Public IP 10.180.16.1 on WAN Port (logged by router)

[blue68f100]

For the past 2 months since I upgrade to a Bussiness class network router, I have been logging attacks from a PUBLIC IP 10.180.16.1 on the WAN port. I did not look closely at the other routers log, so I have no idea how long this has been going on. It is pingable, over 30 hops some times. I sent the logs to Netgear and they said it was a hacker (or someone) tring to hide it's tracks. Doing pretty good so far. I have sent the logs to Comcast Abuse, (3-4 times now) but Comcast has refused to see it as a abuse , Infact they havn't a clue on what is happening. They think it's from my network, which has a 192.168.xxx.xxx ip. NOT MINE it's on the WAN port, Which is COMCAST. Have any one else experience this. The last one said to use www.arin.net to look it up. WAKEUP IT A PUBLIC IP ADDRESS.

I have reloaded all of my pc's with in the last month. I set the router to log and block any outbound activity to 10.180.16.1, No takers, no outbound.

I know Ports 67 & 68 are used for :

bootps 67/tcp Bootstrap Protocol Server
bootps 67/udp Bootstrap Protocol Server
bootpc 68/tcp Bootstrap Protocol Client
bootpc 68/udp Bootstrap Protocol Client

The odd thing about it is Netgear's tech support was able to do a ping and trace from India.

Here is a portion of the log, this comes through every 3-5 minutes 24/7.

Mon Jul 10 12:02:01 2006 time="2006-07-10 12:01:00" proto=17- udp packet - Source:=10.180.16.1 - Destination:=255.255.255.255 - [Destination address broadcast Src 67 Dst 68 from WAN ]

The trace shows this:

10 36 ms 36 ms 44 ms tbr2-p012301.cgcil.ip.att.net [12.123.6.13]
11 36 ms 32 ms 37 ms tbr2-cl7.sl9mo.ip.att.net [12.122.10.46]
12 33 ms 35 ms 36 ms tbr1-cl24.sl9mo.ip.att.net [12.122.9.141]
13 35 ms 35 ms 37 ms tbr2-cl6.dlstx.ip.att.net [12.122.10.90]
14 35 ms 42 ms 37 ms br2-a3120s9.dlstx.ip.att.net [12.123.16.213]
15 38 ms * 34 ms 12.116.2.6
16 35 ms 33 ms 33 ms 10g-9-1-rr01.plano.tx.dallas.comcast.net [68.87.207.82]
17 35 ms 34 ms 32 ms 10.180.16.1


The ODD thing is that Netgear's tech support in India was able to ping and trace this IP. He said it wasn't consistant. Sometimes yes sometimes no. At first they though it was a joke, till they tried it.


My Question is:

How many www users can ping this Public IP and weather or not you are a comcast user.

I think someone hooked up a pc to the wrong port and it is searching for a DHCP server that is not responding.

 

[mikeyp410]

I can ping with no drops but is destination net unreachable. I can also trace the route but it dropped after two hits and was destination net unreachable.

 

[blue68f100]

Got me, didn't allow for that option.

I can't add it since a post has been made.

 

[El0him]

10.x.x.x/8 is an RFC1918 address. It is not a public IP. This address block is not advertise in BGP at the edge of the service provider network. If Netgear can ping this address, then they have a device on their network with this IP address and their tech support thinks its the same device you are pinging than their tech support is dumber than shit.

For the past 2 months since I upgrade to a Bussiness class network router, I have been logging attacks from a PUBLIC IP 10.180.16.1 on the WAN port. I did not look closely at the other routers log, so I have no idea how long this has been going on. It is pingable, over 30 hops some times. I sent the logs to Netgear and they said it was a hacker (or someone) tring to hide it's tracks. Doing pretty good so far. I have sent the logs to Comcast Abuse, (3-4 times now) but Comcast has refused to see it as a abuse , Infact they havn't a clue on what is happening. They think it's from my network, which has a 192.168.xxx.xxx ip. NOT MINE it's on the WAN port, Which is COMCAST. Have any one else experience this. The last one said to use www.arin.net to look it up. WAKEUP IT A PUBLIC IP ADDRESS.

I have reloaded all of my pc's with in the last month. I set the router to log and block any outbound activity to 10.180.16.1, No takers, no outbound.

I know Ports 67 & 68 are used for :

bootps 67/tcp Bootstrap Protocol Server
bootps 67/udp Bootstrap Protocol Server
bootpc 68/tcp Bootstrap Protocol Client
bootpc 68/udp Bootstrap Protocol Client

The odd thing about it is Netgear's tech support was able to do a ping and trace from India.

Here is a portion of the log, this comes through every 3-5 minutes 24/7.

