Should traffic with these IP addresses get through

  Batch 18:59 07 Jan 2008
Locked

When I first got broadband (nearly 3 years ago) and installed a 3Com router, I found that Zone Alarm rarely blocked any incoming TCP / UDP scans / attacks etc. (because they were being stopped by the router). Those that did get through (to ZA) had a destination IP as allocated by my ISP (and used by the router facing out to the external world on the Internet). I didn't really give these any thought at the time, but with hindsight, it seems odd that these should be passed on to the PC with the "external" IP as the destination IP. Maybe that's part of my ignorance though.

Anyhow, lately I've seen scans etc. getting through to (and blocked by) ZA with a destination IP of my private IP range (e.g. 192.168.1.17). These source IPs are generally in Russia, Poland etc. My question really relates to these. The information in ZA suggests that the remote (source) IP is sending out traffic with a destination IP of 192.168.1.17. But how does this even get routed (to me), as surely it must be routed (over the Internet) using the external IP as allocated by my ISP? In any event, surely the router should not route (over my LAN) any traffic from the Internet that is using IP addresses in one of the private IP ranges (isn't that very basic security)?

One additional piece of information. The 3Com router was replaced a few months ago (under warranty) as the original one went belly up. 3Com sent me a later model. It has the latest firmware installed.

Any info that can shed light / educate would be useful.

  pchelper001 19:03 07 Jan 2008

it may be your isp's servers or the ip's are sent to your ip for example; 000.000.000.000:192.168.0.17

anything else and i am not sure.

  Scottiedogg 20:02 07 Jan 2008

Hi Batch, this is quite normal. Your private ip is only used within your LAN to identify which host (PC) it has been sent from (bear in mind many LANs have more than one PC). Whenever you send data onto the internet of any description (requests for webpages, email etc.) your private ip address is encapsulated within a 'frame' of data as the source address. Also attached to this frame is a 'frame header' with the external ip address labelled as the source. Once on the outside of your router, only the external ip address is of use as thousands upon thousands of routers worldwide use the same range of private ip addresses. When data returns to your router, the outer 'packaging' is removed from the frame to reveal the private ip address of the machine which originally issued the request - your PC - and the data is forwarded as such. Only the router to PC connection has any use for the private ip addresses even though they are sent onto the internet. The reason you only see the private ip address on your PC is because the external ip only goes as far as the internet-side of your router so your PC and any net related software will only use Private ip's - your router will also have a private ip address LAN-side which will be your default gateway.
Type the following into a command prompt to see your ip information:
ipconfig /all

Hope this helps, Scott

  Jim_F 22:54 07 Jan 2008

It may be that some of the security settings are changed - Routers/Firewalls can block unsolicited WAN requests (pings) from the internet - but only if you set them up to do this - if not they will perform an address translation into your private network and pass them on.

  Batch 08:35 08 Jan 2008

Thanks for the input guys.

Scottiedogg - I understand what you're saying, but that begs the question as to why ZA logs are showing some items with a destination IP of my external IP address. Although it is interesting to note that all of these have the same date - 02/12/2006 (BTW, that's not a typo). Even if the router firewall was turned off, from what you say, I wouldn't expect these to get through to the PC.

Jim_F - ICMP Ping is blocked at the router (and always has been).

As an aside, I noticed that MSS Clamping is enabled (by default) on this router (the old router didn't have an option for this). Given that I'm using PPPoA with MTU of 1492 (again the default), does MSS Clamping being enabled make any difference?

  Jim_F 09:23 08 Jan 2008

Is SPI also enabled ?

I'd also check that no routeings (or forwarding) are set up - in my setup the only routeing is from your external (ISP IP address) to the firewall.

I haven't used PPPoE much but would have thought that MTU and MSS Clamping were more about setting/advertising packet sizes.

  Batch 09:40 08 Jan 2008

Yep! SPI enabled (with Firewall protection level set at high - the default). I'm pretty thorough with setting things up and security is top of the list. E.g. NAT is enabled, Universal PnP is disabled.

No translations or routings are set-up.

I also got the impression that MSS Clamping was to do with packet sizes, but on this router it is one of the options on the Security Tab. Unfortunately the Help / manual aren't very helpful.

  Jim_F 18:02 08 Jan 2008

I can only wonder if web pages you viewed linked advertising from these addresses so these would be seen as responses to requests issued from your machine. Otherwise - as you say - I'd expect these to be blocked.

  Batch 15:08 18 Jan 2008

I've been monitoring the blocked traffic in ZA and nothing else with private IP addresses has appeared.

However, a couple of days ago ZA did block an incoming from 24.64.216.96:31745 and to 217.135.244.200:1026.

With this the question is even more pertinent!!! Neither of these are my external IP address and they aren't in the private IP range. So why is this even getting to my router in the first place, let alone being allowed through by the router (to be blocked by ZA)?
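
The three kinds of blocked entry reported in this thread (destination equal to the ISP-allocated address, destination in the private range, destination that is neither) can be sorted mechanically when reviewing a host firewall log. This is an added example, not part of the original posts; the WAN address (a documentation address), the LAN subnet and all sample tuples except the last are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): the router's WAN address and the LAN subnet.
# 203.0.113.10 is a documentation address standing in for the ISP-allocated one.
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN = ipaddress.ip_network("192.168.1.0/24")
# Explicit RFC 1918 list: ipaddress.is_private also matches documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(src, dst):
    """Label one blocked-inbound entry as seen by a host firewall behind NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == WAN_IP:
        # The host saw a packet still addressed to the external address.
        return "dst-is-wan-ip"
    if d in LAN:
        # Public source + LAN destination is what any inbound packet looks like
        # after the router has rewritten the destination (NAT); the remote end
        # did not address it to the private IP.
        return "lan-to-lan" if in_rfc1918(s) else "translated-inbound"
    if in_rfc1918(d):
        return "dst-private-other-subnet"
    # Neither the WAN address nor any private address: not addressed to this site.
    return "dst-foreign-public"


def triage(entries):
    return [(src, dst, classify(src, dst)) for src, dst in entries]


LOG = [  # constructed sample, except the last pair, which is quoted in the thread
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.9", "192.168.1.17"),
    ("192.168.1.20", "192.168.1.17"),
    ("24.64.216.96", "217.135.244.200"),
]

if __name__ == "__main__":
    for src, dst, label in triage(LOG):
        print(f"{src:>15} -> {dst:<16} {label}")
```
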

  Jim_F 14:14 20 Jan 2008

It might be worth testing your own security with the shields up site: click here

Looking at router logs there is a lot of activity from the address range you identify but like you I wouldn't expect to see this at the computer.

  MoboMoFo 15:25 21 Jan 2008

Does your router not have a firewall? Is it turned on?

The IP address 24.64.216.96 you have listed traces back to Shawnet telecommunications in America; this is a Panther dialup account.

Both ports you have listed, 31745 and port 1026, are known trojan ports.

This thread is now locked and can not be replied to.
