Hi, I've been fiddling with this for weeks now. Can't seem to sort it out. I had some Trojans on here. Apparently fixed them all. But now I have a serious issue with configuring the firewall and network. I will give details as follows.
I have a D-Link router DI-704UP. I have the router connected to a Motorola SURFboard SB5101i.
I have it set on DHCP. My PC's IP address is 192.168.0.114. The router's IP address is 192.168.0.1.
When I boot up the PC with no network zones it detects a new network.
New Private Network Detected! (my IP assigned by the router's DHCP) 192.168.0.114/255.255.255.0 (subnet mask)
Ok so that's ok, my PC and subnet mask. Then it pops up this.
New Private Network Detected! 169.254.206.4/255.255.0.0
I disallow this and obviously I'm here on the internet, right?
Why would there be 2?
Those 2 IPs have no association with any equipment I have connected here.
Last week I had some strange things going on, with svchost.exe in the firewall showing it connecting to these IPs and downloading large amounts of data when I didn't even have anything running. No auto update, blah blah, I have all that turned off. I have UPnP off, BITS off, no MS annoyance junk on, only basic services running.
All the IPs keep tracing to Level 3 Communications.
Because I left the PC on without turning off the internet it used up the rest of my data allowance in 24 hours.
2 GB. From these IPs connecting and downloading data like 16 MB and increasing.
I've seen a few reports of this on here but no one seems to answer what these IPs are and what they are doing.
I have scanned this thing from top to bottom with about 30 different things.
IP address: 169.254.206.4
Reverse DNS: [No reverse DNS entry per prisoner.iana.org.]
Reverse DNS authenticity: [Unknown]
ASN: 16559
ASN Name: REALCONNECT-01
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): *U [[Unknown]]
Country Currency: Unknown
Country IP Range: 128.0.0.0 to 255.255.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): – []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
What is this IP? I have AVG Anti-Spyware, AVG Anti-Virus, Spybot S&D, Malwarebytes Anti-Malware, SpywareBlaster.
DHCP gets & assigns the IP address (probably from the router) for your PC. Thus, 192.168.0.114 is immediately over-written with 169.254.206.4 because of the DHCP (this is why CFP detects 2 networks). They are both internal LAN IPs, 169.254.206.4 is not an Internet IP. I believe it's probably your router that is driving this.
Quick way… drop DHCP in favour of static IP addresses (not appropriate in all cases). This way you control what LAN IP a PC has.
Another way… all (most?) routers have some sort of control screen (usually accessed via your browser) in which the DHCP range can be defined & limited. Set the router's DHCP to limit the IPs it dispenses within a predetermined range (eg. 192.168.0.1 - 192.168.0.254). So, this would mean that all your LAN IPs reside on a single sub-net (eg. 192.168.0.x). Then create the appropriate Network Zone & rules within CFP or, once the DHCP has been assigned, run CFP's Stealth Port Wizard, which will detect the Network and create the necessary rules (if required).
If the default LAN IP on the PC (from the LAN card) falls within the same range as above, then all well & good. If it doesn’t, CFP is likely to detect 2 different Networks because of the 2 different IPs it was given. The default IP for the LAN card can be changed, but I think that it is tied to the OS. So, a reinstall (or, perhaps, disabling/enabling the LAN card) might bring this issue back.
I have researched this myself and the address space 169.254.0.0/16 is used when your box is unable to obtain an IP from your DHCP server. Here are a couple links (google for others):
I’m not sure what is causing your router to recognize both networks. I know when I’m travelling, sometimes my notebook has trouble obtaining an IP from the hotel’s DHCP, and CFP will detect a new network in the range 169.254.x.x. Might want to check the first link above on Zero Configuration Networking. That might reveal something…maybe a router setting.
Sorry, perhaps I was not clear. CFP detects 2 networks because, in effect, there are 2 networks (just not at the same time). PC boots, LAN card has default IP (which CFP detects as a network & prompts for if necessary - LAN1). Then DHCP kicks in & the LAN card's IP is reassigned (which, again, CFP detects as a network & prompts for if necessary - LAN2). This is how & why CFP is seeing 2 different Networks (LAN1 & LAN2).
Thanks for the replies.
Yes, in short, XP DHCP and the D-Link DHCP are both assigning IPs to the PC at the same time.
Ok so I've turned off DHCP on the router and in XP, and set static IPs. It no longer does the XP or D-Link DHCP.
So now I have it set up ok.
But this hasn't solved this mysterious connections to system processes problem.
This is what happens.
I set the process SYSTEM to only allow from my network zone in the network security policy.
And totally remove svchost from the rules in there.
ALG & EXPLORER aren't even in the network security policy.
I go to network security policy and SYSTEM is set to ALLOW ALL.
I didn’t set it.
SVCHOST is there saying ALLOW ALL. I didn't set it.
Then I have seen random IPs connecting in Comodo Firewall's view connections.
And in TCPView and in AVG Anti-Spyware.
Connecting to SYSTEM, ALG, SVCHOST, EXPLORER.
What I think this is.
Programs I'm using on here: Paltalk, MSN.
They ask for many rights on the PC from the Defense+.
When I allow them they change these network policies for these processes.
As for the mysterious Level 3 Communications IPs, I think it's the programs I'm allowing access on the PC. For example microsoft-ds, Microsoft download server, I see this in TCPView sitting there listening for connections.
The problem begins in the Defense+ section.
If you have the wrong processes under the wrong predefined policy then this can allow changes in the network policy. But some of the predefined policies aren't always going to make all of these processes secure enough.
These system processes can't be allowed complete access because they are exploitable.
If you set them to Windows System Application or Updater Application it allows all or most network activity.
It needs more tweaked rules for each because it makes them unsecured.
I'm going to leave Wireshark running while I'm away with nothing running to monitor what happens a bit better. But this still needs work.
What OS do you have? What Modes are CFP's Firewall & Defense+ in? The Mode might explain what you're seeing with regards to SVCHOST. Of course, as you probably know, SVCHOST isn't only used by Windows Update (WU), it can potentially be used by any Windows Service (that's its function). If you're trying to block WU you shouldn't really be looking at SVCHOST (unless you're going to restrict certain IPs), it's just the medium for WU. In general, blocking SVCHOST will break things & that is why CFP usually gives it unfettered access (Allow ALL).
I’m not sure what you mean by connections to ALG & EXPLORER. Can you give more detail?
AFAIK microsoft-ds isn’t MS Download Server, it’s MS Directory Services & it’s used by Windows File Sharing. You should not usually see external connections on this port (445). Since you’re using Wireshark, can you give PCAP examples of these connections?
What processes, specifically, cannot be allowed complete access because they are considered exploitable? Also you seem to be switching between CFP's Firewall & Defense+ (in logic terms & pre-defined policies) & inferring an exploitable connection between them. Can you expand on that please?
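Two points made in the replies above can be checked mechanically against a connection listing: 169.254.0.0/16 is the link-local (APIPA) range a Windows box falls back to when it gets no DHCP lease, so it never belongs to the 192.168.0.0/24 LAN zone, and port 445 (microsoft-ds, Windows File Sharing) should not be talking to hosts outside the LAN. The script below is an added example, not code from this thread or from Comodo; the TCPView-style lines are constructed, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation-range placeholders standing in for arbitrary Internet hosts.

```python
import ipaddress

# Constructed TCPView/netstat-style sample (columns: process, proto, local, remote, state).
# Not a real capture: 198.51.100.x and 203.0.113.x are placeholders for Internet hosts.
SAMPLE_CONNECTIONS = """\
System        TCP  192.168.0.114:445   192.168.0.1:50123    ESTABLISHED
System        TCP  192.168.0.114:445   198.51.100.23:4421   ESTABLISHED
svchost.exe   TCP  192.168.0.114:1029  203.0.113.7:80       ESTABLISHED
svchost.exe   TCP  169.254.206.4:1031  169.254.1.1:80       SYN_SENT
explorer.exe  TCP  192.168.0.114:1050  192.168.0.1:80       ESTABLISHED
"""

# Explicit range lists rather than ipaddress.is_private, which also treats the
# documentation ranges used in the sample as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA: self-assigned when no DHCP lease
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr):
    """Label an IPv4 address by the ranges that matter on a home LAN."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in LOOPBACK:
        return "loopback"
    return "external"


def same_subnet(addr, iface):
    """True when addr lies inside the subnet of an interface written as 'ip/netmask'."""
    return ipaddress.ip_address(addr) in ipaddress.ip_interface(iface).network


def parse_connections(text):
    """Parse whitespace-separated connection lines into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proc, proto, local, remote, state = parts
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        rows.append({"process": proc, "proto": proto, "state": state,
                     "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": int(rport)})
    return rows


def review(rows):
    """Return (process, reason) findings worth a closer look: SMB to an external
    host, or a local endpoint on an APIPA address (the DHCP lease never arrived)."""
    findings = []
    for r in rows:
        if 445 in (r["lport"], r["rport"]) and classify(r["raddr"]) == "external":
            findings.append((r["process"],
                             f"SMB (port 445) session with external host {r['raddr']}"))
        if classify(r["laddr"]) == "link-local":
            findings.append((r["process"],
                             f"local side {r['laddr']} is APIPA: no DHCP lease was obtained"))
    return findings


if __name__ == "__main__":
    # The poster's two addresses: one is on the LAN zone, the other is not.
    for addr in ("192.168.0.114", "169.254.206.4"):
        print(addr, classify(addr), "in 192.168.0.0/24:",
              same_subnet(addr, "192.168.0.114/255.255.255.0"))
    for proc, reason in review(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{proc}: {reason}")
```

Run it against a real `netstat -ano`-style listing by pasting the lines into SAMPLE_CONNECTIONS (after trimming to the five columns the parser expects); an external 445 finding is the kind of thing the last reply asks for a PCAP of, while an APIPA finding simply says the DHCP exchange with the router failed for that interface.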