#1

I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
Gold, Norton 2004, and SpyWatcher.

I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
which Whois says is the Internet Authority for Assigned Numbers.
According to the traffic log, IANA is constantly trying to UDP my
computer.

I have two questions. Why is IANA doing this? And should I continue
to block it?

Needless to say I am a clueless newbie. TIA for any advice/info.

Noaccount

#2

On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
wrote:

>I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
>Gold, Norton 2004, and SpyWatcher.
>
>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
>which Whois says is the Internet Authority for Assigned Numbers.
>According to the traffic log, IANA is constantly trying to UDP my
>computer.
>
>I have two questions. Why is IANA doing this? And should I continue
>to block it?
>
>Needless to say I am a clueless newbie. TIA for any advice/info.

IANA is in charge of allocating groups of IP numbers and the block
10.0.0.0 .. 10.255.255.255 is allocated to user networks. It's non
routable so that address is probably in use by something you have
or if you are on a cable connection using that address block
some other user of the service.

So look closer to home for the source
--
Jim Watt
http://www.gibnet.com

Jim Watt

#3

Jim Watt wrote:
> On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
> wrote:
>
>
>>I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
>>Gold, Norton 2004, and SpyWatcher.
>>
>>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
>>which Whois says is the Internet Authority for Assigned Numbers.
>>According to the traffic log, IANA is constantly trying to UDP my
>>computer.
>>
>>I have two questions. Why is IANA doing this? And should I continue
>>to block it?
>>
>>Needless to say I am a clueless newbie. TIA for any advice/info.
>
>
> IANA is in charge of allocating groups of IP numbers and the block
> 10.0.0.0 .. 10.255.255.255 is allocated to user networks. It's non
> routable so that address is probably in use by something you have
> or if you are on a cable connection using that address block
> some other user of the service.
>
> So look closer to home for the source
> --
> Jim Watt
> http://www.gibnet.com

Also, I fairly regularly see udp traffic with a source address of
10.x.x.x that contains the payload of the SQL-Slammer/Sapphire worm.
Does Sygate tell you what UDP port it is trying to connect to? If it's
1433 or 1434 I'm sure you can/should block it. While ISPs should filter
such non-routable addresses, many don't examine the source address.

Mark

Mark

#4

In the Usenet newsgroup alt.computer.security, in article
<>, Noaccount wrote:

>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
>which Whois says is the Internet Authority for Assigned Numbers.

Through RFC1918, IANA has allocated 10.0.0.0 - 10.255.255.255 (as well
as 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255) for
use by anyone on a LOCAL network. In your case, your ISP is using the
addresses for internal purposes. Addresses in these ranges should be
dropped when they attempt to leave the ISP. Many cable setups use
local addresses in 192.168.1.0 - 192.168.1.255 for the same reason,
and with the same restrictions - those addresses are not to leave the
LOCAL area. Your ISP _should_ be dropping packets with these addresses
at their border (see RFC2827).

>According to the traffic log, IANA is constantly trying to UDP my
>computer.

There are 65,000 different services that can use UDP (the same as TCP),
everything from DNS (which you need) to windoze messenger spam (which you
probably don't want). You have to be more specific, and identify from/to
the "Port" number this traffic is using.

>I have two questions. Why is IANA doing this?

They are not - it's _probably_ your ISP, though there isn't enough detail
in your post.

>And should I continue to block it?

Is your connection to the Internet working? If no, then maybe you shouldn't
be blocking the UDP. If yes, the packets are not needed, and can be blocked
without further thought.

>Needless to say I am a clueless newbie. TIA for any advice/info.

The logging of blocked packets is generally a waste of CPU cycles and disk
space. Most of these personal firewalls delight in telling the user that
some host in Korea or Kenya attempted to connect to a trojan that they don't
have installed. Your firewall blocked it - end of story. If you are having
problems with the Internet, _then_ you should turn on logging and observe.
For the rest of the time - turn it off, and ignore.

Old guy

Moe Trin
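
An added example, not part of the original thread: a short Python script that checks whether the source addresses in blocked-packet log entries fall inside the RFC 1918 ranges listed in the post above, and tallies them by protocol and destination port, which is the detail the replies ask for. The log line format and the sample entries are constructed for illustration and are not Sygate's actual log format.

```python
import ipaddress
import re
from collections import Counter

# The three private blocks from RFC 1918, as listed in the post above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format (an assumption, not Sygate's real format):
#   <date> <time> BLOCK <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^\S+ \S+ BLOCK (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample entries; only 10.96.64.1 is taken from the thread.
SAMPLE_LOG = """\
2005-09-21 00:41:02 BLOCK UDP 10.96.64.1:67 -> 255.255.255.255:68
2005-09-21 00:41:32 BLOCK UDP 10.96.64.1:67 -> 255.255.255.255:68
2005-09-21 00:43:10 BLOCK UDP 10.12.3.4:1025 -> 192.0.2.10:1434
2005-09-21 00:44:55 BLOCK TCP 198.51.100.7:4012 -> 192.0.2.10:445
not a log line
"""

def private_block(addr):
    """Return the RFC 1918 network containing addr, or None if outside them."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in RFC1918 if ip in net), None)

def summarize(log_text):
    """Count blocked packets per (source, block, protocol, destination port),
    keeping only sources in private space. Unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        try:
            net = private_block(m["src"])
        except ValueError:  # digits and dots that are not a valid IPv4 address
            continue
        if net is not None:
            counts[(m["src"], str(net), m["proto"], int(m["dport"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, net, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src} (in {net}) {proto} dst port {dport}: {n} blocked")
```

A source inside one of these blocks cannot be attributed through Whois, since the registry entry only records the reservation; the destination port is what identifies the traffic.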

#5

If the user has a router in his house, could the 10.x.x.x traffic be
coming from it?

Moe Trin wrote:
> In the Usenet newsgroup alt.computer.security, in article
> <>, Noaccount wrote:
>
>
>>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
>>which Whois says is the Internet Authority for Assigned Numbers.
>
>
> Through RFC1918, IANA has allocated 10.0.0.0 - 10.255.255.255 (as well
> as 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255) for
> use by anyone on a LOCAL network. In your case, your ISP is using the
> addresses for internal purposes. Addresses in these ranges should be
> dropped when they attempt to leave the ISP. Many cable setups use
> local addresses in 192.168.1.0 - 192.168.1.255 for the same reason,
> and with the same restrictions - those addresses are not to leave the
> LOCAL area. Your ISP _should_ be dropping packets with these addresses
> at their border (see RFC2827).
>
>
>>According to the traffic log, IANA is constantly trying to UDP my
>>computer.
>
>
> There are 65,000 different services that can use UDP (the same as TCP),
> everything from DNS (which you need) to windoze messenger spam (which you
> probably don't want). You have to be more specific, and identify from/to
> the "Port" number this traffic is using.
>
>
>>I have two questions. Why is IANA doing this?
>
>
> They are not - it's _probably_ your ISP, though there isn't enough detail
> in your post.
>
>
>>And should I continue to block it?
>
>
> Is your connection to the Internet working? If no, then maybe you shouldn't
> be blocking the UDP. If yes, the packets are not needed, and can be blocked
> without further thought.
>
>
>>Needless to say I am a clueless newbie. TIA for any advice/info.
>
>
> The logging of blocked packets is generally a waste of CPU cycles and disk
> space. Most of these personal firewalls delight in telling the user that
> some host in Korea or Kenya attempted to connect to a trojan that they don't
> have installed. Your firewall blocked it - end of story. If you are having
> problems with the Internet, _then_ you should turn on logging and observe.
> For the rest of the time - turn it off, and ignore.
>
> Old guy

Foggy

#6

On Wed, 21 Sep 2005 00:47:38 -0500, Noaccount <>
wrote:

>I have Win XP SP2 and use Sygate Personal Firewall Pro, SpyCleaner
>Gold, Norton 2004, and SpyWatcher.
>
>I have noticed that Sygate keeps blocking incoming UDP from 10.96.64.1
>which Whois says is the Internet Authority for Assigned Numbers.
>According to the traffic log, IANA is constantly trying to UDP my
>computer.
>
>I have two questions. Why is IANA doing this? And should I continue
>to block it?
>
>Needless to say I am a clueless newbie. TIA for any advice/info.

Thank you all for the replies.

I am not on a router. I have a direct cable connection.

I am not having any trouble connecting or surfing the internet.

I regularly go to Shields Up and it always says that I am in
"Stealth Mode" and that my first 1056 ports do not respond to their
probe. Is this OK?

My AV and SpyCleaner, Spy Bot etc say that I have no bugs so maybe I
am OK ???

Again, Thank You

Noaccount

#7

In the Usenet newsgroup alt.computer.security, in article
<iTkYe.94748$>, Foggy wrote:

>If the user has a router in his house, could the 10.x.x.x traffic be
>coming from it?

Sure, but I'm not aware of too many routers that use 10.x.x.x, mainly
because that address range is often used by ISPs. Most routers and
modems use 192.168.x.y/24 just for that reason. The 172.16.0.0/12 range
is also available, but is rarely used. Funny, but one of my dialin ISPs
uses 192.168.19x.x/23 (not a typo) for the terminal servers (the boxes
you dial into), and 172.16.16.x/24 for the customer accessible DNS and
mail services. No idea why they chose 172.16 but it might have been a
network mask compatibility problem.

Were this the O/P's own home network, you'd think he'd be aware of the
local use of 10.x.x.x, and wouldn't be asking about it.

Old guy

Moe Trin

#8

Noaccount wrote:

> I regularly go to Shields Up and it always says that I am in
> "Stealth Mode" and that my first 1056 ports do not respond to their
> probe. Is this OK?

This is desired so long as you are not running an Internet server. I
suspect though this is being done at your ISP firewall. You should
ensure that you have your firewall set to block inbound ports below 1024
at your home network perimeter to prevent other individuals on your
cable company's network from exploiting your system. I am not sure why
you're blocked to 1056 though. Insights anyone?

Winged

Winged

#9

On Wed, 21 Sep 2005 19:29:26 -0500,
(Moe Trin) wrote:

>Sure, but I'm not aware of too many routers that use 10.x.x.x.

Those using the Conexant chip set do, but their default is 10.0.0.2
--
Jim Watt
http://www.gibnet.com

Jim Watt

#10

On Wed, 21 Sep 2005 22:21:01 -0500, Winged <>
wrote:

>Noaccount wrote:
>
>> I regularly go to Shields Up and it always says that I am in
>> "Stealth Mode" and that my first 1056 ports do not respond to their
>> probe. Is this OK?
>
>
>This is desired so long as you are not running an Internet server. I
>suspect though this is being done at your ISP firewall. You should
>ensure that you have your firewall set to block inbound ports below 1024
>at your home network perimeter to prevent other individuals on your
>cable company's network from exploiting your system. I am not sure why
>you're blocked to 1056 though. Insights anyone?

What would be useful would be to do start>run>cmd
then run ipconfig and post the results you get.

As it's a cable system chances are the IP range is 10.x.x.x
and the 'intruder' is most likely an innocent device on the
network or perhaps someone trying to be intrusive, either
way if ZA is blocking it, no need to worry.
--
Jim Watt
http://www.gibnet.com

Jim Watt