Portscan from reserved IP

Discussion in 'Computer Support' started by Dan, Mar 8, 2006.

  1. Dan

    Dan Guest

    mkay, here we go

    I have just received the 4th alert from norton firewall about a portscan
    from a "reserved IP address".

    I only know it's reserved because I entered the IP lookup into
    http://internetfrog.com/myinternet/dnslookup/index.asp

    IP address is 213.230.230.234, the last tracert I did yesterday came up with
    nothing.

    Anyone have a clue what's going on here? I sure don't.

    This doesn't really concern me a great deal, I'm just really really curious
    as to why an apparently reserved (non-existent) computer is port scanning
    me.

    Point of note, ports scanned are : 1034, 1026, 1031

    Any advice or info appreciated.

    Cheers.

    Dan
     
    Dan, Mar 8, 2006
    #1

  2. Dan

    Trax Guest

    |>mkay, here we go
    |>
    |>I have just received the 4th alert from norton firewall about a portscan
    |>from a "reserved IP address".
    |>
    |>I only know it's reserved because I entered the IP lookup into
    |>http://internetfrog.com/myinternet/dnslookup/index.asp
    |>
    |>IP address is 213.230.230.234, the last tracert I did yesterday came up with
    |>nothing.
    |>

    Call him and ask:
    person: Phillip Baker
    remarks: Please do not contact me directly for abuse
    remarks: issues - instead please use
    abuse-mailbox: *****@lchost.net
    address: Low Cost Host Ltd
    address: PO Box 11
    address: Brighouse
    address: West Yorkshire
    address: HD6 1NH
    address: United Kingdom
    e-mail: ****@lchost.co.uk
    phone: +44 (0)7793 228080

    http://www.dnsstuff.com/tools/whois.ch?ip=213.230.230.234
    |
    |>This doesn't really concern me a great deal, I'm just really really curious
    |>as to why an apparently reserved (non-existent) computer is port scanning
    |>me.
    |>
    |>Point of note, ports scanned are : 1034, 1026, 1031
    |>
    |>Any advice or info appreciated.
    |>
    |>Cheers.
    |>
    |>Dan
    |>
     
    Trax, Mar 8, 2006
    #2

  3. Dan

    why? Guest

    How is it reserved? Looking at the info it's an assigned address, as
    Trax pointed out, the frog page shows its allocation to RIPE, then to
    an ISP.
    That means nothing, the traceroute didn't work, it timed out on the last
    hops or what.

    A clue about what? There is contact info in the frog page and without
    any traceroute output it's not easy to guess.
    How is it non-existent, I see a trace stopping at
    9 156 ms 125 ms 79 ms 101.gi1-2.rt0.the.core.lchost.net [213.230.194.21]

    Maybe they just disabled the ICMP (traceroute reply messages) thus no
    reply and the traceroute times out, that doesn't mean other types of
    traffic are blocked.
    A guide to services and assigned ports
    http://www.iana.org/assignments/port-numbers

    activesync 1034/tcp ActiveSync Notifications
    cap 1026/tcp Calendar Access Protocol
    iad2 1031/tcp BBN IAD

    Although there are assigned / registered ports that doesn't stop anyone
    from using port numbers as they wish, then the numbers / service
    doesn't matter or help in resolving the issue.

    If you try a couple of www.google.com for

    port scan 1034

    port scan 1026

    etc., you should start to see other reports / patterns of what's
    scanning you.

    However as Trax pointed out, you could report it to the ISP.
    Me
     
    why?, Mar 8, 2006
    #3
  4. Dan

    Dan Guest

    NOT 231.etc
     
    Dan, Mar 8, 2006
    #4
  5. Dan

    why? Guest

    Um... big difference, that's the multicast address range.

    http://en.wikipedia.org/wiki/Multicast_address


    www.dnsstuff.com should have an entry,

    http://www.dnsstuff.com/tools/ipall.ch?domain=225.230.230.234
    IP address: 225.230.230.234
    Reverse DNS: [No reverse DNS entry per dot.ep.net.]
    Reverse DNS authenticity: [Unknown]
    ASN: 0
    ASN Name: IANA-RSVD-0
    IP range connectivity: 0
    Registrar (per ASN): Unknown
    Country (per IP registrar): *M [[Multicast]]
    Country Currency: Unknown
    Country IP Range: 224.0.0.0 to 239.255.255.255
    Country fraud profile: Normal
    City (per outside source): Unknown
    Private (internal) IP? Yes
    IP address registrar: whois.arin.net
    Known Proxy? No


    Me
     
    why?, Mar 8, 2006
    #5
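
    The address-type check discussed in this thread, as an added example that is not part of any poster's reply: it classifies a firewall alert's source address with Python's standard ipaddress module and says what each class implies for triage. The alert line format, the timestamps, the last two sample sources and the advice wording are constructed assumptions, not Norton's real log output.

```python
import ipaddress
import re

# Constructed sample alerts; "src=... ports=..." is an assumed format,
# not the real Norton firewall log layout.
SAMPLE_ALERTS = [
    "2006-03-08 21:14:02 portscan src=213.230.230.234 ports=1034,1026,1031",
    "2006-03-08 21:20:45 portscan src=225.230.230.234 ports=1034,1026,1031",
    "2006-03-08 21:31:10 portscan src=192.168.1.20 ports=1026",
    "2006-03-08 21:40:00 portscan src=240.0.0.9 ports=1031",
]
ALERT_RE = re.compile(r"src=(?P<src>\S+)\s+ports=(?P<ports>[\d,]+)")

ADVICE = {
    "multicast": "never valid as a source (RFC 1122): spoofed or misreported; check direction",
    "loopback": "should never arrive from the network: spoofed or local software",
    "link-local": "only valid on the local segment",
    "reserved": "240.0.0.0/4 is not routed on the Internet: spoofed",
    "private": "RFC 1918 space: comes from your own LAN/router or is spoofed",
    "public-unicast": "assigned address: use whois and the ISP abuse contact",
    "invalid": "not an IP address: parser or log problem",
}

def classify_source(addr: str) -> str:
    """Return the address class that matters for alert triage."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # Order matters: Python also reports 240.0.0.0/4 as is_private,
    # so the narrower classes are tested first.
    if ip.is_multicast:        # 224.0.0.0 to 239.255.255.255
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_reserved:         # IETF-reserved 240.0.0.0/4
        return "reserved"
    if ip.is_private:
        return "private"
    return "public-unicast"

def triage(line: str):
    """Parse one alert line; return None if it has no src/ports fields."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    kind = classify_source(m.group("src"))
    ports = [int(p) for p in m.group("ports").split(",") if p]
    return {"src": m.group("src"), "kind": kind, "ports": ports, "advice": ADVICE[kind]}
```
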
  6. Dan

    Dan Guest


    So, what does this mean?

    I'm not networked in a LAN so that's discounted, who or what is using this
    IP address?

    again, sorry for the bad info last night.

    Dan.
     
    Dan, Mar 8, 2006
    #6
  7. Dan

    why? Guest

    Multicast is used in this type of setup, a web cast of a concert. As the
    video server most likely wouldn't cope with many 1000's of connections
    the content is sent out on a special address.

    Something that listens on a multicast address would see the video and
    play it. A system that isn't listening should ignore it.
    The above is just the same type of info :), you are not networked on a
    LAN, but you have a network card / TCP/IP and firewall software
    monitoring so it alerted you to this address.

    So what about the direction this traffic is going?

    The norton alert was traffic from the mcast address, do you mean the
    'mcast address was X and it's going out' or 'it's incoming from that
    address'

    If it's outgoing from your PC, doesn't NFW give the application name?
    Me
     
    why?, Mar 10, 2006
    #7