ICMP and port 16384 problem

Discussion in 'Network Routers' started by RobR, Jan 31, 2006.

  1. RobR Guest

    I happened to fire up a network sniffer on my PC
    last night to try and troubleshoot a problem and
    discovered something that I'm stumped on.

    I'm seeing TONS of traffic to a port and IP
    and I don't know what's causing it. This is
    on an XP machine, so the first thing I did
    was a netstat to see what application was
    causing this (I was assuming virus at this
    point), but nothing came up. Then I ran
    TCPView from Sysinternals, which shows
    me all TCP/IP traffic in real time and the Windows
    process generating it. Again nothing. Next I
    thought maybe someone is ICMPing me,
    so I checked my router to make sure the
    NAT wasn't forwarding the port to my PC,
    nope. Any ideas? Here's a piece of the
    sniffer log, there's dozens of these every
    second - I have no idea who 65.6.181.87 is:

    1 0.000000 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    2 0.000034 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    3 0.029063 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    4 0.029098 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    5 0.059852 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    6 0.059883 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    7 0.089441 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
    8 0.089486 192.168.2.103 65.6.181.87 ICMP
    Destination unreachable (Port unreachable)
    9 0.120482 65.6.181.87 192.168.2.103 UDP
    Source port: 16384 Destination port: 16384
     
    RobR, Jan 31, 2006
    #1
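The capture excerpt above has a very recognisable shape: an inbound UDP datagram, then an ICMP "port unreachable" from the local host a few microseconds later, repeated dozens of times a second. The ICMP reply is generated by the kernel precisely because nothing is bound to udp/16384, which is why netstat and TCPView show no owning process. The following Python script is an added example, not something posted in the thread: it parses that two-line-per-frame listing, pairs each inbound datagram with the ICMP bounce the stack sends back, and reports the flow and its rate. The sample data is the nine frames quoted in the post; the function and field names are this example's own.

```python
import re
from collections import Counter

# Capture excerpt copied from the post above: one header line per frame
# ("no time src dst proto") followed by one detail line.
CAPTURE = """\
1 0.000000 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
2 0.000034 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
3 0.029063 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
4 0.029098 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
5 0.059852 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
6 0.059883 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
7 0.089441 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
8 0.089486 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
9 0.120482 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
"""

HEADER_RE = re.compile(
    r"^(\d+)\s+(\d+\.\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(UDP|ICMP)\b(.*)$"
)
PORTS_RE = re.compile(r"Source port:\s*(\d+)\s+Destination port:\s*(\d+)")


def parse_capture(text):
    """Turn the listing into a list of frame dicts. Detail text that follows a
    header line (on the same line or the next one) is attached to that frame."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            frames.append({"no": int(m[1]), "t": float(m[2]), "src": m[3],
                           "dst": m[4], "proto": m[5], "info": m[6].strip()})
        elif frames:
            frames[-1]["info"] = (frames[-1]["info"] + " " + line).strip()
    for f in frames:
        pm = PORTS_RE.search(f["info"])
        f["sport"], f["dport"] = (int(pm[1]), int(pm[2])) if pm else (None, None)
    return frames


def pair_udp_with_icmp(frames, local_ip, window=0.005):
    """For every UDP datagram addressed to local_ip, find the ICMP port-unreachable
    the local stack sends back within `window` seconds. A bounce means no socket
    is bound to that port: the kernel answered, not an application."""
    pairs = []
    for i, f in enumerate(frames):
        if f["proto"] != "UDP" or f["dst"] != local_ip:
            continue
        reply = None
        for g in frames[i + 1:]:
            if g["t"] - f["t"] > window:
                break
            if (g["proto"] == "ICMP" and g["src"] == local_ip and g["dst"] == f["src"]
                    and "Port unreachable" in g["info"]):
                reply = g
                break
        pairs.append((f, reply))
    return pairs


def summarize(frames, local_ip):
    pairs = pair_udp_with_icmp(frames, local_ip)
    udp = [f for f, _ in pairs]
    flows = Counter((f["src"], f["sport"], f["dport"]) for f in udp)
    span = udp[-1]["t"] - udp[0]["t"] if len(udp) > 1 else 0.0
    return {
        "inbound_udp": len(udp),
        "bounced": sum(1 for _, r in pairs if r is not None),
        "rate_pps": (len(udp) - 1) / span if span > 0 else 0.0,  # rate over the observed interval
        "flows": flows,
    }


if __name__ == "__main__":
    s = summarize(parse_capture(CAPTURE), "192.168.2.103")
    for (src, sport, dport), n in s["flows"].items():
        print(f"{src}:{sport} -> udp/{dport}: {n} datagrams, "
              f"{s['bounced']} bounced with ICMP port unreachable, ~{s['rate_pps']:.0f} pps")
```

On the nine frames from the post this reports a single flow from 65.6.181.87:16384 to udp/16384 at roughly 33 datagrams per second, every one of them bounced (the last frame simply has no reply in the excerpt). The same pairing logic run over a longer capture tells you immediately whether the sender backs off after the ICMP errors or keeps going regardless, as it did here.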

  2. kevincw01 Guest

    Well, i'm not sure what it is but I can tell you who it's coming from
    and who to contact to stop it:
    Reverse Lookup Results
    Host Type Value
    87.181.6.65.in-addr.arpa PTR adsl-065-006-181-087.sip.bct.bellsouth.net
    181.6.65.in-addr.arpa NS auth01.dns.bellsouth.net
    181.6.65.in-addr.arpa NS auth02.dns.bellsouth.net
    181.6.65.in-addr.arpa NS auth00.dns.bellsouth.net
    auth01.dns.bellsouth.net A 205.152.144.187
    auth02.dns.bellsouth.net A 205.152.132.187
    auth00.dns.bellsouth.net A 205.152.37.187
    IP Address Contact Information

    OrgName: BellSouth.net Inc.
    OrgID: BELL
    Address: 575 Morosgo Drive
    City: Atlanta
    StateProv: GA
    PostalCode: 30324
    Country: US

    ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

    NetRange: 65.0.0.0 - 65.15.255.255
    CIDR: 65.0.0.0/12
    NetName: BELLSNET-BLK15
    NetHandle: NET-65-0-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.BELLSOUTH.NET
    NameServer: NS.ATL.BELLSOUTH.NET
    Comment:
    Comment: For Abuse Issues, email abuse @ bellsouth.net. NO ATTACHMENTS. Include IP
    Comment: address, time/date, message header, and attack logs.
    Comment: For Subpoena Request, email ipoperations @ bellsouth.net with "SUBPOENA" in
    Comment: the subject line. Law Enforcement Agencies ONLY, please.
    RegDate: 2003-12-29
    Updated: 2004-07-28

    RAbuseHandle: ABUSE81-ARIN
    RAbuseName: Abuse Group
    RAbusePhone: +1-404-499-5224
    RAbuseEmail: abuse @ bellsouth.net

    RTechHandle: JG726-ARIN
    RTechName: Geurin, Joe
    RTechPhone: +1-404-499-5240
    RTechEmail: ipoperations @ bellsouth.net

    OrgAbuseHandle: ABUSE81-ARIN
    OrgAbuseName: Abuse Group
    OrgAbusePhone: +1-404-499-5224
    OrgAbuseEmail: abuse @ bellsouth.net

    OrgTechHandle: JG726-ARIN
    OrgTechName: Geurin, Joe
    OrgTechPhone: +1-404-499-5240
    OrgTechEmail: ipoperations @ bellsouth.net
     
    kevincw01, Jan 31, 2006
    #2

  3. RobR Guest

    Thanks for all the lookup info, I guess my
    big confusion is how is this even getting to
    my PC? It should be stopped at the router
    since 16384 isn't set up to NAT to my PC.
     
    RobR, Jan 31, 2006
    #3
  4. Jim Guest

    It looks like 65.6.181.87 is trying to reach port 16384 and the TCP/IP
    stack is replying with the ICMP packet that the port was unreachable. If
    your PC sent a UDP packet to 65.6.181.87 then the NAT function in the
    router will normally forward anything coming back on that port from that
    IP address to the originating PC. There are two questions here:
    1) Why are you getting this UDP traffic in the first place?
    2) Why is the router forwarding it rather than dropping it?

    You don't indicate the type of router. Is it possible that there is a
    configuration option that is causing the router to forward all traffic
    to this particular PC? I assume you don't have this PC in the DMZ. A
    Google on that port shows lots of entries related to VoIP.
    Jim
     
    Jim, Jan 31, 2006
    #4
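Jim's two questions come down to the router's UDP state: an unsolicited datagram from the WAN only reaches a LAN host if there is a matching NAT entry from an earlier outbound packet, a static forward (or a UPnP mapping an application requested), or a DMZ host. The following Python model is an added example written for this thread, not code from the thread or from any router firmware. It implements a toy address-restricted NAT (replies are let in only from the IP the LAN host sent to), assumes port-preserving mappings and a 60-second idle timeout, and walks through each of the cases the posts raise for a datagram from 65.6.181.87 to udp/16384. The class and function names are this example's own, and 203.0.113.9 is a documentation address standing in for "some other peer".

```python
from dataclasses import dataclass
from typing import Optional

INF = float("inf")


@dataclass
class Mapping:
    internal: tuple              # (lan_ip, lan_port) that receives the traffic
    remote_ip: Optional[str]     # peer allowed to send in; None = anyone (static forward / UPnP)
    expires: float               # absolute clock value; INF for static rules


class UdpNat:
    """Toy address-restricted UDP NAT, enough to show why an unsolicited datagram
    does or does not reach a LAN host. Assumptions (not taken from any real
    firmware): port-preserving mappings and a fixed idle timeout."""

    def __init__(self, dmz_host=None, idle_timeout=60.0):
        self.dmz_host = dmz_host
        self.idle_timeout = idle_timeout
        self.table = {}  # external port -> Mapping

    def outbound(self, lan_ip, lan_port, peer_ip, peer_port, now):
        # A LAN host sending UDP out creates (or refreshes) the state that lets replies in.
        self.table[lan_port] = Mapping((lan_ip, lan_port), peer_ip, now + self.idle_timeout)

    def add_forward(self, ext_port, lan_ip, lan_port):
        # A static port-forward rule, or what a UPnP AddPortMapping from a LAN host would create.
        self.table[ext_port] = Mapping((lan_ip, lan_port), None, INF)

    def inbound(self, peer_ip, ext_port, now):
        """Decide what the router does with a WAN datagram to ext_port.
        Returns (action, lan_host_or_None, reason)."""
        m = self.table.get(ext_port)
        if m is not None and m.expires > now:
            if m.remote_ip is None:
                return ("forward", m.internal, "static forward or UPnP mapping")
            if m.remote_ip == peer_ip:
                return ("forward", m.internal, "reply to an earlier outbound datagram")
            return ("drop", None, "mapping exists but was created for a different peer")
        if m is not None:
            del self.table[ext_port]  # dynamic entry has timed out
        if self.dmz_host is not None:
            return ("forward", (self.dmz_host, ext_port), "DMZ host receives all unsolicited traffic")
        return ("drop", None, "no state, no forward, no DMZ")


PEER, PC, PORT = "65.6.181.87", "192.168.2.103", 16384


def scenarios():
    """The cases raised in the thread; each entry is the router's decision for PEER -> udp/16384."""
    out = {}

    nat = UdpNat()                                   # nothing configured, PC never sent anything
    out["idle_router"] = nat.inbound(PEER, PORT, now=0.0)[0]

    nat = UdpNat(dmz_host=PC)                        # PC placed in the DMZ
    out["dmz"] = nat.inbound(PEER, PORT, now=0.0)[0]

    nat = UdpNat()
    nat.add_forward(PORT, PC, PORT)                  # port forward, or a mapping an app opened via UPnP
    out["upnp_or_forward"] = nat.inbound(PEER, PORT, now=0.0)[0]

    nat = UdpNat(idle_timeout=60.0)
    nat.outbound(PC, PORT, PEER, PORT, now=0.0)      # PC talked to the peer first
    out["after_outbound"] = nat.inbound(PEER, PORT, now=1.0)[0]
    out["after_outbound_other_peer"] = nat.inbound("203.0.113.9", PORT, now=1.0)[0]
    out["after_outbound_expired"] = nat.inbound(PEER, PORT, now=61.0)[0]
    return out


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:28s} {action}")
```

The "after_outbound" cases are the ones worth noticing: a single outbound datagram from the PC, even from a process that has since exited, is enough to open the hole for the idle timeout, which matches the observation that the traffic eventually stopped on its own. The only way to tell the three "forward" cases apart from the PC is to look at the router, which is what the later posts about checking for UPnP mappings get at.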
  5. kevincw01 Guest

    If it were VoIP then it wouldn't be connecting to a consumer DSL
    line... unless you're using Skype, which uses a P2P approach to VoIP.
    The original questions remain, however. Jim is right: unless you're in
    the DMZ (or forwarding the port), your computer must have initiated the
    connection.
     
    kevincw01, Feb 1, 2006
    #5
  6. RobR Guest

    Which was my thought, i.e. I was originating the traffic.
    I do have an IAX2 client on this PC and an Asterisk
    VoIP server at work, but the VoIP client wasn't
    running, and the IP address I was seeing wasn't
    related to any of my hardware at work, and the client
    uses port 5060. The utilities I used should
    also have shown if the traffic was related to an application
    on my PC (I double-checked the processes to make
    sure there wasn't something running in the background
    I wasn't aware of).

    The IP resolved to something with SIP in the FQDN
    which also made me think VoIP. In any event, it has
    stopped, I guess it's one of those mysteries that will
    remain unsolved, at least for now but I'll keep an eye
    out during my use of VoIP.

    The router is a Linksys WRT54G running DD-WRT v22 firmware.
    There's no easy way I'm aware of to check UPnP ports on v22
    (v23 has this but has issues) but that's a possible explanation as to
    why traffic was actually making it to my PC.

    Thanks for the help, I appreciate it.
     
    RobR, Feb 1, 2006
    #6
  7. kimi Guest

    Voip Learning and Translating Tutorial
    Voice over IP is a new communication means that lets you telephone over the
    Internet at almost no cost.
    How this is possible, what systems are used, what is the standard, all
    that is covered by this Howto.


    http://www.freewebs.com/voipformula/VoIP-HOWTO.html
     
    kimi, Feb 3, 2006
    #7
  8. RobR Guest

    Not sure why you posted that, was that supposed to be
    for my benefit?
     
    RobR, Feb 4, 2006
    #8
  9. kevincw01 Guest

    It's probably a newsgroup spam bot. Whatever you do, don't give the
    spammer traffic by clicking on the link.
     
    kevincw01, Feb 5, 2006
    #9
