IANA Keeps Pinging Me... Is This Normal?



My Sygate shut down the internet access because IANA keeps pinging me, so I am not sure what is going on. I backtraced the IP address and found out that IANA is doing this. It is pinging two apps, NT Kernel & System and NDIS User mode I/O Driver, and it is sending info to IANA too. So I created an advanced rule to block that IP address; it did, but it is still pinging the two apps. So I told the rule not to allow access to those two apps, and it is blocking it. So I asked it to make a packet log of it. Amazing, it is pinging me every two min, but it is blocked already. It is all incoming, with one outgoing from NDIS User Mode I/O Driver.

Why is IANA doing this?


Internet Assigned Numbers Authority

Do you have a web page that you maintain?

IANA

  • 2 weeks later...

The IANA isn't pinging you. It's hard to tell from your post, but it sounds like your machine is responding to a machine pinging you on your network. IANA is assigned the CIDR block 192.0.0.0/17. What is the address that's pinging you?

It's much more likely that you are dealing with a private block address. If you do a whois on one of these addresses it'll come up as registered to IANA. The private blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

Could you provide logs of the traffic?


I planned to post a full log, but it is really long. I started a packet log for that IP address. If you want a full log, I can email it to you; the file is over 800KB. So here is the short version of the log; I cut most of it out. This log shows the most recent entries, and they are all the same.

117609 12/29/2005 17:32:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe

117610 12/29/2005 17:38:12 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys

117611 12/29/2005 17:38:12 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe

117612 12/29/2005 17:47:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys

117613 12/29/2005 17:47:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe

117614 12/29/2005 17:50:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys

117615 12/29/2005 17:50:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe

117616 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys

117617 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe


Is your wireless encrypted?

Also, can you do a tcp dump (Ethereal is a good tool for this) and post it? This will let us see the traffic on the system (no need to worry about IPs, as you look to be running a 192.168.1.0/24 network).

And just because you have had wireless for two years does not mean someone did not get in yesterday.


Sorry, TCP DUMP is a Unix tool, and like Google it has been verbized... Ethereal uses the tcp dump code.

Do a capture of traffic and post it, and keep the capture as we may ask to see some packages expanded.

I'm guessing you're seeing a lot of master browser elections, but I can't tell if I am not on the system.


What is your address? I'll bet money it's 192.168.1.102.

Do you have gnutella installed?


I used gnutella a long time ago, like two years ago, and stopped using it two years ago after finding out that it is illegal to share and download copyrighted files.

And I already uninstalled it two years ago too; I already checked my system to make sure there is no trace of a p2p program. The only program I used at that time was LimeWire.

That's not my address, that is IANA. That's the address I blocked in my advanced rule in Sygate. Here is what WHOIS said:

NetRange: 192.168.0.0 - 192.168.255.255

CIDR: 192.168.0.0/16

NetName: IANA-CBLK1

NetHandle: NET-192-168-0-0-1

Parent: NET-192-0-0-0-0

NetType: IANA Special Use

NameServer: BLACKHOLE-1.IANA.ORG

NameServer: BLACKHOLE-2.IANA.ORG

Comment: This block is reserved for special purposes.

Comment: Please see RFC 1918 for additional information.

Comment:

RegDate: 1994-03-15

Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN

OrgAbuseName: Internet Corporation for Assigned Names and Number

OrgAbusePhone: +1-310-301-5820

OrgAbuseEmail: [email protected]

OrgTechHandle: IANA-IP-ARIN

OrgTechName: Internet Corporation for Assigned Names and Number

OrgTechPhone: +1-310-301-5820

OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2005-12-30 19:10

# Enter ? for additional hints on searching ARIN's WHOIS database.

Edited by DarkestDream

OK, TCP/IP lesson.

No one from a private address (aka unroutable) like 192.168.*.* can ping you from outside your network. It can't route; it's impossible. Please read up on

tcp/ip

CIDR http://searchnetworking.techtarget.com/sDe...i213850,00.html

and in this case

udp port 2335 (p2p software ports)

You have gnutella running on the system.

go to run

type

cmd

type ipconfig /all

Cut and paste and post all output of the command.

also looking at the logs.. I'll break this down..

you are on a switched port meaning you can only see what is being sent to and from your..

here is one packet

Ethernet II, Src: LinksysG_77:ed:6f (00:06:25:77:ed:6f), Dst: LinksysG_5f:9b:20 (00:0c:41:5f:9b:20)

Internet Protocol, Src: 68.115.142.126 (68.115.142.126), Dst: 192.168.1.102 (192.168.1.102)

Transmission Control Protocol, Src Port: 33056 (33056), Dst Port: 1550 (1550), Seq: 0, Ack: 0, Len: 37

Data (37 bytes)

Address 68.115.142.126 is an internet address... not one of your computers.

Address 192.168.1.102 has to be you... it's the only way you could see traffic from 68.115.142.126 to 68.115.142.126. There is no other way.


Windows IP Configuration

Host Name . . . . . . . . . . . . : Darkest_Dream

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : crlsca.adelphia.net

Ethernet adapter Dark Messenger:

Connection-specific DNS Suffix . : crlsca.adelphia.net

Description . . . . . . . . . . . : Wireless-G PCI Adapter

Physical Address. . . . . . . . . : 00-0C-41-60-B1-AB

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.100

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 67.21.13.7

67.21.13.6

Lease Obtained. . . . . . . . . . : Saturday, December 31, 2005 9:41:42 AM

Lease Expires . . . . . . . . . . : Sunday, January 01, 2006 9:41:42 AM

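Added example, not part of any post in this thread: a short Python check that parses two of the Sygate log entries posted above and compares them with the interface address and mask from the ipconfig output. The column order of the log and the function names are assumptions made for this example.

```python
import ipaddress

# Two entries copied from the Sygate packet log posted in this thread.
LOG = r"""
117609 12/29/2005 17:32:11 192.168.1.102 138 192.168.1.255 138 Incoming Blocked C:\WINDOWS\system32\ntoskrnl.exe
117616 12/29/2005 17:52:16 192.168.1.102 137 192.168.1.255 137 Incoming Blocked C:\WINDOWS\system32\DRIVERS\ndisuio.sys
"""

# Address and mask of the logging machine, from the ipconfig /all output above.
LOCAL_IF = ipaddress.ip_interface("192.168.1.100/255.255.255.0")

# The three private blocks named in the thread (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NetBIOS over TCP/IP: port 137 is the name service, 138 the datagram service.
NETBIOS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}


def parse_line(line):
    """Split one entry; the column order is inferred from the posted log."""
    _seq, date, time, src, _sport, dst, dport, direction, action, proc = line.split(None, 9)
    return {"when": f"{date} {time}", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "direction": direction, "action": action, "process": proc}


def classify(entry, local=LOCAL_IF):
    """Describe a logged packet relative to the local interface."""
    src, dst = entry["src"], entry["dst"]
    return {
        "src_private": any(src in block for block in PRIVATE_BLOCKS),
        "src_on_my_subnet": src in local.network,
        "src_is_me": src == local.ip,
        "dst_is_subnet_broadcast": dst == local.network.broadcast_address,
        "service": NETBIOS.get(entry["dport"], "other"),
    }


def analyze(log=LOG):
    """Classify every non-empty line of the log text."""
    return [classify(parse_line(l)) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, verdict in zip(LOG.strip().splitlines(), analyze()):
        print(line.split()[3], "->", verdict)
```

For both entries the source is a private address on the same /24 as the logging machine but not the machine itself, and the destination is that subnet's broadcast address on a NetBIOS port. A whois lookup on such an address returns IANA only because the whole 192.168.0.0/16 range is registered as reserved.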

For some reason, I can't release my IP address. It asked me to specify which adapter, so I typed

ipconfig /release Wireless-G PCI Adapter

It said that was wrong, so then I typed

ipconfig /release Dark Messenger

and it is still not releasing; it just said it was wrong. I even tried without the name, and it still needs a network name.
