Firewall getting hit...help...

My internet has been slow as heck lately. Sometimes pages take minutes to load...sometimes seconds. After playing around with my router, I checked the security log and got this:

Fri Jul 22 17:47:19 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:19 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:19 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:41 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:41 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:42 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:42 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:42 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:42 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:48 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:52 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:59 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:47:59 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:02 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:05 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:06 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:06 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:11 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:17 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:28 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:29 2005 1 Blocked by DoS protection 10.160.116.1
Fri Jul 22 17:48:29 2005 1 Blocked by DoS protection 10.160.116.1

As you can see, something is hitting my firewall several times a second...but as I understand it, 10.160.116.1 is not a public IP address. Can this be what is slowing my internet down? Anyone have any ideas how to stop these relentless hits? Please realize that I'm not a techno-wiz...so layman's speak would help.

Thanks!

lokch

On 22 Jul 2005 17:54:36 -0700, snipped-for-privacy@yahoo.com wrote: ....

Querying whois.arin.net [69.25.34.144]...

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: snipped-for-privacy@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: snipped-for-privacy@iana.org

# ARIN WHOIS database, last updated 2005-07-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

-- end --

So looks like this IP NetRange should not be used by anyone?

Dave Lambert

Since the 10.0.0.0/8 range is private you have two possible reasons:

1) Your ISP has set up the 10 range for their customers and is natting your connections
2) The report is telling you the actual IP of the computer doing the attack and is reporting its private address instead of its public address.

So, what is your IP on your Public Connection - not just your IP, but your gateway?

Are you using 10.x.y.z inside your LAN? If so, have you checked your machines to see if it's not you going outbound?

Have you reported this to your ISP?

Leythos

1918 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear. February 1996. (Format: TXT=22270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005) (Status: BEST CURRENT PRACTICE)
3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format: TXT=16200 bytes) (Status: INFORMATIONAL)

The comment in the whois reply gives a huge clue. Point your browser at any search engine, and grab copies of these two RFCs.

Web Results 1 - 10 of about 64,400 for RFC1918. (0.40 seconds)

And the first hit is

formatting link
which is one of dozens of authoritative mirrors of the IETF.

Briefly - they can be used for local purposes, and should not get out onto the Internet. The O/P is seeing them because his ISP (Comcast) is using the 10.0.0.0/8 address range for local use. I've seen previous postings where 10.160.11x.x was mentioned, but google isn't helping me find any.

Old guy

Moe Trin

You use a cable modem, right? If the ports are 67 or 68 then bingo! That address is most likely your cable network trying to renew your IP as part of the DHCP protocol. I know this is a little too technical for you but DHCP is not easy to explain...

Take a look at this:

formatting link
It is a common mistake to have firewalls block necessary IPs/ports needed for the DHCP protocol. When those are blocked, what usually happens is that at some point your connection is lost. It might be that it automatically reconnects (during which you will think your connection is slow or timing out) or it might not reconnect at all needing some kind of reboot (and you might think something is wrong with your hardware).

Here's an easy way to confirm 10.160.116.1 is benign. Open a DOS window. Type: tracert

formatting link
If the first hop (in some cases second) is 10.160.116.1, then that is the UBR and you should configure your firewalls so that it can pass through.

speeder

This IP range is widely used because it is one of the three ranges that can be used by anybody for *private* networks. Because these addresses can be used by anyone they must not be routed on a public network (the internet). Very often addresses from the private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are used behind NAT devices. Read RFC 1918.

Wolfgang

Wolfgang Kueter
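
An added example, not part of any post in this thread: one way to triage a router log in the format posted above, counting hits per source address and checking each source against the three private ranges named here. The regular expression, function names and the sample entries (including the documentation address 203.0.113.7) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# The three RFC 1918 private ranges named in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed entry layout, as posted: "<date time year> <count> <message> <source IP>".
ENTRY = re.compile(
    r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (\d+) (.+?) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?=\s|$)")

def parse(text):
    """Yield (timestamp, message, source), even when entries share one line."""
    for stamp, _count, msg, src in ENTRY.findall(text):
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip malformed addresses such as 999.1.1.1
        yield datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), msg, ip

def summarize(text):
    """Per source: hit count, time span, busiest second, RFC 1918 membership."""
    per_src = defaultdict(list)
    for ts, _msg, ip in parse(text):
        per_src[ip].append(ts)
    report = {}
    for ip, stamps in per_src.items():
        report[str(ip)] = {
            "hits": len(stamps),
            "span_s": (max(stamps) - min(stamps)).total_seconds(),
            "peak_per_s": max(Counter(stamps).values()),
            "rfc1918": any(ip in net for net in RFC1918),
        }
    return report

# Constructed sample: six entries in the posted format run together on one
# line, plus one made-up public (documentation) source for contrast.
_E = "Fri Jul 22 17:47:{:02d} 2005 1 Blocked by DoS protection {}"
SAMPLE = " ".join(_E.format(s, "10.160.116.1")
                  for s in (19, 19, 19, 28, 28, 41))
SAMPLE += "\n" + _E.format(30, "203.0.113.7")

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

A source flagged `rfc1918` on the WAN side cannot have been routed across the Internet, which is why the replies here point at the ISP's own network rather than a remote host.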

It is used by a lot of people. Even Juno and GMail.

Juno mail:

----------
|Return-path:
|Received: from outbound-mail.nyc.untd.com (64.136.20.164) by aosake.net (Mercury/32 v4.01b) ID MG000061;
| 26 Mar 2005 23:56:44 -0800
|Received: from outbound21-sr.nyc.untd.com (webmail22.nyc.untd.com [10.141.27.162])
| by smtpout04.nyc.untd.com with SMTP id AABBEN352AJ3JG42
| for (sender );
| Sat, 26 Mar 2005 23:57:44 -0800 (PST)
|X-UNTD-OriginStamp: 1/KFAzrwXeMHnTzKqtZMficoFC8jV7WWN76Y0c5VbdtsS27VSO53rQ==

----------

GMail:

------
|Return-path:
|Received: from rproxy.gmail.com (64.233.170.202) by aosake.net (Mercury/32 v4.01b) with ESMTP ID MG000064;
| 27 Mar 2005 00:02:17 -0800
|Received: by rproxy.gmail.com with SMTP id 40so766467rnz
| for ; Sun, 27 Mar 2005 00:03:22 -0800 (PST)
|DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
| s=beta; d=gmail.com;
| h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
| b=XfV+izBZNU6dyHfnr/AS5CLBHzCQ0ghTi8SSb6DbHTCasAwxyaCLqYZ445yXdVZvvjzTA3HtRwfwQBFgVgN8Mtx/V1NaoNPNxBf5C2UyQbs3fM2X6VzQJzt+bIyU5sueAeR5guwJ9QE5TBHmPpXgFsXxVNY6UW7EfkK93RDRYGw=
|Received: by 10.38.206.25 with SMTP id d25mr895874rng;
| Sun, 27 Mar 2005 00:03:22 -0800 (PST)
|Received: by 10.38.206.24 with HTTP; Sun, 27 Mar 2005 00:03:22 -0800 (PST)
|Message-ID:

------

And what about my own mail client?

----------------------------------
|X-Apparently-To: ***@yahoo.co.jp via web3107.mail.bbt.yahoo.co.jp; Thu, 30 Jun 2005 16:48:34 +0900
|Return-Path:
|Received: from ylpvm53-ext.prodigy.net (EHLO ylpvm53.prodigy.net) (207.115.57.84)
| by mta20.mail.yahoo.co.jp with SMTP; Thu, 30 Jun 2005 16:48:33 +0900
|Received: from aosake.net (adsl-64-161-29-199.dsl.sntc01.pacbell.net [64.161.29.199])
| (authenticated bits=0)
| by ylpvm53.prodigy.net (8.12.10 auth mps linux/8.12.10) with ESMTP id j5U7mSjr030101;
| Thu, 30 Jun 2005 03:48:30 -0400
|Received: from Spooler by aosake.net (Mercury/32 v4.01b) ID MO00000E;
| 30 Jun 2005 00:48:29 -0700
|Received: from spooler by aosake.net (Mercury/32 v4.01b); 30 Jun 2005 00:48:16 -0700
|Received: from [192.168.102.100] (192.168.102.100) by aosake.net (Mercury/32 v4.01b) with ESMTP ID MG00000D;
| 30 Jun 2005 00:48:04 -0700
|Message-ID:

----------------------------------

It can be used by anybody who has a need. But it is blocked from use on the Internet by the BGP routers.

NormanM
