Amanda George
I use a network sniffer to monitor traffic on our office
LAN. I have seen 2 host PCs in my office communicating
w/ some strange IP addresses which don't resolve to DNS
addresses. Sometimes, both hosts communicate with the IP
address or one on the same subnet. When a host has a
conversation w/ these IP addresses, there is often a
large byte transfer on the network. These IPs use Port
80, and on the client-side, the host port varies from TCP
1192 to TCP 1883...anywhere in that range. The port
changes all the time. I have looked them up in the ARIN
who-is database to find related organization or business-
related info. Link:
http://www.webyield.net/domainquery.html . For example,
I will see a PC communicate with an IP address associated
with unknown.level3.net (63.210.62.86). Others I have
seen are 81.52.250.105, which relates to the RIPE
Coordination Centre when researched on the ARIN database,
and 208.254.0.31 which related to UUNet (which is related
to our data center). After running trace routes and doing
more research, some of these strange IPs relate to
akamai.com and sprintlink. Our company does not use any
Internet services from these companies, nor has any
connection to them. I have run a virus scan and a
spyware scan and made sure all critical security updates
were installed on one of the three PCs and the IP
addresses still appeared after all that. I can see the
IP addresses communicating with a host PC even while a
user is logged off, which leads me to believe the cause
doesn't relate to a user's internet activity. Is there a
way in XP to block this type of activity? How can I get
these IP addresses to disappear from our LAN? Please
advise, thank you.
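
An added example, not part of the original post: one way to attribute the port-80 connections described above to the process that owns them, by joining `netstat -ano` output with `tasklist /svc /fo csv /nh` output captured on the affected PC. The sample captures, local address, PIDs and process names are constructed for illustration; only the three remote IPs come from the post.

```python
import csv, io, re

WATCH = {"63.210.62.86", "81.52.250.105", "208.254.0.31"}  # IPs named in the post

# Constructed sample of `netstat -ano` output (local address and PIDs are made up).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1192      63.210.62.86:80        ESTABLISHED     1040
  TCP    192.168.1.20:1305      81.52.250.105:80       TIME_WAIT       0
  TCP    192.168.1.20:1883      208.254.0.31:80        ESTABLISHED     1712
  UDP    192.168.1.20:123       *:*                                    1040
"""
# Constructed sample of `tasklist /svc /fo csv /nh` output (names are hypothetical).
TASKLIST = '''"System Idle Process","0","N/A"
"System","4","N/A"
"svchost.exe","1040","ExampleSvc"
"example_agent.exe","1712","N/A"
'''

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\d+(?:\.\d+){3}):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (local_port, remote_ip, remote_port, state, pid) for IPv4 TCP rows."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lport, rip, rport, state, pid = m.groups()
            yield int(lport), rip, int(rport), state, int(pid)

def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from headerless CSV output."""
    rows = (r for r in csv.reader(io.StringIO(text)) if len(r) == 3)
    return {int(pid): (image, svcs) for image, pid, svcs in rows}

def attribute(netstat_text, tasklist_text, watch=WATCH):
    """Return one record per port-80 connection to a watched IP, with its owner."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for lport, rip, rport, state, pid in parse_netstat(netstat_text):
        if rip not in watch or rport != 80:
            continue
        if pid == 0:  # closed socket in TIME_WAIT: the owning process is no longer recorded
            owner = ("<unknown: socket already closed>", "N/A")
        else:
            owner = procs.get(pid, ("<unknown: process exited>", "N/A"))
        hits.append((rip, lport, state, pid) + owner)
    return hits

if __name__ == "__main__":
    for hit in attribute(NETSTAT, TASKLIST):
        print(hit)
```

When the owner is svchost.exe, the services column is what narrows it down, since several services share one PID. Both captures should be taken back to back, because a short-lived process can exit between them.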