IP address question

Hi.

Can anyone from +net advise what this ip address relates to please? Is it a machine on +net's own network? 212.159.13.50

Cheers.

*edit*

Duh. DNS, right? So how come this device is probing me on port 3389?

11 REPLIES

IP address question

After a quick look I have the following information

212.159.13.50 = pth-cdns-02.plus.net

Port 3389 is the MS WBT Server service.

However, the port is above 1024, which suggests it may not be an incoming attack, but a false positive.

The machine contacting you is one of the DNS servers PlusNet provides. If you are seeing messages about it, it may be your firewall complaining when it shouldn't.

Along with that port and address, there should be a second port number attached to the address of the PlusNet server. What number is this?

IP address question

The remote port is port 53, which I know is a port used by DNS. Not sure why it should be probing 3389 on my network though.

The firewall is not being over-sensitive, because the vast majority of incoming unsolicited connections will be discarded by my NAT router. I've got specific ports forwarded from that router (in this instance, port 3389 for remote desktop web access), with the software firewall set to accept connections only from specific IP addresses. It's alerting me because I've asked it to specifically alert me of attempted connections on this particular port :)

IP address question

Yuk, I have re-written this reply because it was ugly.

First off, this isn't an attack, but the way in which the internet works. Sometimes it will show as an attack, sometimes it won't. I will try to give an example here to show why it does.

You have to think of IP addresses as houses and offices. Each one has a unique address through which you can reach it.

Think of a port number as a member of that house or office.

When contacting a machine on the internet, you direct your traffic to a specific address and port, i.e., a specific person in the house.

The problem is, that machine/person needs to know who to reply to. As such, the data also holds a from address and port.

You could possibly just send the information back to the machine without a port, however, in machine life, nothing is simple, everything must have a specific target.

One reason would be when sending multiple requests from a single machine.

One computer may make two connections to a separate machine on the same port. One example would be sending an e-mail.

When the server responds to that person, how does your computer know which connection is which, unless each connection can be uniquely identified? The from port does this.

In your case, the response is coming into your machine on a port that your firewall is monitoring.

Normally, your computer shouldn't use a from port that is being listened to. However, there are two protocols, UDP and TCP. Your machine will likely be listening on TCP, but DNS queries usually operate on UDP.

You might like to try and set your computer to only monitor TCP traffic, and depending on your router, you can tell it only to forward TCP traffic (the SAR routers can).

Can you confirm if your firewall is noting a UDP or TCP attack? If it is UDP, then it is a simple case of your firewall being a little sensitive / user settings.

IP address question

acarr, thanks for taking the time to explain, but you're teaching your grandma to suck eggs here :)

I know how the internet works, and I understand what ports are used for, why we need them, and how they operate. The reason my firewall is catching these connections is because I understand this, and I specifically want to monitor activity on this port.

What I fail to understand, and am seeking an explanation for, is why a DNS server should be sending packets of any description to port 3389 (regardless of originating port). I'm sure there's a rational explanation. I'm not one of these paranoid people who thinks they're being subject to a hacking attempt every time their firewall hiccups. I don't think that it can be an echo as you suggest though, since that would mean that my PC would have originated a connection to DNS over port 3389 (which it has never felt a need to in the past!), or else DNS would not be replying on this port.

IP address question

It is arriving at port 3389 because your PC is telling it to.

As you understand (which you have now noted), your computer expects the reply to the query on the port it sends it from.

i.e.

YourPC sends DNS requests to PlusNet, to port 53, from port 3389.

PlusNet sends the reply to your system, to port 3389, from port 53.

This port is pulled out of the available ports in sequence starting at port 1024.

IP address question

Yes, I understand all this, but in order for Windows to be initiating a communication to DNS on port 3389, it would require that this port not be already in use by a running service, which in this case it is. I know Windows dynamically picks a port between 1024 and 5000, but only if there is not an active service running on this port.

Sooooooo...... it follows that since there is a running service on port 3389, this port is not available for Windows dynamic port allocation. This being the case, there is one of two possibilities. Either (a) +net DNS is originating an unsolicited connection to port 3389, or (b) the running service on port 3389 has initiated a connection to +net DNS. I'm open to the latter possibility, but this seems unlikely since this is a new phenomenon. However, I can set up my firewall to log all outgoing communication on that port, just to be certain.

IP address question

Yes, but is your firewall picking up UDP, TCP or both?

DNS queries, for the most part, are performed in UDP.

As an IP stack can listen on both UDP and TCP at the same time, but for different purposes, this may well be why you are seeing this.

IP address question

That would make sense. I had assumed that the fact that a TCP service was listening on 3389 would make it unavailable for UDP as well. Are you saying that this is not the case?

IP address question

I am trying to find out some of that now.

The TCP/IP stack in Windows 98 is obviously very different from that of XP, and the newer XP one, while based around *nix, is still different.

I won't pretend I understand the stack properly (hell, I have problems with some basic route details), but this may be along the right lines.

TCP and UDP are separate, as noted above, in the fact that two different services can use the same port, one on UDP, the other on TCP.

However, selection of ports as the from address may steer clear, though I suspect not; it may just keep it tied as TCP for TCP and UDP to UDP.

It depends how the lookup tables are referenced, stored and queried.

IP address question

Well, I think we're probably on the right track with this, as everything else seems pretty unlikely. I'm going to go and have a little googling and see what I can dig up. This one's got me puzzled now, although if UDP can allocate ports that are in use already by TCP, this may well explain a few past anomalies that I've never been able to get answers to.

IP address question

Hi,

UDP ports and TCP ports are effectively completely separate from each other, although they serve a similar purpose for each respective protocol.

You can easily have port xxxx doing one thing for TCP and something completely different for UDP, as UDP and TCP are independent of each other.

Services that are capable of using both TCP and UDP (such as DNS) will often use the same port number (53) for both protocols mainly for simplicity (and it helps my memory) - but this is not obligatory from the IP perspective.

Regards,
D'Essen
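An added Python example, written for this page and not posted by anyone in the thread, that models the situation discussed above on loopback: a TCP listener stands in for the remote desktop service on 3389, a toy UDP "resolver" stands in for the +net DNS server on 53, and a UDP query is sent from the TCP service's port number. Port numbers are chosen by the OS at run time and the query/reply payloads are constructed; it shows both that a UDP socket can bind alongside a TCP listener on the same port, and that the reply lands on whatever source port the query used.

```python
import socket

LOOPBACK = "127.0.0.1"


def demo_shared_port() -> dict:
    """Constructed demonstration of the thread's scenario.

    1. A TCP service listens on port P (the 'RDP' listener the firewall watches).
    2. A UDP resolver listens on port R (the 'DNS' server).
    3. A client UDP socket binds to the SAME port number P and sends a query
       to R. UDP and TCP port spaces are independent, so the bind succeeds.
    4. The resolver replies to the query's source address:port, so the reply
       arrives as UDP, dst port P, src port R: exactly what the firewall logged.
    """
    # Port 0 asks the OS for any free port, like ephemeral-port selection.
    tcp_service = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_service.bind((LOOPBACK, 0))
    tcp_service.listen(1)
    service_port = tcp_service.getsockname()[1]

    resolver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    resolver.bind((LOOPBACK, 0))
    resolver.settimeout(2)
    resolver_port = resolver.getsockname()[1]

    # The client's UDP source port deliberately reuses the TCP service's number;
    # the OS could just as well have picked it on its own as an ephemeral port.
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind((LOOPBACK, service_port))
    client.settimeout(2)

    # Query datagram carries src=service_port, dst=resolver_port.
    client.sendto(b"query example.com", (LOOPBACK, resolver_port))
    _query, (src_host, src_port) = resolver.recvfrom(512)

    # The resolver answers the source port it saw (192.0.2.1 is a documentation address).
    resolver.sendto(b"answer 192.0.2.1", (src_host, src_port))
    reply, (_reply_host, reply_port) = client.recvfrom(512)
    arrived_on = client.getsockname()[1]

    for sock in (tcp_service, resolver, client):
        sock.close()
    return {
        "service_port": service_port,        # TCP listener's port (the '3389')
        "resolver_port": resolver_port,      # UDP resolver's port (the '53')
        "query_seen_from_port": src_port,    # what the resolver saw as source
        "reply_from_port": reply_port,       # reply's source port
        "reply_arrived_on_port": arrived_on, # reply's destination port
        "reply": reply,
    }
```

Run `demo_shared_port()` and compare `query_seen_from_port` and `reply_arrived_on_port` with `service_port`: the reply reaches the UDP port with the same number the TCP service is still listening on.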