DarkestDream Posted December 20, 2005

My Sygate shut down the internet access because IANA keeps pinging me, so I am not sure what is going on. I backtraced the IP address and found out that IANA is doing this. It is pinging two apps, NT Kernel & System and NDIS User Mode I/O Driver, and it is sending info to IANA too. So I created an advanced rule to block that IP address; it did, but it is still pinging the two apps. So I told the rule not to allow those accesses to the two apps, and it is blocking it. So I asked it to make a packet log of it. Amazing, it is pinging me every two min, but it is blocked already. It is all incoming, one outgoing from NDIS User Mode I/O Driver. Why is IANA doing this?
MrBill Posted December 20, 2005

> My Sygate shut down the internet access because IANA keeps pinging me, so I am not sure what is going on. I backtraced the IP address and found out that IANA is doing this. It is pinging two apps, NT Kernel & System and NDIS User Mode I/O Driver, and it is sending info to IANA too. So I created an advanced rule to block that IP address; it did, but it is still pinging the two apps. So I told the rule not to allow those accesses to the two apps, and it is blocking it. So I asked it to make a packet log of it. Amazing, it is pinging me every two min, but it is blocked already. It is all incoming, one outgoing from NDIS User Mode I/O Driver. Why is IANA doing this?

Internet Assigned Numbers Authority. Do you have a web page that you maintain? IANA
DarkestDream Posted December 20, 2005 (Author)

I have no web page at all.
CataclysmCow Posted December 30, 2005

The IANA isn't pinging you. It's hard to tell from your post, but it sounds like your machine is responding to a machine pinging you on your network. IANA is assigned the CIDR block 192.0.0.0/17. What is the address that's pinging you?

It's much more likely that you are dealing with a private block address. If you do a whois on one of these addresses it'll come up as registered to IANA. The private blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

Could you provide logs of the traffic?
DarkestDream Posted December 30, 2005 (Author)

I planned to put up the full log but it is really long. I started a packet log for that IP address. If you want the full log, I can email you; the file is over 800KB. So here is the short version of the log, I cut most of it out. This log shows the most recent entries and it is all the same.

117609 12/29/2005 17:32:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
117610 12/29/2005 17:38:12 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys
117611 12/29/2005 17:38:12 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
117612 12/29/2005 17:47:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys
117613 12/29/2005 17:47:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
117614 12/29/2005 17:50:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys
117615 12/29/2005 17:50:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
117616 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys
117617 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
isteve Posted December 30, 2005

The pings are coming from your local area network, not the internet. Are you on a wireless network?
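As an added example (not code from the thread or from any of its posters), here is a small Python checker for Sygate packet-log lines in the layout DarkestDream posted: it labels each entry as local NetBIOS broadcast (a source on your own subnet sending to the subnet broadcast address on 137/138), other RFC 1918 private-source traffic, or genuinely Internet-sourced, which is the distinction CataclysmCow and isteve draw above. The column layout, the 192.168.1.0/24 subnet and the third sample line (a made-up public-address entry) are assumptions.

```python
import ipaddress
import re

# Constructed sample in the Sygate packet-log layout DarkestDream posted:
# id, date, time, src ip, src port, dst ip, dst port, direction, action, path.
# Lines 1-2 mirror the thread; line 3 is an invented public-address entry.
SAMPLE_LOG = """\
117609 12/29/2005 17:32:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\\WINDOWS\\system32\\ntoskrnl.exe
117616 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys
900001 12/29/2005 17:55:00 68.115.142.126 33056 192.168.1.102 1550 Incoming Blocked C:\\WINDOWS\\system32\\ntoskrnl.exe
"""

LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<direction>\S+)\s+(?P<action>\S+)\s+(?P<path>.*)$"
)

# NetBIOS-over-TCP/IP ports: 137/138 sent to the subnet broadcast is routine
# Windows name-resolution and browser-election chatter from the local LAN.
NETBIOS_PORTS = {137: "name service", 138: "datagram service", 139: "session service"}


def parse_line(line):
    """Split one Sygate log line into typed fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    d = m.groupdict()
    d["src"], d["dst"] = ipaddress.ip_address(d["src"]), ipaddress.ip_address(d["dst"])
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def classify(entry, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Label an entry by where its source can actually have come from."""
    src, dst, dport = entry["src"], entry["dst"], entry["dport"]
    if src in lan and dst == lan.broadcast_address and dport in NETBIOS_PORTS:
        return "lan-netbios-broadcast"  # the subnet talking to itself
    if src.is_private:
        return "rfc1918-unicast"        # RFC 1918 source: not routable from the Internet
    return "internet"                   # public address: the only genuine outside source


def summarize(log_text, lan=ipaddress.ip_network("192.168.1.0/24")):
    # Count entries per class so the broadcast noise is visible at a glance.
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            label = classify(parse_line(line), lan)
            counts[label] = counts.get(label, 0) + 1
    return counts
```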
DarkestDream Posted December 30, 2005 (Author)

Yeah, but the pinging started a couple of weeks ago. I have been on wireless for two years, and why now?? Why not two years ago?
iccaros Posted December 30, 2005

Is your wireless encrypted..?? Also can you do a tcp dump (Ethereal is a good tool for this) and post it.. this will let us see the traffic on the system (no need to worry about IPs as you look to be running a 192.168.1.0/24 network), and just because you have had wireless for two years does not mean someone did not get in yesterday.
DarkestDream Posted December 30, 2005 (Author)

I have Ethereal, but how do I do a TCP dump with Ethereal?
iccaros Posted December 30, 2005

Sorry, TCP DUMP is a Unix tool, and like Google has been verbized... Ethereal uses the tcpdump code.. Do a capture of traffic and post it.. and keep the capture as we may ask to see some packets expanded. I'm guessing you're seeing a lot of master browser elections.. but I can't tell if I am not on the system.
DarkestDream Posted December 30, 2005 (Author)

I tried to upload the attachment of my tcp dump log but the forum won't accept a file without an extension. It needs an extension for it to upload. So which kind of format should I save it as? Can't use libpcap cuz it saves without an extension.
iccaros Posted December 31, 2005

??? txt
DarkestDream Posted December 31, 2005 (Author)

Here's the log...
DarkestDream Posted December 31, 2005 (Author)

I stopped the capture after it reached 50 KB, which is about 14 sec. I have the log packet details as displayed. Here's the file: my_tcp_file.txt
iccaros Posted December 31, 2005

What is your address? I'll bet money it's 192.168.1.102. Do you have Gnutella installed?
DarkestDream Posted December 31, 2005 (Author) (edited)

I used Gnutella a long time ago, like two years ago, and stopped using it two years ago after finding out that it is illegal to share and download copyrighted files. And I already uninstalled it two years ago too; I already checked my system to make sure there is no trace of a p2p program. The only program I used at that time was LimeWire.

That is not my address, that is IANA. That is the address I blocked in my advanced rule in Sygate. Here is what WHOIS said:

NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: [email protected]
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2005-12-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Edited December 31, 2005 by DarkestDream
iccaros Posted December 31, 2005

OK, TCP/IP lesson.. No one from a private address (aka unroutable) like 192.168.*.* can ping you from outside your network. It can't route.. it's impossible. Please read up on TCP/IP CIDR: http://searchnetworking.techtarget.com/sDe...i213850,00.html and in this case UDP port 2335 (p2p software ports). You have Gnutella running on the system.

Go to Run, type cmd, type ipconfig /all, and cut and paste and post all output of the command.

Also, looking at the logs.. I'll break this down.. you are on a switched port, meaning you can only see what is being sent to and from you.. here is one packet:

Ethernet II, Src: LinksysG_77:ed:6f (00:06:25:77:ed:6f), Dst: LinksysG_5f:9b:20 (00:0c:41:5f:9b:20)
Internet Protocol, Src: 68.115.142.126 (68.115.142.126), Dst: 192.168.1.102 (192.168.1.102)
Transmission Control Protocol, Src Port: 33056 (33056), Dst Port: 1550 (1550), Seq: 0, Ack: 0, Len: 37
Data (37 bytes)

Address 68.115.142.126 is an internet address.... not one of your computers.. Address 192.168.1.102 has to be you.... it's the only way you could see traffic from 68.115.142.126 to 68.115.142.126. There is no other way..
DarkestDream Posted December 31, 2005 (Author)

Windows IP Configuration

 Host Name . . . . . . . . . . . . : Darkest_Dream
 Primary Dns Suffix . . . . . . . :
 Node Type . . . . . . . . . . . . : Broadcast
 IP Routing Enabled. . . . . . . . : No
 WINS Proxy Enabled. . . . . . . . : No
 DNS Suffix Search List. . . . . . : crlsca.adelphia.net

Ethernet adapter Dark Messenger:

 Connection-specific DNS Suffix . : crlsca.adelphia.net
 Description . . . . . . . . . . . : Wireless-G PCI Adapter
 Physical Address. . . . . . . . . : 00-0C-41-60-B1-AB
 Dhcp Enabled. . . . . . . . . . . : Yes
 Autoconfiguration Enabled . . . . : Yes
 IP Address. . . . . . . . . . . . : 192.168.1.100
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.1.1
 DHCP Server . . . . . . . . . . . : 192.168.1.1
 DNS Servers . . . . . . . . . . . : 67.21.13.7
                                     67.21.13.6
 Lease Obtained. . . . . . . . . . : Saturday, December 31, 2005 9:41:42 AM
 Lease Expires . . . . . . . . . . : Sunday, January 01, 2006 9:41:42 AM
DarkestDream Posted December 31, 2005 (Author)

For some reason, I can't release my IP address. It asked me to specify which adapter. I typed

ipconfig /release Wireless-G PCI Adapter

so it said it's wrong, so then I typed

ipconfig /release Dark Messenger

and it still is not releasing, it just said it's wrong. Even if I try without the name, it still needs a network name.
TheTerrorist_75 Posted December 31, 2005

Just use ipconfig to see what the adapter name is. Ipconfig WinXP
DarkestDream Posted December 31, 2005 (Author) (edited)

Windows IP Configuration

The operation failed as no adapter is in the state permissible for this operation.

It didn't like me.

Edited December 31, 2005 by DarkestDream
DarkestDream Posted January 2, 2006 (Author)

Looks like it stopped. I just checked the packet log yesterday and today, and nothing is pinging me. That's a good thing, but let's see later; hoping it stopped.