG" and get more confused.



Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:20:28 PM
I emailed and called and the answer was - basically none of my business. My firewall does not classify this one as a threat - and I do get polled by other IPs as well - but this one every 5 secs does seem a bit strange. Thanks again.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:21:33 PM
Quote from: IANA Abuse FAQ
Q5: How busy are the blackhole servers?

A5: While rates vary, the blackhole servers generally answer thousands of queries per second. In the past couple of years the number of queries to the blackhole servers has increased dramatically. It is believed that the large majority of those queries occur because of "leakage" from intranets that are using the RFC 1918 private addresses. This can happen if the private intranet is internally using services that automatically do reverse queries, and the local DNS resolver needs to go outside the intranet to resolve these names. For well-configured intranets, this shouldn't happen. Users of private address space should have their local DNS configured to provide responses to inverse lookups in the private address space.

Did you call IANA or your ISP?

I suppose that if you are inside your ISP's firewall it might be allowed if the activity is being produced by the ISP, but then again, it might not. Even if it is your ISP's activity it doesn't seem to be best practice to hit their customers' assigned IPs every 5 seconds.

If you did not contact your ISP I would try that if you would still like to resolve the mystery/problem. They might have an internal issue that they are unaware of and that needs resolving.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:21:57 PM
I called and emailed my ISP and emailed the IANA abuse line - no one had an answer nor would take any time to resolve. The only "hit" I found using Google was some website (foreign) that had this IP address embedded in some other issues but did not mention it in conjunction with the issue they were discussing. I guess BLACKHOLE is just the way it is. No Harm - no Foul at this point.  Maybe most people don't look at their activity logs to see what their computer is up to.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:22:09 PM
You are being scanned.  The 10.x.x.x addresses are white papered to never be released as public addresses and are thus used for internal networks only (like the 192.168.x.x that all routers like to use).  If your log shows the IP as 10.x.x.x that means the person is purposely trying to hide his identity by spoofing his address.  Do you have a wireless network?  Has it been compromised before?


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:22:35 PM
have not been hacked - I have had viruses a long time ago when they became a daily occurrence. I have changed ISPs in the past 2 months - so this would not apply as my address would have changed.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:22:53 PM
Do you have more than 1 computer on your local network?  It's been my experience that the polling activity comes from a bot that is advertising.  I'm just curious if you have more than 1 machine, maybe you should shut down the machine you use normally for a few days and only use the secondary one to see if the polling stops.  Do you have a static IP?


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:23:11 PM
sorry - just the one machine - used to have DSL - now Road Runner. Never was on any network. Really strange for a hacker to be that persistent - 24/7 every 5 secs.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:24:16 PM
Is roadrunner cable?  If so, that might be why you are being targeted. 


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:24:30 PM
Quote from: SAT (aka GANDHI)
Is roadrunner cable?  If so, that might be why you are being targeted.

Why is that Rick?

I also have roadrunner so I'm interested.


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:24:52 PM
Cable service is shared amongst the subscribers in your immediate neighborhood.  Since it's pretty much a split signal, someone can just snoop his cable line for other traffic to see what is going on.  I can put a computer running a sniffer program to monitor network activity for everyone who has cable service and who shares the cable signal with me.  Unlike DSL, where there's a unique line that goes all the way to the central office, cable internet has one long and very thick cable to a distribution center for your neighborhood which then is split up to the individual boxes that typically serve a group of homes.  It's the run between your house and your neighborhood distribution center that is shared amongst all of your neighbors.  Does this make sense to you?  There's nothing "wrong" with the setup, it's just the nature of the beast.  It is especially important for people on cable lines to make sure that any time you put Soc Sec #'s, credit cards and any other private info, whichever way you send the information, it's encrypted, be it SSL or any other strong encryption method.  If you have a bad apple sharing your cable line, he can just have a computer monitoring traffic and thus filtering info for things that look like CC #'s, bank accounts, etc.  Not very nice at all.

foxslots, does your router/firewall report what ports are being polled for activity?


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:25:20 PM
If you get headaches easily from reading techie stuff then stop now.

OK... you've been warned!

If you are ever bored or battling insomnia Google for RFC 1918. The RFC is a "Request for Comments" and #1918 discusses private reserved IP addresses.

IP Addresses in the 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255 ranges are privately allocated addresses. These are not routable on the internet.

Now your big ISPs will use them on the customer side then have a huge proxy server or other device to translate those private addresses they give you into publicly routable addresses. What you are seeing is either some other subscriber on the cable network OR a machine owned by the cable network company. Yes, it is probably an infected machine trying to connect to your PC.

If you are seeing ICMP traffic (also known as 'ping' traffic) to your PC and your PC's firewall is set to not respond then that's all you'll see. If your PC responds to the ping then you'll usually see another connection attempt to your PC on a common communications port (80 for www, 21 for ftp, 135-139 for Windows old style authentication, 445 for Windows authentication, etc...) in an attempt to hijack your machine.

That is what bots do. They scan for other machines to exploit and infect.

How do they do this? By taking advantage of a security hole in your machine. You ever hear of a 'buffer overflow'? This is an easy way to break into a machine.

Wait. I have a firewall. OH? Big deal if it's a software firewall. They have bugs that can be exploited too. Oh, and your machine could still be exploited by a bot even if you have a software firewall. This is why hardware firewalls are much better to have.

Any connection to the internet will get hit by these bot scans. If you have broadband then you'll just get hit faster and more often. Patch your machine's OS, patch the applications, and put a hardware firewall up. With the hardware firewall up your PC will not even see that scanning traffic anymore. That hardware firewall will simply block it and save the precious CPU cycles on your PC. ;)

RJ
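
Added example, not part of the original thread and not anybody's posted code: it applies the points made in Brian's and RJ's replies above (a source in 10/8, 172.16/12 or 192.168/16 is RFC 1918 space where WHOIS stops at IANA, and a ping followed by connection attempts on ports like 21, 80, 135-139 and 445 is the bot-scan pattern) to firewall log lines. The key=value log format and the sample records are constructed for the demo; the destination address is an RFC 5737 documentation address standing in for a subscriber's public IP, and the source addresses are the ones listed in this thread. Adapt the regex to whatever your router actually writes.

```python
import ipaddress
import re
from collections import defaultdict

# The three RFC 1918 blocks. A WHOIS lookup on any of these returns only IANA,
# so there is nobody upstream to complain to about a source inside them.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports RJ names as the usual follow-up targets once a host answers a ping.
PROBE_PORTS = {21, 80, 135, 136, 137, 138, 139, 445}

# Hypothetical key=value log format; real routers differ, so adapt the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: sport=(?P<sport>\d+) dport=(?P<dport>\d+))?"
)

# Constructed sample log (not the poster's real log). The destination is an
# RFC 5737 documentation address standing in for the subscriber's public IP.
SAMPLE_LOG = """\
2008-09-30 20:19:24 DROP src=10.217.224.1 dst=203.0.113.45 proto=UDP sport=67 dport=68
2008-09-30 20:19:29 DROP src=10.217.224.1 dst=203.0.113.45 proto=UDP sport=67 dport=68
2008-09-30 20:19:31 DROP src=59.63.25.161 dst=203.0.113.45 proto=ICMP
2008-09-30 20:19:32 DROP src=59.63.25.161 dst=203.0.113.45 proto=TCP sport=4412 dport=445
2008-09-30 20:19:32 DROP src=59.63.25.161 dst=203.0.113.45 proto=TCP sport=4413 dport=139
2008-09-30 20:19:40 DROP src=222.151.2.46 dst=203.0.113.45 proto=TCP sport=5120 dport=80
this line is not a firewall record and is skipped
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_log(text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport"):
            ev[key] = int(ev[key]) if ev[key] is not None else None
        events.append(ev)
    return events


def analyse(text: str) -> dict:
    """Per-source summary: private or not, whether it pinged, which listed ports it probed."""
    seen = defaultdict(lambda: {"pinged": False, "ports": set(), "hits": 0})
    for ev in parse_log(text):
        s = seen[ev["src"]]
        s["hits"] += 1
        if ev["proto"] == "ICMP":
            s["pinged"] = True
        elif ev["dport"] in PROBE_PORTS:
            s["ports"].add(ev["dport"])

    report = {}
    for src, s in seen.items():
        if is_rfc1918(src):
            verdict = "private-source"    # WHOIS is a dead end; the sender is on the ISP's side
        elif s["pinged"] and s["ports"]:
            verdict = "ping-then-probe"   # the bot pattern RJ describes
        elif s["ports"]:
            verdict = "probe-only"
        else:
            verdict = "quiet"
        report[src] = {
            "private": is_rfc1918(src),
            "hits": s["hits"],
            "pinged": s["pinged"],
            "probed_ports": sorted(s["ports"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(f"{src:16} {info['verdict']:16} hits={info['hits']} ports={info['probed_ports']}")
```

Running it on the sample prints 10.217.224.1 as private-source (two hits on UDP/68, no ports from the probe list), 59.63.25.161 as ping-then-probe (ICMP, then 445 and 139), and 222.151.2.46 as probe-only. A source that only ever reaches UDP/68 from port 67 never trips the scan rule, which matches how the thread eventually reads that address.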


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:26:30 PM
the local port is 68 - the protocol is UDP. Roadrunner is Cable.  I do get THREATS caught by my firewall on RARE occasions - do not understand or want to know what the differences are - all I know is I am getting EXTREME activity from one source.
other IP trying to access
59.63.25.161   another IANA
222.151.2.46   ditto
221.208.208.97 ditto
202.97.238.202  ditto
  When you do a backtrace - does that signal go back to the originator? do they get a hit on their logs?


Title: Re: IP address 10.217.224.1
Post by: SAT (aka GANDHI) on September 30, 2008, 08:27:07 PM
port 68 is a DHCP client request.  These are machines looking to get an IP address from a server.  I would think that would be "normal" activity on a cable network, as I'm sure people's computers are asking for IPs as they turn them on.
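
Added example to go with the last two posts; it is not code from anyone in the thread. DHCP runs over UDP with servers on port 67 and clients on port 68, so packets arriving at local port 68 from a 10.x address are on the port a DHCP server talks to, and the quickest way to settle what they are is to decode one. The block below builds a DHCPOFFER in memory (a constructed packet, not a capture; the server identifier 10.217.224.1 and the offered address 203.0.113.45 are assumptions for the demo) and parses it back, which is the same parser you would point at a real UDP/68 payload pulled out of a sniffer.

```python
import struct
import ipaddress

DHCP_SERVER_PORT = 67  # servers listen here; clients send DISCOVER/REQUEST to it
DHCP_CLIENT_PORT = 68  # clients listen here; servers send OFFER/ACK/NAK to it
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes, fixed part of the message
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def direction(sport: int, dport: int) -> str:
    """Which side of a DHCP exchange a UDP flow belongs to, judged by the ports."""
    if sport == DHCP_SERVER_PORT and dport == DHCP_CLIENT_PORT:
        return "server->client"
    if sport == DHCP_CLIENT_PORT and dport == DHCP_SERVER_PORT:
        return "client->server"
    return "not-dhcp-ports"


def build_offer(xid: int, yiaddr: str, server_id: str, mac: bytes) -> bytes:
    """Constructed DHCPOFFER used as demo input (not a captured packet)."""
    header = struct.pack(
        BOOTP_HEADER,
        2, 1, 6, 0,                           # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                       # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,                            # ciaddr: client has no address yet
        ipaddress.ip_address(yiaddr).packed,  # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,                 # siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (
        b"\x35\x01\x02"                                         # 53: message type OFFER
        + b"\x36\x04" + ipaddress.ip_address(server_id).packed  # 54: server identifier
        + b"\x33\x04" + struct.pack("!I", 3600)                 # 51: lease time in seconds
        + b"\xff"                                               # 255: end of options
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV options of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    addrs = [str(ipaddress.ip_address(payload[o:o + 4])) for o in (12, 16, 20, 24)]
    chaddr = payload[28:28 + min(hlen, 16)]

    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):  # length byte missing: malformed
            raise ValueError("truncated option at offset %d" % i)
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length

    opt53 = options.get(53, b"")
    server_id = options.get(54)
    lease = options.get(51)
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "unknown"),
        "xid": xid,
        "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
        "chaddr": chaddr.hex(":"),
        "msg_type": MSG_TYPES.get(opt53[0], "unknown") if opt53 else "unknown",
        "server_id": str(ipaddress.ip_address(server_id)) if server_id else None,
        "lease_seconds": struct.unpack("!I", lease)[0] if lease else None,
    }


if __name__ == "__main__":
    pkt = build_offer(0x3903F326, "203.0.113.45", "10.217.224.1", bytes.fromhex("001122334455"))
    print(direction(67, 68), parse_dhcp(pkt))
```

If a real UDP/68 payload decodes as BOOTREPLY with a server identifier in the 10.x range, the sender is a DHCP server on the provider's side of the network, and dropping it at your own firewall is harmless as long as your own machine is not the one that needs a lease from it. If it does not start with the magic cookie at offset 236 the parser refuses it, which is the cue to look harder at what else is being sent to that port.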