Mon Jul 10 12:02:01 2006 time="2006-07-10 12:01:00" proto=17- udp packet - Source:=10.180.16.1 - Destination:=255.255.255.255 - [Destination address broadcast Src 67 Dst 68 from WAN ]

The trace shows this:

10 36 ms 36 ms 44 ms tbr2-p012301.cgcil.ip.att.net [12.123.6.13]
11 36 ms 32 ms 37 ms tbr2-cl7.sl9mo.ip.att.net [12.122.10.46]
12 33 ms 35 ms 36 ms tbr1-cl24.sl9mo.ip.att.net [12.122.9.141]
13 35 ms 35 ms 37 ms tbr2-cl6.dlstx.ip.att.net [12.122.10.90]
14 35 ms 42 ms 37 ms br2-a3120s9.dlstx.ip.att.net [12.123.16.213]
15 38 ms * 34 ms 12.116.2.6
16 35 ms 33 ms 33 ms 10g-9-1-rr01.plano.tx.dallas.comcast.net [68.87.207.82]
17 35 ms 34 ms 32 ms 10.180.16.1


The ODD thing is that Netgear's tech support in India was able to ping and trace this IP. He said it wasn't consistant. Sometimes yes sometimes no. At first they though it was a joke, till they tried it.


My Question is:

How many www users can ping this Public IP and weather or not you are a comcast user.

I think someone hooked up a pc to the wrong port and it is searching for a DHCP server that is not responding.

 

[Hawkeye22]

Correct, 10.x.x.x is a private address and should never be accessable beyond your lan. Gateway routers should never advertise these addresses beyond the lan.

That said, I had a similar problem before. I sent weeks worth of router logs to my ISP (Adelphia). When they investigated, they found a rogue DHCP server on their network. They immidiately clobbered access to the person running the rogue server and I haven't had a problem since.

 

[blue68f100]

Thanks for you responce,

I have been tring to get that across to comcast but so far deaf ears. I guess I will need to expand my loging file so I can capture a 24 hr at a time. At the current rate it is filled and starts purging after a 6-8 hr period.

 

[sturm]

I get the same tracert. Leads to comcast in dallas tx.

 

[El0him]

If you are a comcast customer, chances are you may be able to see this device because large MSOs like Comcast will advertise these routes in their IGP so that their NNOC will be able to watch for problems. This is perfectly fine because the advertisement is all within Comcast's network. Any traffic from the RFC1918 addresses are considered intra-network devices and as such could be seen by any other devices sitting on the same carrier's network.

Now, back to my previous post, if Netgear thinks that the device you are pinging and the device that netgear tech support is pinging is the same device, then their tech support is dumber than shit and they're not worth talking to.

Any RFC1918 address that you can get to on the network will be intra-provider network devices. Go back to comcast and tell them you want to speak with a level III support engineer and not the ex-burger king employees.

 

[blue68f100]

All they have is Burger King techs, I tried.

To fix the problem I am moving over to Verizion FIOS service. 5 meg down 2 meg up.

 

[fredweston]

Not that I can pretend to know the answer to your question, but my ISP (road runner) uses RFC1918 addresses on my WAN side.

Example:

Tracing route to www.l.google.com [64.233.179.104]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms fw.fredwick.com [172.16.1.1]
2 6 ms 7 ms 15 ms 10.210.96.1
3 8 ms 7 ms 8 ms 97.230.95.24.cfl.res.rr.com [24.95.230.97]
4 9 ms 7 ms 8 ms 145.228.95.24.cfl.res.rr.com [24.95.228.145]
5 8 ms 9 ms 10 ms so-8-1.car2.Orlando1.Level3.net [4.79.118.17]
Etc.

As el0him said, some ISPs use the 1918 addresses internally. I assume they do it to save from having to assign "real" addresses to devices that don't need to be accessible outside their network.

 

[El0him]

I should have read your post more closely before I started flaming Netgear techsupport and yes they are still dumber than shit. This is just a DHCP broadcast. Don't worry, you're not being hacked. Unless your logs looks like this:

