Relentless knocking on firewall

Guest
Archived from groups: alt.internet.wireless

I'm getting relentless pounding of my firewall by an IP address
10.203.185.129 which is coming thru my Motorola 5100 cable modem and
bouncing off the firewall of my Belkin 5F7230-4 DSL/cable gateway router. I
get a message shown below. There are others, but the one is very
persistent. My ISP, Charter, has been no help, sending a cable installer
that just shrugs and leaves me with 64K-107K on a 384K/128K line. Is there
anything I can do? I've changed channels and SSID and turned off
broadcasting. This has to affect performance. Here's a copy of the log:
Firewall log:
Sat Aug 21 21:27:35 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:27:51 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:07 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:09 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:28:09 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:28:23 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:39 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:55 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:29:03 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:29:06 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:29:10 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:29:14 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:29:26 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:29:29 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:29:42 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:29:58 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:14 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:15 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:30 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:46 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:46 2004 1 Blocked by DoS protection 213.64.177.151
Sat Aug 21 21:31:02 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:31:18 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:31:28 2004 1 Blocked by DoS protection 68.155.78.77
Sat Aug 21 21:31:34 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:31:50 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:31:57 2004 1 Blocked by DoS protection 172.28.88.21
Sat Aug 21 21:31:57 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:32:06 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:32:22 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:32:29 2004 1 Blocked by DoS protection 211.243.105.140
Sat Aug 21 21:32:38 2004 1 Blocked by DoS protection 10.203.185.129
Any ideas would be appreciated. Thanks, Terry (MO Ozarks)
 
Guest

Search results for: 10.203.185.129

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2004-08-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
Guest

"Wiz-z-z" <notme@noway.com> wrote:
>This has to affect performance.
[every few seconds:
> Sat Aug 21 21:27:35 2004 1 Blocked by DoS protection 10.203.185.129
> Sat Aug 21 21:27:51 2004 1 Blocked by DoS protection 10.203.185.129
> Sat Aug 21 21:28:07 2004 1 Blocked by DoS protection 10.203.185.129

I can't see that affecting performance, it's not very often in terms
of your broadband bandwidth.

10.*.*.* is non-routable, so it's probably coming from inside your
provider's network. Try a 'tracert 10.203.185.129' and post the
results.
 
Guest

"Jim Miller" <jim@NOSPAMjtmiller.com> wrote in news:ZY6dnTbhZ4f3kbXcRVn-qg@comcast.com:

> Search results for: 10.203.185.129
>
> OrgName: Internet Assigned Numbers Authority
> OrgID: IANA
> Address: 4676 Admiralty Way, Suite 330
> City: Marina del Rey
> StateProv: CA
> PostalCode: 90292-6695
> Country: US
>
> NetRange: 10.0.0.0 - 10.255.255.255
> CIDR: 10.0.0.0/8
> NetName: RESERVED-10
> NetHandle: NET-10-0-0-0-1
> Parent:
> NetType: IANA Special Use
> NameServer: BLACKHOLE-1.IANA.ORG
> NameServer: BLACKHOLE-2.IANA.ORG
> Comment: This block is reserved for special purposes.
> Comment: Please see RFC 1918 for additional information.
> Comment:
> RegDate:
> Updated: 2002-09-12
>
> OrgAbuseHandle: IANA-IP-ARIN
> OrgAbuseName: Internet Corporation for Assigned Names and Number
> OrgAbusePhone: +1-310-301-5820
> OrgAbuseEmail: abuse@iana.org
>
> OrgTechHandle: IANA-IP-ARIN
> OrgTechName: Internet Corporation for Assigned Names and Number
> OrgTechPhone: +1-310-301-5820
> OrgTechEmail: abuse@iana.org
>
> # ARIN WHOIS database, last updated 2004-08-21 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
>
>

http://whatis.techtarget.com/definition/0,,sid9_gci214010,00.html

Duane :)
 
Guest

"Wiz-z-z" <notme@noway.com> wrote in message
news:10ig1uteif58n2c@corp.supernews.com...
> I'm getting relentless pounding of my firewall by an IP address
> 10.203.185.129 which is coming thru my Motorola 5100 cable modem and
> bouncing off the firewall of my Belkin 5F7230-4 DSL/cable gateway router. I
> get a message shown below. There are others, but the one is very
> persistent. My ISP, Charter, has been no help, sending a cable installer
> that just shrugs and leaves me with 64K-107K on a 384K/128K line. Is there
> anything I can do? I've changed channels and SSID and turned off
> broadcasting. This has to affect performance. Here's a copy of the log:
>
> Firewall log:
> Sat Aug 21 21:27:35 2004 1 Blocked by DoS protection 10.203.185.129
> Sat Aug 21 21:27:51 2004 1 Blocked by DoS protection 10.203.185.129
[snip]
> Any ideas would be appreciated. Thanks, Terry (MO Ozarks)

Terry,

IP numbers that start with "10" are part of three ranges dedicated to
"Detached Network Operation" - in other words, they're intended to be used
in IP networks which do NOT touch the Internet.

That means that IP numbers starting with 10 are not allowed on the Internet,
and they must be translated to "real" IP numbers before they can be routed.
There are three ranges dedicated to "detached" operation: here's the list,
from RFC1918.

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

You probably wonder why I'm throwing all this information at you, and here's
the reason: "10" addresses CAN'T COME FROM THE INTERNET! Every Internet
router routinely drops _ANY_ packet having a detached address.

In other words, it's from another modem on the cable, since cable operators
use "10" addresses for the modems. If you own the modem, check for firmware
upgrades: if your modem checks out, tell Charter they have a problem.

HTH. YMMV.

William
--
William Warren
(Filter noise from my address for direct replies.)
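The log Terry posted and the RFC 1918 list above, run through a short analysis script. This is an added example, not code from any poster: it parses lines in the Belkin's log format, classifies each source with the standard library's ipaddress module, and measures how often each source hits and how much bandwidth the blocked packets could cost. The packet size is an assumption (the log does not record it), and the log lines below are a constructed subset of the ones posted upthread.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample: a subset of the Belkin log lines posted in the thread.
SAMPLE_LOG = """\
Sat Aug 21 21:27:35 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:27:51 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:07 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:28:09 2004 1 Blocked by DoS protection 10.202.0.1
Sat Aug 21 21:28:23 2004 1 Blocked by DoS protection 10.203.185.129
Sat Aug 21 21:30:46 2004 1 Blocked by DoS protection 213.64.177.151
Sat Aug 21 21:31:57 2004 1 Blocked by DoS protection 172.28.88.21
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> <n> <message> <source IP>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) \d+ "
    r"(?P<msg>.+?) (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_log(text):
    """Yield (timestamp, message, source IP) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["msg"], m["src"]


def classify(src):
    """'private' for RFC 1918 and other special-use space, else 'public'."""
    return "private" if ip_address(src).is_private else "public"


def summarize(text, assumed_packet_bytes=64):
    """Per source: kind, hit count, median seconds between hits, and the
    bandwidth the blocked packets would use if each were assumed_packet_bytes
    long (an assumption; the router log does not record packet size)."""
    hits = defaultdict(list)
    for ts, _msg, src in parse_log(text):
        hits[src].append(ts)

    report = {}
    for src, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        span = (times[-1] - times[0]).total_seconds()
        bps = len(times) * assumed_packet_bytes * 8 / span if span else 0.0
        report[src] = {
            "kind": classify(src),
            "count": len(times),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "bits_per_second": bps,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src:16} {info['kind']:8} hits={info['count']:3} "
              f"gap={info['median_gap_s']} bps={info['bits_per_second']:.1f}")
```

On the posted data the persistent source fires every 16 seconds, which even at generous packet sizes is a few dozen bits per second against a 384 Kbit/s line, so Jim's point stands: whatever is knocking, it is not what ate the bandwidth.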
 
Guest

<William P.N. Smith> wrote in message
news:mm8gi05mtjqr2ue6ioe35i4qbt1qsllj5i@4ax.com...
> "Wiz-z-z" <notme@noway.com> wrote:
> >This has to affect performance.
> [every few seconds:
> > Sat Aug 21 21:27:35 2004 1 Blocked by DoS protection 10.203.185.129
> > Sat Aug 21 21:27:51 2004 1 Blocked by DoS protection 10.203.185.129
> > Sat Aug 21 21:28:07 2004 1 Blocked by DoS protection 10.203.185.129
>
> I can't see that affecting performance, it's not very often in terms
> of your broadband bandwidth.
>
> 10.*.*.* is non-routable, so it's probably coming from inside your
> provider's network. Try a 'tracert 10.203.185.129' and post the
> results.
>

Here's the results of the tracert:

Tracing route to 10.203.185.129 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.2.1
2 7 ms 7 ms 8 ms 10.203.185.129
Trace complete.

I assume that means it belongs to my ISP, Charter, like one of the other
posters said. As an old retired Network Admin (pre-cable and wireless), I
hate it when someone messes with my firewall.
Thanks a lot guys for all the replies. ...Terry (MO Ozarks)
 
Guest

In article <mOVVc.208145$eM2.83135@attbi_s51>,
William Warren <william_warren_noise@comcast.net> wrote:
:That means that IP numbers starting with 10 are not allowed on the Internet,

False.

:and they must be translated to "real" IP numbers before they can be routed.

Only partly true.


:You probably wonder why I'm throwing all this information at you, and here's
:the reason: "10" addresses CAN'T COME FROM THE INTERNET! Every Internet
:router routinely drops _ANY_ packet having a detached address.

Definitely false.


IP addresses in particular ranges are reserved for "private networks",
according to RFC ("Request For Comments") 1918. RFC's make
*recommendations* of technical standards, and if someone does not follow
those technical standards, all you can do is ask them politely to change;
and if they won't change, then all you can do is exile them from
"polite society" (get the major routers involved enough that they will
stop routing packets for that host or provider.) RFC's have no
legal or legislative authority or enforcement mechanisms beyond
those available when you see anyone acting boorishly -- politeness,
shaming, or ostracism.


RFC 1918 says that one "must not" allow -outgoing- packets in private
number ranges to escape to the public internet, but it (and the
follow ups to it) only say that one "should not" allow -incoming-
packets in those ranges to enter your private network.

Thus, a 10.* packet could have originated anywhere in the world that
chooses to disregard the "do not let them leak out" clause, and make it
over to you through a chain of providers who do not implement the
"please do not let them leak in either" clause.

It is fairly common for the big ISPs (especially the cable companies)
to allow in nearly everything, as they claim that their network
performance would suffer too much if they implemented blocking
of those addresses at all of their gateways. Which might be true for
some models by some vendors, but would be false for other models by
other vendors who implement this kind of simple filtering in hardware.


The original poster mentioned Comcast. I am not in the US and especially
I have not done any business with Comcast, but my recollection from
previous Usenet reading is that Comcast itself uses 10.* IP addresses
internally for its own equipment. I further seem to recall that Comcast
is one of the cable companies that has a "no servers" policy and
that they attempt to enforce that policy by having their equipment
"scan" (attempt to open) some of the common server ports on all the
user machines. If my recollections are correct, then the packets could
represent Comcast itself checking to see whether you are running servers.

--
"There are three kinds of lies: lies, damn lies, and statistics."
-- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
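Walter's distinction between the RFC 1918 "must not" on egress and "should not" on ingress, modelled as a toy chain of provider border routers. This is an added example, not code from the thread; the provider names, the 203.0.113.7 address (from the RFC 5737 documentation range) and the two filter knobs are assumptions. It shows a 10.* sourced packet crossing providers that skip the ingress filter, the same packet stopped by either filter, and why a reply to it almost never gets back.

```python
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks quoted earlier in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


class BorderRouter:
    """One provider's edge, reduced to the two RFC 1918 filter decisions.

    egress_filter  -> the "must not let them leak out" rule: a packet leaving
                      this provider with a private source or destination is dropped.
    ingress_filter -> the "should not let them leak in" rule: a packet arriving
                      from another provider with a private source or destination
                      is dropped.
    Both are operator configuration, which is the whole point: nothing in IP
    itself refuses to carry a 10.* packet.
    """

    def __init__(self, name, egress_filter=True, ingress_filter=True):
        self.name = name
        self.egress_filter = egress_filter
        self.ingress_filter = ingress_filter

    def forward(self, pkt, direction):
        """True if the packet is forwarded, False if this router drops it."""
        private = is_rfc1918(pkt["src"]) or is_rfc1918(pkt["dst"])
        if not private:
            return True
        if direction == "out":
            return not self.egress_filter
        return not self.ingress_filter  # direction == "in"


def traverse(pkt, path):
    """Carry pkt out of path[0] and into each later provider in turn.
    Returns (names that forwarded it, name of the one that dropped it or None)."""
    passed = []
    for i, router in enumerate(path):
        if not router.forward(pkt, "out" if i == 0 else "in"):
            return passed, router.name
        passed.append(router.name)
    return passed, None


# Constructed scenario: a host inside isp-a sends a packet with a spoofed
# 10.* source towards a customer of isp-c; REPLY is what that customer's
# machine would send back.
SPOOFED = {"src": "10.203.185.129", "dst": "203.0.113.7"}
REPLY = {"src": "203.0.113.7", "dst": "10.203.185.129"}


def leaky_chain():
    """Nobody filters: the packet arrives and the reply leaks back too
    (the 'not entirely impossible' case)."""
    return [BorderRouter(n, egress_filter=False, ingress_filter=False)
            for n in ("isp-a", "transit", "isp-c")]


def strict_chain():
    """Everyone filters: the packet never leaves the originating provider."""
    return [BorderRouter(n) for n in ("isp-a", "transit", "isp-c")]


def mixed_chain():
    """Only the victim's provider filters: the probe is stopped at its edge,
    and a reply would be stopped on the way out for the same reason."""
    return [BorderRouter("isp-a", egress_filter=False, ingress_filter=False),
            BorderRouter("transit", egress_filter=False, ingress_filter=False),
            BorderRouter("isp-c")]


if __name__ == "__main__":
    for chain in (leaky_chain, strict_chain, mixed_chain):
        path = chain()
        print(chain.__name__, "probe:", traverse(SPOOFED, path),
              "reply:", traverse(REPLY, list(reversed(path))))
```

The practical reading for a home firewall: a 10.* source tells you nothing reliable about where the packet came from unless, as in Terry's case, a traceroute shows the address one hop past your own router, inside the ISP.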
 
Guest

On 22 Aug 2004 16:54:59 GMT, roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote:


>The original poster mentioned Comcast. I am not in the US and especially
>I have not done any business with Comcast, but my recollection from
>previous Usenet reading is that Comcast itself uses 10.* IP addresses
>internally for its own equipment. I further seem to recall that Comcast
>is one of the cable companies that has a "no servers" policy and
>that they attempt to enforce that policy by having their equipment
>"scan" (attempt to open) some of the common server ports on all the
>user machines. If my recollections are correct, then the packets could
>represent Comcast itself checking to see whether you are running servers.

I'd think it is probably comcast doing sweeps to see if currently
assigned IP addresses are connected to its system. I see very
similar activity from my cable supplier (they use internet
routable IP addresses though). If the activity is looking for
"servers", then they probably would be trying port 80 where most
of their concerns would be.
 
Guest

[snip]
> Thus, a 10.* packet could have originated anywhere in the world that
> chooses to disregard the "do not let them leak out" clause, and make it
> over to you through a chain of providers who do not implement the
> "please do not let them leak in either" clause.

I don't think that's a realistic scenario. The "chain of providers" would
have to have agreements, and router tables, in place to make it possible,
and I'd be very surprised if any ISP would expose their network to that kind
of unaccountable traffic and the risk it represents. Detached network
addresses aren't routable because there is no automated way to route them:
_EVERY_ ISP in your chain would have to set up their routers by hand, or
would have to be accepting router-table changes from non-authoritative
sources, and either way is an invitation to disaster.

> It is fairly common for the big ISPs (especially the cable companies)
> to allow in nearly everything, as they claim that their network
> performance would suffer too much if they implemented blocking
> of those addresses at all of their gateways. Which might be true for
> some models by some vendors, but would be false for other models by
> other vendors who implement this kind of simple filtering in hardware.

Major ISPs have to deal with source-routing compromises every day, and their
network performance might suffer by doing /24 or /32 routing of "real" IP
numbers, but I don't think that any ISP, major or minor, would ever agree to
do extra work in order to let RFC1918 addresses into their network: it's
just a needless risk. And if it's an automatic table change, any ISP willing
to believe a non-authoritative source when changing routes is asking for
trouble, and they know it.

> The original poster mentioned Comcast. I am not in the US and especially
> I have not done any business with Comcast, but my recollection from
> previous Usenet reading is that Comcast itself uses 10.* IP addresses
> internally for its own equipment.

I agree. The original poster mentioned Charter, but Comcast is probably the
same: the 10.0.0.0 network is for SNMP (or other proprietary uses I can't
guess at), and doesn't leave the cable.

> I further seem to recall that Comcast
> is one of the cable companies that has a "no servers" policy and
> that they attempt to enforce that policy by having their equipment
> "scan" (attempt to open) some of the common server ports on all the
> user machines. If my recollections are correct, then the packets could
> represent Comcast itself checking to see whether you are running servers.

That's very unlikely: no "server" is going to respond to a "10" IP address,
since each customer gets a routable IP address and would only answer probes
sent to the routable address, not the "10" address assigned to the cable
modem.

I'm willing to be proven wrong, but I don't see the logic in your
explanation.

William

--
William Warren
(Filter noise from my address for direct replies.)
 
Guest

"Jim Miller" <jim@NOSPAMjtmiller.com> wrote in message
news:ZY6dnTbhZ4f3kbXcRVn-qg@comcast.com...
> Search results for: 10.203.185.129
>
> OrgName: Internet Assigned Numbers Authority
> OrgID: IANA
> Address: 4676 Admiralty Way, Suite 330
> City: Marina del Rey
> StateProv: CA
> PostalCode: 90292-6695
> Country: US
>
> NetRange: 10.0.0.0 - 10.255.255.255
> CIDR: 10.0.0.0/8
> NetName: RESERVED-10
> NetHandle: NET-10-0-0-0-1
> Parent:
> NetType: IANA Special Use
> NameServer: BLACKHOLE-1.IANA.ORG
> NameServer: BLACKHOLE-2.IANA.ORG
> Comment: This block is reserved for special purposes.
> Comment: Please see RFC 1918 for additional information.
> Comment:
> RegDate:
> Updated: 2002-09-12
>
Jim,

Sorry to interrupt, but how exactly did you get that information from the IP
address? I have a wireless router here at home with three computers on it
and am sometimes curious to know who is knocking. I have MAC filtering and
WEP set, plus firewall, so I'm not worried just curious.

Thanks,

Alanb
 
Guest

google 'whois'

jtm


"Alan Bernardo" <master@oforion.net> wrote in message
news:eJaWc.54190$mD.50775@attbi_s02...

"Jim Miller" <jim@NOSPAMjtmiller.com> wrote in message
news:ZY6dnTbhZ4f3kbXcRVn-qg@comcast.com...
> Search results for: 10.203.185.129
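Jim's one-word answer, spelled out as an added example (not code from the thread). A raw WHOIS query is a TCP connection to port 43 of the registry's server, the address followed by CRLF, and the reply read to EOF (RFC 3912); the reply is the key: value text Jim pasted. The query function needs network access and is not exercised offline; the parser is run on the ARIN record from upthread, embedded here as sample text. Checking ipaddress.is_private first saves the lookup for 10/8, 172.16/12 and 192.168/16 sources, since the registry can only tell you they are reserved. whois.arin.net is ARIN's server; the function names are mine.

```python
import socket
from ipaddress import ip_address

# Constructed sample: the ARIN record for 10.203.185.129 as posted in the thread.
SAMPLE_ARIN = """\
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2004-08-21 19:10
"""


def whois_query(ip, server="whois.arin.net", timeout=10):
    """Raw WHOIS over TCP/43: send the query plus CRLF, read until the server
    closes. Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{ip}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Fold 'Key: value' lines into a dict. Keys that repeat (Comment:,
    NameServer:) become lists; empty values and '#' comment lines are skipped."""
    record = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def who_is_knocking(ip, whois_text=None):
    """Answer RFC 1918 / special-use addresses locally; otherwise parse the
    registry record (passed in, or fetched with whois_query)."""
    if ip_address(ip).is_private:
        return {"verdict": "rfc1918-private", "owner": None, "cidr": None}
    rec = parse_whois(whois_text if whois_text is not None else whois_query(ip))
    return {"verdict": "registered",
            "owner": rec.get("OrgName"),
            "cidr": rec.get("CIDR"),
            "net_type": rec.get("NetType")}


if __name__ == "__main__":
    print(who_is_knocking("10.203.185.129"))          # answered without a lookup
    print(who_is_knocking("213.64.177.151"))           # performs a live query
```

For a public source the registry record gives the abuse contact; for a 10.* source it gives IANA's, which is why Jim's lookup pointed at Marina del Rey rather than at Charter.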
 
Guest

"Jim Miller" <jim@NOSPAMjtmiller.com> wrote in message
news:Z5Wdnbx-SfHRpLTcRVn-pA@comcast.com...
> google 'whois'
>
> jtm
>
>
> "Alan Bernardo" <master@oforion.net> wrote in message
> news:eJaWc.54190$mD.50775@attbi_s02...
>
> "Jim Miller" <jim@NOSPAMjtmiller.com> wrote in message
> news:ZY6dnTbhZ4f3kbXcRVn-qg@comcast.com...
>> Search results for: 10.203.185.129
>
>

Thanks, Jim.

Alanb
 
Guest

"Wiz-z-z" <notme@noway.com> wrote:
>Tracing route to 10.203.185.129 over a maximum of 30 hops
>1 1 ms <1 ms <1 ms 192.168.2.1
>2 7 ms 7 ms 8 ms 10.203.185.129

Yea, it's inside your provider's network, probably one of their
computers checking up on you, either to see if you are still alive, to
see if you have open security, or (if they have an infected machine)
trying to give you a virus. You can complain to them, but even
getting them to understand what you are talking about is going to be
an exercise in futility... 8*)
 
Guest

"stephen" <stephen_hope.xx@ntlxworld.com> wrote in message
news:qRsWc.1297$qR3.583@newsfe6-gui.ntli.net...
> "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
> news:cgb6sb$nkn$1@canopus.cc.umanitoba.ca...
> > In article <Ej7Wc.38782$Fg5.11673@attbi_s53>,
> > William Warren <william_warren_noise@comcast.net> wrote:
> > :> I further seem to recall that Comcast
> > :> is one of the cable companies that has a "no servers" policy and
> > :> that they attempt to enforce that policy by having their equipment
> > :> "scan" (attempt to open) some of the common server ports on all the
> > :> user machines. If my recollections are correct, then the packets could
> > :> represent Comcast itself checking to see whether you are running
> > :> servers.
> >
> > :That's very unlikely: no "server" is going to respond to a
> > :"10" IP address, since each customer gets a routable IP
> > :address and would only answer probes sent to the
> > :routable address, not the "10" address assigned to the cable
> > :modem.
>
> Nope - no special knowledge of unusual network numbers is normally built
> into an IP stack (well - maybe the loopback and the auto config range of
> 169.254). After all, the addressing rules have changed over the years, and
> are likely to continue to do so.

I'm sorry, I didn't make my point clearly: OF COURSE a machine would
respond to a probe sent to e.g. 10.1.1.2, _IF_ that was the address
assigned to that machine.

However, at least in the Comcast system I use, the user's router or gateway
or PC is assigned a non-1918 address. In other words, even if 10.x.x.x
addresses are used by Comcast to control their cable modems, I don't think
that the router or PC on the client side of the modem is aware of it or able
to respond to probes sent via the 10.x.x.x address. AFAIK, any probe would
be answered only if it was sent to the routable address assigned to the
router. Of course, the person running the service would have to have the
appropriate port forwarded into his server.

I hope that is more clear.

William

--
William Warren
(Filter noise from my address for direct replies.)
 
Guest

In article <sswWc.299892$a24.269818@attbi_s03>,
William Warren <william_warren_noise@comcast.net> wrote:
:I'm sorry, I didn't make my point clearly: OF COURSE a machine would
:respond to a probe sent to e.g. 10.1.1.2, _IF_ that was the address
:assigned to that machine.

:However, at least in the Comcast system I use, the user's router or gateway
:or PC is assigned a non-1918 address. In other words, even if 10.x.x.x
:addresses are used by Comcast to control their cable modems, I don't think
:that the router or PC on the client side of the modem is aware of it or able
:to respond to probes sent via the 10.x.x.x address. AFAIK, any probe would
:be answered only if it was sent to the routable address assigned to the
:router. Of course, the person running the service would have to have the
:appropriate port forwarded into his server.

You still seem to have missed the point that the OP was showing
*source* IPs, not destination IPs.

Any device is only going to respond to packets that have in them
the IPs assigned to it together with the various broadcast and multicast
IPs (unless you start cheating down at the MAC level.) That's not in
question. If the user's device is assigned a 10.* address as the ISP's
version of a routable IP, then there's nothing stopping that possibility
as long as the IP gets NAT'd before leaving the ISP's network.

But whether or not the user's device is assigned a 10.* address or a full
routable IP, you still have the situation that a nontrivial number of
ISPs do not block packets that have 10.* -source- IPs from entering
their network. Chain enough of those together and you can't tell
where the original packet came from. Any reply your machine makes
isn't likely to get back to the original machine *, but there
are virus attacks and DoS attacks that don't care whether the
reply gets back.

* It's not entirely impossible that the 10.* reply would get back.
If the sender was somewhere on the infrastructure that the 10.*
route happens to lead back to (if only as the default route
until the network edge), then the sender could snatch the reply packet.
There have been cases, historically, of ISP routers being taken over.
But it's uncommon -- replies to 10.* sourced packets will almost always
get dropped somewhere along the way.
--
"There are three kinds of lies: lies, damn lies, and statistics."
-- not Twain, perhaps Disraeli, first quoted by Leonard Courtney