Jul 23 09:17:09 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=85.59.113.81 DST=68.117.130.81 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=36538 DF PROTO=TCP SPT=4187 DPT=17314
WINDOW=16384 RES=0x00 SYN URGP=0
Jul 23 09:17:15 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=85.59.113.81 DST=68.117.130.81 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=37008 DF PROTO=TCP SPT=4187 DPT=17314
WINDOW=16384 RES=0x00 SYN URGP=0
Jul 23 09:17:52 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=204.16.208.115 DST=68.117.130.81 LEN=441 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=39502 DPT=1026 L
EN=421
Jul 23 09:17:52 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=204.16.208.115 DST=68.117.130.81 LEN=441 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=39502 DPT=1027 L
EN=421
Jul 23 09:18:31 lyxander sshd(pam_unix)[9362]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:18:34 lyxander sshd(pam_unix)[9364]: check pass; user unknown
Jul 23 09:18:34 lyxander sshd(pam_unix)[9364]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:35 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=85.59.113.81 DST=68.117.130.81 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43630 DF PROTO=TCP SPT=4250 DPT=17314
WINDOW=16384 RES=0x00 SYN URGP=0
Jul 23 09:18:37 lyxander sshd(pam_unix)[9366]: check pass; user unknown
Jul 23 09:18:37 lyxander sshd(pam_unix)[9366]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:38 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=85.59.113.81 DST=68.117.130.81 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=43845 DF PROTO=TCP SPT=4250 DPT=17314
WINDOW=16384 RES=0x00 SYN URGP=0
Jul 23 09:18:40 lyxander sshd(pam_unix)[9369]: check pass; user unknown
Jul 23 09:18:40 lyxander sshd(pam_unix)[9369]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:42 lyxander sshd(pam_unix)[9371]: check pass; user unknown
Jul 23 09:18:42 lyxander sshd(pam_unix)[9371]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:44 lyxander kernel: Firewall:IN=eth0 OUT= MAC=00:60:97:23:63:3c:00:0b:be:a8:38:15:08:00 SRC=85.59.113.81 DST=68.117.130.81 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=44285 DF PROTO=TCP SPT=4250 DPT=17314
WINDOW=16384 RES=0x00 SYN URGP=0
Jul 23 09:18:45 lyxander sshd(pam_unix)[9373]: check pass; user unknown
Jul 23 09:18:45 lyxander sshd(pam_unix)[9373]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:48 lyxander sshd(pam_unix)[9375]: check pass; user unknown
Jul 23 09:18:48 lyxander sshd(pam_unix)[9375]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156
Jul 23 09:18:51 lyxander sshd(pam_unix)[9377]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:18:53 lyxander sshd(pam_unix)[9380]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:18:56 lyxander sshd(pam_unix)[9382]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:18:59 lyxander sshd(pam_unix)[9384]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:02 lyxander sshd(pam_unix)[9386]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:05 lyxander sshd(pam_unix)[9388]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:08 lyxander sshd(pam_unix)[9390]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:10 lyxander sshd(pam_unix)[9393]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:13 lyxander sshd(pam_unix)[9395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:16 lyxander sshd(pam_unix)[9397]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root
Jul 23 09:19:19 lyxander sshd(pam_unix)[9399]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.87.66.156 user=root

For the past 2 months since I upgrade to a Bussiness class network router, I have been logging attacks from a PUBLIC IP 10.180.16.1 on the WAN port. I did not look closely at the other routers log, so I have no idea how long this has been going on. It is pingable, over 30 hops some times. I sent the logs to Netgear and they said it was a hacker (or someone) tring to hide it's tracks. Doing pretty good so far. I have sent the logs to Comcast Abuse, (3-4 times now) but Comcast has refused to see it as a abuse , Infact they havn't a clue on what is happening. They think it's from my network, which has a 192.168.xxx.xxx ip. NOT MINE it's on the WAN port, Which is COMCAST. Have any one else experience this. The last one said to use www.arin.net to look it up. WAKEUP IT A PUBLIC IP ADDRESS.

I have reloaded all of my pc's with in the last month. I set the router to log and block any outbound activity to 10.180.16.1, No takers, no outbound.

I know Ports 67 & 68 are used for :

bootps 67/tcp Bootstrap Protocol Server
bootps 67/udp Bootstrap Protocol Server
bootpc 68/tcp Bootstrap Protocol Client
bootpc 68/udp Bootstrap Protocol Client

The odd thing about it is Netgear's tech support was able to do a ping and trace from India.

Here is a portion of the log, this comes through every 3-5 minutes 24/7.

Mon Jul 10 12:02:01 2006 time="2006-07-10 12:01:00" proto=17- udp packet - Source:=10.180.16.1 - Destination:=255.255.255.255 - [Destination address broadcast Src 67 Dst 68 from WAN ]

The trace shows this:

10 36 ms 36 ms 44 ms tbr2-p012301.cgcil.ip.att.net [12.123.6.13]
11 36 ms 32 ms 37 ms tbr2-cl7.sl9mo.ip.att.net [12.122.10.46]
12 33 ms 35 ms 36 ms tbr1-cl24.sl9mo.ip.att.net [12.122.9.141]
13 35 ms 35 ms 37 ms tbr2-cl6.dlstx.ip.att.net [12.122.10.90]
14 35 ms 42 ms 37 ms br2-a3120s9.dlstx.ip.att.net [12.123.16.213]
15 38 ms * 34 ms 12.116.2.6
16 35 ms 33 ms 33 ms 10g-9-1-rr01.plano.tx.dallas.comcast.net [68.87.207.82]
17 35 ms 34 ms 32 ms 10.180.16.1


The ODD thing is that Netgear's tech support in India was able to ping and trace this IP. He said it wasn't consistant. Sometimes yes sometimes no. At first they though it was a joke, till they tried it.


My Question is:

How many www users can ping this Public IP and weather or not you are a comcast user.

I think someone hooked up a pc to the wrong port and it is searching for a DHCP server that is not responding.