
Teredo tunnelling from Microsoft


David Rance

Jul 31, 2014, 4:38:50 AM
For the last week or so I've been having port scans (the router has
reported scan flooding) from an IP address of 94.245.121.251:3544.

This address resolves to Darren Norman at Microsoft Ltd. Other names in
the whois are Allie Settlemyre and Bharat Ranjan. These all appear to be
genuine names working for Microsoft.

Port 3544 is used for teredo tunnelling (converts IPV6 to IPV4).

Questions:

1. Why are they doing this?

2. Why me?

3. Is anyone else having this attack?

David

--
David Rance writing from Caversham, Reading, UK

Tony

Jul 31, 2014, 7:49:15 AM
David Rance <david...@SPAMOFF.invalid> wrote on Thu, 31 Jul 2014 at
09:38:50:
>For the last week or so I've been having port scans (the router has
>reported scan flooding) from an IP address of 94.245.121.251:3544.
>
>This address resolves to Darren Norman at Microsoft Ltd. Other names in
>the whois are Allie Settlemyre and Bharat Ranjan. These all appear to
>be genuine names working for Microsoft.
>
>Port 3544 is used for teredo tunnelling (converts IPV6 to IPV4).
>
>Questions:
>
>1. Why are they doing this?
>
>2. Why me?
>
>3. Is anyone else having this attack?

3. Not me. The only port 3544 packet I've seen this month was a single
one from a Sony IP address.

BTW, that IP range is assigned to the UK.

The whois data includes an abuse email contact (probably the first name
you list), so a polite query there might work.

--
Tony

David Rance

Jul 31, 2014, 11:51:29 AM
Good idea. The packets come in for a couple of hours each morning. If
they continue I'll do as you suggest.

David Rance

Aug 4, 2014, 1:42:16 AM
On Thu, 31 Jul 2014 12:49:15 Tony wrote:

Unfortunately there doesn't appear to be any email address in the whois
data that I can complain to.

It's still going on. Happens for two hours at a time. From about 7 a.m.
on weekdays, and evenings at the weekend.

David Rance

Aug 4, 2014, 1:55:41 AM
Eventually found an email address: dan...@microsoft.com. Guess what? It
won't accept an email from me!

Tony

Aug 4, 2014, 3:54:47 AM
David Rance <david...@SPAMOFF.invalid> wrote on Mon, 4 Aug 2014 at
06:55:41:
>Eventually found an email address: dan...@microsoft.com. Guess what? It
>won't accept an email from me!

That's the address I spotted earlier. Ouch, what rejection message is
returned?

Try sending your complaint from an outlook.com address?!
--
Tony

David Rance

Aug 4, 2014, 5:13:26 AM
After some errors, it managed to send it.

Now I await a response! :-|

David Rance

Aug 5, 2014, 4:10:37 AM
On Mon, 4 Aug 2014 10:13:26 David Rance wrote:

>On Mon, 4 Aug 2014 08:54:47 Tony wrote:
>
>>David Rance <david...@SPAMOFF.invalid> wrote on Mon, 4 Aug 2014 at
>>06:55:41:
>>>Eventually found an email address: dan...@microsoft.com. Guess what?
>>>It won't accept an email from me!
>>
>>That's the address I spotted earlier. Ouch, what rejection message is
>>returned?
>>
>>Try sending your complaint from an outlook.com address?!
>
>After some errors, it managed to send it.
>
>Now I await a response! :-|

No response and the attacks continue!

Simon Clubley

Aug 5, 2014, 7:52:52 AM
Try contacting the Register; they may be able to put you in touch
with the right person.

Just be sure to make clear to the Register it's Microsoft themselves
and not just some random Windows box flooding you with junk.

Who knows - you might even get a story out of it.

Contact details:

http://www.theregister.co.uk/about/company/contact/

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

John Hall

Aug 5, 2014, 11:41:00 AM
In message <4CK0n6R9...@david.rance.org.uk>, David Rance
<david...@SPAMOFF.invalid> writes
You could try postm...@microsoft.com and/or ab...@microsoft.com. One
would like to think that at least one, if not both, of those addresses
would elicit a response.
--
John Hall Weep not for little Leonie
Abducted by a French Marquis!
Though loss of honour was a wrench
Just think how it's improved her French. Harry Graham (1874-1936)

Wm...

Aug 5, 2014, 3:35:56 PM
Tue, 5 Aug 2014 09:10:37 <4CK0n6R9...@david.rance.org.uk>
David Rance <david...@SPAMOFF.invalid> wrote...

[monster! attacks!]

>No response and the attacks continue!

I am sure you've thought about this by now but do you have any clue why
it might be you?

Had you been playing with Teredo tunnelling (never heard of it before
this thread) previous to the visitations or anything obvious?

--
Wm...

David Rance

Aug 6, 2014, 4:21:59 AM
On Tue, 5 Aug 2014 20:35:56 Wm... wrote:

>Tue, 5 Aug 2014 09:10:37 <4CK0n6R9...@david.rance.org.uk>
>David Rance <david...@SPAMOFF.invalid> wrote...
>
>[monster! attacks!]
>
>>No response and the attacks continue!
>
>I am sure you've thought about this by now but do you have any clue why
>it might be you?

No.

>Had you been playing with Teredo tunnelling (never heard of it before
>this thread) previous to the visitations or anything obvious?

No, not at all. In fact I hadn't heard of Teredo tunnelling before this,
either. I had to do a lookup for port 3544 and that's what the article
said it was used for. Teredo tunnelling (according to this article)
enables IPv6 systems to talk to IPv4 systems. It's just a temporary
thing until (at some time in the distant future) all systems have gone
over to IPv6.

It's the port number used by the sending system, and it's scanning my
ports just above and below 60,000.

I'm quite sure that this has nothing to do with it but it started soon
after some Microsoft employees (their UK base is in Reading) started
renting a house opposite ours!!

Anyhow, I've now stopped it by configuring my router to block anything
from that originating address and port number.

David Rance

Aug 6, 2014, 4:24:07 AM
On Tue, 5 Aug 2014 11:52:52 Simon Clubley wrote:

>On 2014-08-05, David Rance <david...@SPAMOFF.invalid> wrote:
>> On Mon, 4 Aug 2014 10:13:26 David Rance wrote:
>>
>>>On Mon, 4 Aug 2014 08:54:47 Tony wrote:
>>>
>>>>David Rance <david...@SPAMOFF.invalid> wrote on Mon, 4 Aug 2014 at
>>>>06:55:41:
>>>>>Eventually found an email address: dan...@microsoft.com. Guess what?
>>>>>It won't accept an email from me!
>>>>
>>>>That's the address I spotted earlier. Ouch, what rejection message is
>>>>returned?
>>>>
>>>>Try sending your complaint from an outlook.com address?!
>>>
>>>After some errors, it managed to send it.
>>>
>>>Now I await a response! :-|
>>
>> No response and the attacks continue!
>>
>
>Try contacting the Register; they may be able to put you in touch
>with the right person.
>
>Just be sure to make clear to the Register it's Microsoft themselves
>and not just some random Windows box flooding you with junk.
>
>Who knows - you might even get a story out of it.
>
>Contact details:
>
>http://www.theregister.co.uk/about/company/contact/

Thanks for that, Simon. That could well be useful - I hadn't heard of
them.

David Rance

Aug 6, 2014, 4:29:00 AM
On Tue, 5 Aug 2014 16:41:00 John Hall wrote:

>In message <4CK0n6R9...@david.rance.org.uk>, David Rance
><david...@SPAMOFF.invalid> writes
>>On Mon, 4 Aug 2014 10:13:26 David Rance wrote:
>>
>>>On Mon, 4 Aug 2014 08:54:47 Tony wrote:
>>>
>>>>David Rance <david...@SPAMOFF.invalid> wrote on Mon, 4 Aug 2014
>>>>at 06:55:41:
>>>>>Eventually found an email address: dan...@microsoft.com. Guess
>>>>>what? It won't accept an email from me!
>>>>
>>>>That's the address I spotted earlier. Ouch, what rejection message
>>>>is returned?
>>>>
>>>>Try sending your complaint from an outlook.com address?!
>>>
>>>After some errors, it managed to send it.
>>>
>>>Now I await a response! :-|
>>
>>No response and the attacks continue!
>
>You could try postm...@microsoft.com and/or ab...@microsoft.com. One
>would like to think that at least one, if not both, of those addresses
>would elicit a response.

I'll have to leave it for a month now as I'm going away, which is why
(as I said to Wm) I've blocked it at the router. However, I'll unblock
it when I get back and see if it's still going on. If it's being
monitored it probably won't be. I suspect it's being done manually as
it's usually for a couple of hours in the morning on weekdays (not
always at exactly the same time) and sometimes in the evening at
weekends.

David Rance

Aug 6, 2014, 5:29:26 AM
On Wed, 6 Aug 2014 09:21:59 David Rance wrote:

>Anyhow, I've now stopped it by configuring my router to block anything
>from that originating address and port number.

Oh, bog! It didn't work.

Cliff Frisby

Aug 6, 2014, 1:29:58 PM
David Rance wrote:

> On Tue, 5 Aug 2014 20:35:56 Wm... wrote:
>
>>Tue, 5 Aug 2014 09:10:37 <4CK0n6R9...@david.rance.org.uk>
>>David Rance <david...@SPAMOFF.invalid> wrote...
>>
>>[monster! attacks!]
>>
>>>No response and the attacks continue!
>>
>>I am sure you've thought about this by now but do you have any clue why
>>it might be you?
>
> No.
>
>>Had you been playing with Teredo tunnelling (never heard of it before
>>this thread) previous to the visitations or anything obvious?
>
> No, not at all. In fact I hadn't heard of Teredo tunnelling before this,
> either. I had to do a lookup for port 3544 and that's what the article
> said it was used for. Teredo tunnelling (according to this article)
> enables IPv6 systems to talk to IPv4 systems. It's just a temporary
> thing until (at some time in the distant future) all systems have gone
> over to IPv6.
>
> It's the port number used by the sending system, and it's scanning my
> ports just above and below 60,000.
>

Ah. When you mentioned the port number (3544) in your original post, I
thought it was odd that you had presented it as "94.245.121.251:3544", i.e.
in a way that suggested that 3544 was the source port rather than the
destination port. Nevertheless, I assumed you *must* have meant that these
packets were addressed *to* port 3544 on your host, for it to make sense.

But now you've blown a hole in that assumption. So the packets really are
originating from port 3544, and are addressed to high-numbered
(non-reserved) port numbers at your end.

In normal TCP/IP terms, this suggests very strongly that the Microsoft host
is running a server (possibly Teredo -- I'll take your word on that
association -- not checked myself, nor heard of it before), and that it is
merely responding to a client application running from *your* IP address.

Is that at all possible? Could a device on your LAN be initiating the
traffic?

> I'm quite sure that this has nothing to do with it but it started soon
> after some Microsoft employees (their UK base is in Reading) started
> renting a house opposite ours!!
>

Perhaps he's utilising your network to (try to) set up a Teredo tunnel to
his workplace!

Or perhaps someone else is.


David Rance

Aug 6, 2014, 2:23:46 PM
Not to my knowledge - there's nothing in the syslog.
>
>> I'm quite sure that this has nothing to do with it but it started soon
>> after some Microsoft employees (their UK base is in Reading) started
>> renting a house opposite ours!!
>>
>
>Perhaps he's utilising your network to (try to) set up a Teredo tunnel to
>his workplace!
>
>Or perhaps someone else is.

Hmmm, I never thought of that. I do have a wi-fi router. I could try
turning the wi-fi off when I don't need it. Most of my system uses wired
connections.

I have two ADSL lines. One uses a Draytek Vigor router and the other a
Thompson. The Thompson connects to the local network through a local IP
address to the Draytek. These packets are directed towards this IP
address and so I get

94.245.121.251:3544 -> 192.168.??.??:59898 (for instance).

So, if your suggestion is correct, the packets could be coming through a
wi-fi connection on the Vigor and are directed to the Thompson by its
local IP address.

I've checked allocated IP addresses on the Vigor router and there's no
connection there that I don't know about. But would the UDP packets need
to be connected via a DHCP allocated IP to get through?

Cliff Frisby

Aug 6, 2014, 4:51:07 PM
So the packets come from the outside world addressed (presumably) to
whatever public IP address is allocated to the 'Draytek' ADSL line.

If the Draytek then forwards such IP packets, on to any non-public address
in your hinterland (whether it be the Thompson router or anything else),
then I can only think of two reasons why that might be:

(1) The Draytek has been configured by some port-forwarding rule to do so.
This seems extremely unlikely as you would probably have made the rule
yourself for some reason, which leaves

(2) The Draytek has seen packets going in the other direction, i.e. *from*
192.168.??.??:59898 *to* 94.245.121.251:3544, and is operating normal NAT
functionality to make itself transparent to host 192.168.??.??

(A third possibility is a variant of (1) by some PnP mechanism. I understand
very, very little about how that works, but it seems no more likely to me
than vanilla (1), unless there is e.g. some gaming device running behind
the Thompson, accessing a Microsoft game server, in which case I would be
less sure.)

> So, if your suggestion is correct, the packets could be coming through a
> wi-fi connection on the Vigor and are directed to the Thompson by its
> local IP address.
>
> I've checked allocated IP addresses on the Vigor router and there's no
> connection there that I don't know about. But would the UDP packets need
> to be connected via a DHCP allocated IP to get through?

I don't think DHCP is relevant. If (2) above is the case, then the routing
through to 192.168.??.?? would be because 192.168.??.?? is where the
corresponding outgoing packets originated from, from the Draytek's p.o.v.
That would be true whether 192.168.??.?? had been dished out by DHCP or is
simply a fixed address.

What you could perhaps do is, rather than blocking the incoming packets
(which I assume you do at the Draytek firewall), try blocking outgoing ones
(anything *to* port 3544, UDP and TCP). See if the incoming ones then
magically disappear.

It'll be interesting to see what the eventual explanation is.


David Rance

Aug 6, 2014, 5:15:13 PM
I don't run any games on this system so it wouldn't be that.
>
>> So, if your suggestion is correct, the packets could be coming through a
>> wi-fi connection on the Vigor and are directed to the Thompson by its
>> local IP address.
>>
>> I've checked allocated IP addresses on the Vigor router and there's no
>> connection there that I don't know about. But would the UDP packets need
>> to be connected via a DHCP allocated IP to get through?
>
>I don't think DHCP is relevant. If (2) above is the case, then the routing
>through to 192.168.??.?? would be because 192.168.??.?? is where the
>corresponding outgoing packets originated from, from the Draytek's p.o.v.
>That would be true whether 192.168.??.?? had been dished out by DHCP or is
>simply a fixed address.

Yes, this address to the Thompson is, perforce, a fixed address
>
>What you could perhaps do is, rather than blocking the incoming packets
>(which I assume you do at the Draytek firewall), try blocking outgoing ones
>(anything *to* port 3544, UDP and TCP). See if the incoming ones then
>magically disappear.
>
>It'll be interesting to see what the eventual explanation is.

Thanks for those thoughts, Cliff. However, as I shall now be away for a
month I won't be able to do experimenting, but I will block any outgoing
packets to port 3544. Maybe, by the time I return, it will have stopped.

David Rance

Aug 7, 2014, 3:00:58 PM
In message <mstTc7qh...@david.rance.org.uk>, David Rance
<david...@SPAMOFF.invalid> writes
Before I left home I turned the wi-fi on the router off and blocked
outgoing packets to port 3544. Neither made any difference because I see
that the packets are coming in again this evening. That's now twice a
day!

Just for the record, this is what the router is reporting to me:

2014/08/07 19:43:50 -- [DOS][Block][port_scan]
[94.245.121.251:3544->192.168.???.???:32956][UDP]
[HLen=20, TLen=137]

where 192.168.???.??? is the fixed IP address for my two routers to
communicate with each other

David
--
David Rance writing from Le Mesnil Villement, Calvados, France
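A small triage script, added here as an example and not code from anyone in the thread or from Draytek, that parses log records in the three-line [DOS][Block] format quoted above and applies Cliff's NAT test: an inbound packet is a reply only if the router already holds an outbound mapping for the reverse flow. The sample records and the LAN address 192.168.1.2 (standing in for the 192.168.???.??? in the post) are constructed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

TEREDO_PORT = 3544  # UDP port Teredo servers listen on (RFC 4380)

# One record as the router printed it in the thread, joined onto a single line:
# 2014/08/07 19:43:50 -- [DOS][Block][port_scan] [94.245.121.251:3544->192.168.1.2:32956][UDP] [HLen=20, TLen=137]
RECORD_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -- "
    r"\[DOS\]\[(?P<action>[^\]]+)\]\[(?P<rule>[^\]]+)\]\s*"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]\[(?P<proto>\w+)\]\s*"
    r"\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]"
)
TS_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    rule: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tlen: int


def join_records(lines: Iterable[str]) -> List[str]:
    """The router wraps one event over several lines; a new record starts at a timestamp."""
    records: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record: str) -> Optional[Event]:
    m = RECORD_RE.search(record)
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["action"], m["rule"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"], int(m["tlen"]))


def parse_log(text: str) -> List[Event]:
    events = [parse_record(r) for r in join_records(text.splitlines())]
    return [e for e in events if e is not None]


# A NAT mapping as the Draytek would hold it after seeing an outbound packet:
# (lan_ip, lan_port, remote_ip, remote_port, proto)
Flow = Tuple[str, int, str, int, str]


def is_solicited(ev: Event, outbound: Set[Flow]) -> bool:
    """Inbound packet matching an existing outbound mapping is a reply, not unsolicited."""
    return (ev.dst, ev.dport, ev.src, ev.sport, ev.proto) in outbound


def summarise(events: List[Event], outbound: Set[Flow]) -> Dict[str, dict]:
    """Per-source view: volume, destination-port spread, Teredo source port,
    hour-of-day histogram (the morning/evening pattern) and how many were solicited."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    out = {}
    for src, evs in by_src.items():
        dports = sorted({e.dport for e in evs})
        out[src] = {
            "count": len(evs),
            "dport_min": dports[0],
            "dport_max": dports[-1],
            "distinct_dports": len(dports),
            "teredo_source_port": all(e.sport == TEREDO_PORT for e in evs),
            "hours": dict(Counter(e.ts.hour for e in evs)),
            "solicited": sum(is_solicited(e, outbound) for e in evs),
        }
    return out


# Constructed sample log: three Teredo-port records modelled on the one quoted in the thread
# plus one unrelated TCP record, to show the two are separated.
SAMPLE_LOG = """
2014/08/07 19:43:50 -- [DOS][Block][port_scan]
[94.245.121.251:3544->192.168.1.2:32956][UDP]
[HLen=20, TLen=137]
2014/08/07 19:43:51 -- [DOS][Block][port_scan]
[94.245.121.251:3544->192.168.1.2:59898][UDP]
[HLen=20, TLen=137]
2014/08/08 07:02:11 -- [DOS][Block][port_scan]
[94.245.121.251:3544->192.168.1.2:60012][UDP]
[HLen=20, TLen=137]
2014/08/08 07:05:40 -- [DOS][Block][port_scan]
[198.51.100.7:41000->192.168.1.2:22][TCP]
[HLen=20, TLen=60]
"""
# Constructed outbound flow table: only the first record has a matching mapping.
OUTBOUND: Set[Flow] = {("192.168.1.2", 32956, "94.245.121.251", 3544, "UDP")}

if __name__ == "__main__":
    for src, info in summarise(parse_log(SAMPLE_LOG), OUTBOUND).items():
        print(src, info)
```

A source whose packets all carry source port 3544, fan out over high destination ports and have no matching outbound mapping is the pattern the thread is chasing; a non-zero "solicited" count would instead point at a device on the LAN initiating the Teredo exchange.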

Cliff Frisby

Aug 7, 2014, 4:55:56 PM
David Rance wrote:

<snipped>

> Before I left home I turned the wi-fi on the router off and blocked
> outgoing packets to port 3544. Neither made any difference because I see
> that the packets are coming in again this evening. That's now twice a
> day!
>
> Just for the record, this is what the router is reporting to me:
>
> 2014/08/07 19:43:50 -- [DOS][Block][port_scan]
> [94.245.121.251:3544->192.168.???.???:32956][UDP]
> [HLen=20, TLen=137]

Correct me if I've misunderstood, but that's the Thompson router reporting
it, n'est-ce pas?

>
> where 192.168.???.??? is the fixed IP address for my two routers to
> communicate with each other

B-b-but, that address 192.168.???.??? wouldn't be present in the IP headers
of the packets received by the Draytek router on its WAN interface, so why
would the Draytek, having received those packets, unsolicited (if such they
are), choose to then address-translate and forward them to 192.168.???.???
in particular. It's baffling. The impossibility of it is a side-effect of
NAT that many users find quite comforting!

If you're not doing the outgoing block on destination port 3544, that's
where I would try doing it.

But actually, I think I would additionally block *anything* outbound to
94.245.121.251 (at the Draytek). I suspect that something on your network
is a willing participant in trying to set up a Teredo tunnel, or whatever
it is. I just can't see how those incoming packets could otherwise traverse
through your Draytek NAT router.

In your position, being as you are at a remote location, I would be tempted
to send off a few of these packets home (yours, not mine) myself, to see if
they get treated in exactly the same way regardless of the source address.

And finally, here's an interesting thing. I was just educating myself about
Teredo on Pikiwedia, and noticed the list of six public Teredo servers (the
intermediaries that putative Teredo peers sitting behind NAT routers are
supposed to use to subsequently establish their direct peer-to-peer
tunnels). One of those six is run by Microsoft, and its IP address resolves
to 94.245.121.253, which is different to, but incredibly close to,
your 'friend'. (And it, also, does not have a reverse DNS entry.)

That certainly suggests that the 'Teredo' angle is not a red herring. It
also suggests that 94.245.121.251 is not the intended peer for the tunnel.
It would be rather interesting to know what is, though.

For me, the key question is my first one: why are those incoming packets
traversing the Draytek, if they are unsolicited.




Cliff Frisby

Aug 7, 2014, 4:58:12 PM
I meant to say

> If you're not already doing the outgoing block on destination port 3544 in
the Draytek, that's

David Rance

Aug 8, 2014, 3:54:55 AM
In message <dEREv.46563$Fg7....@fx23.fr7>, Cliff Frisby
<spam...@scarpia.demon.co.uk> writes
>David Rance wrote:
>
><snipped>
>
>> Before I left home I turned the wi-fi on the router off and blocked
>> outgoing packets to port 3544. Neither made any difference because I see
>> that the packets are coming in again this evening. That's now twice a
>> day!
>>
>> Just for the record, this is what the router is reporting to me:
>>
>> 2014/08/07 19:43:50 -- [DOS][Block][port_scan]
>> [94.245.121.251:3544->192.168.???.???:32956][UDP]
>> [HLen=20, TLen=137]
>
>Correct me if I've misunderstood, but that's the Thompson router reporting
>it, n'est-ce pas?

It looks as though it should be but the Thompson isn't configured to
report DOS attacks (or anything else).
>
>>
>> where 192.168.???.??? is the fixed IP address for my two routers to
>> communicate with each other
>
>B-b-but, that address 192.168.???.??? wouldn't be present in the IP headers
>of the packets received by the Draytek router on its WAN interface, so why
>would the Draytek, having received those packets, unsolicited (if such they
>are), choose to then address-translate and forward them to 192.168.???.???
>in particular. It's baffling.

It certainly is. That's why I wondered if anyone here could shed light
on it. No other traffic has ever been redirected from the Draytek WAN
through to the Thompson. How would they have known about it? I use two
different ISPs for the two ADSL lines, thinking that, eventually, I
would ditch the Demon one so that I could cancel the other one. The
reason I haven't is that the line speed on the Thompson, which is also
my voice line, is not nearly as good as the other one. The Draytek line
was originally a bulletin board line.

If I were to switch the Thompson off, I suppose it would all stop.

>The impossibility of it is a side-effect of
>NAT that many users find quite comforting!
>
>If you're not doing the outgoing block on destination port 3544, that's
>where I would try doing it.
>
>But actually, I think I would additionally block *anything* outbound to
>94.245.121.251 (at the Draytek). I suspect that something on your network
>is a willing participant in trying to set up a Teredo tunnel, or whatever
>it is. I just can't see how those incoming packets could otherwise traverse
>through your Draytek NAT router.
>
>In your position, being as you are at a remote location, I would be tempted
>to send off a few of these packets home (yours, not mine) myself, to see if
>they get treated in exactly the same way regardless of the source address.
>
>And finally, here's an interesting thing. I was just educating myself about
>Teredo on Pikiwedia, and noticed the list of six public Teredo servers (the
>intermediaries that putative Teredo peers sitting behind NAT routers are
>supposed to use to subsequently establish their direct peer-to-peer
>tunnels). One of those six is run by Microsoft, and its IP address resolves
>to 94.245.121.253, which is different to, but incredibly close to,
>your 'friend'. (And it, also, does not have a reverse DNS entry.)

And 94.245.121.251 is also registered to Microsoft. Well, I suppose it
would be as they would have the whole block. Is someone at Microsoft
unofficially trying to set up a Teredo tunnel on my machine for the sake
of experimentation, I wonder? No, I'm just floundering.
>
>That certainly suggests that the 'Teredo' angle is not a red herring. It
>also suggests that 94.245.121.251 is not the intended peer for the tunnel.
>It would be rather interesting to know what is, though.
>
>For me, the key question is my first one: why are those incoming packets
>traversing the Draytek, if they are unsolicited.

Thanks for that info, Cliff. I was beginning to think I was imagining
it.

Incidentally, yesterday evening I had a concentrated bombardment of
these packets, as well as some in the morning. It's almost as though
whoever it is is reading me and knows I've gone away!

Paranoid? Me? Ha, ha!

Roy Brown

Aug 8, 2014, 6:03:15 AM
In message <sHlNHMDP...@david-laptop.rance.org.uk>, David Rance
<david...@SPAMOFF.invalid> writing at 08:54:55 in his/her local time
opines:-
>In message <dEREv.46563$Fg7....@fx23.fr7>, Cliff Frisby
><spam...@scarpia.demon.co.uk> writes
>>David Rance wrote:

(About Teredo)

I think you have a device that is trying to use IPv6, and it goes off to
the Microsoft server on ....253, and it replies to you on .....251,
trying to fulfil 'your' requests, and the process founders somehow.

You might want to run Zone Alarm, or some similar software firewall, on
any suspect devices, and see if anything is trying to call .....253 or
similar.

Or Wireshark, even.

When you get back, that is.

But if you still get the issue in France, then you've brought it with
you, whatever it is, which should narrow down the search :-).

--
Roy Brown 'Have nothing in your houses that you do not know to be
Kelmscott Ltd useful, or believe to be beautiful' William Morris

David Rance

Aug 8, 2014, 7:57:22 AM
In message <FJWKscvjBK5TFw+J@x.x>, Roy Brown
<Roy_now_fre...@acanthus.demon.co.uk> writes
>In message <sHlNHMDP...@david-laptop.rance.org.uk>, David Rance
><david...@SPAMOFF.invalid> writing at 08:54:55 in his/her local time
>opines:-
>>In message <dEREv.46563$Fg7....@fx23.fr7>, Cliff Frisby
>><spam...@scarpia.demon.co.uk> writes
>>>David Rance wrote:
>
>(About Teredo)
>
>I think you have a device that is trying to use IPv6, and it goes off
>to the Microsoft server on ....253, and it replies to you on .....251,
>trying to fulfil 'your' requests, and the process founders somehow.

Hmm, that sounds plausible.
>
>You might want to run Zone Alarm, or some similar software firewall, on
>any suspect devices, and see if anything is trying to call .....253 or
>similar.
>
>Or Wireshark, even.
>
>When you get back, that is.
>
>But if you still get the issue in France, then you've brought it with
>you, whatever it is, which should narrow down the search :-).

It is, or seems to be, confined to the routers. There's no suggestion
anywhere that one of the local IP addresses is involved, but I may be
wrong.

Two of my computers are still running in Reading as one of them is a
mail and web server. The other is the repository of my data files.

Wm...

Aug 8, 2014, 6:10:33 PM
Fri, 8 Aug 2014 12:57:22 <0Vurz6Ei...@david-laptop.rance.org.uk>
David Rance <david...@SPAMOFF.invalid> wrote...

>In message <FJWKscvjBK5TFw+J@x.x>, Roy Brown
><Roy_now_fre...@acanthus.demon.co.uk> writes
>>In message <sHlNHMDP...@david-laptop.rance.org.uk>, David Rance
>><david...@SPAMOFF.invalid> writing at 08:54:55 in his/her local
>>time opines:-
>>>In message <dEREv.46563$Fg7....@fx23.fr7>, Cliff Frisby
>>><spam...@scarpia.demon.co.uk> writes
>>>>David Rance wrote:
>>
>>(About Teredo)
>>
>>I think you have a device that is trying to use IPv6, and it goes off
>>to the Microsoft server on ....253, and it replies to you on .....251,
>>trying to fulfil 'your' requests, and the process founders somehow.
>
>Hmm, that sounds plausible.

I'm not convinced about that as the Wiki article says MS likes the
addresses to be very close (i.e. immediate) to each other rather than 2
apart.

Even if Roy's idea was good, it would need to be something inside your 4
address trying to contact a 6 address for this to make sense at all.

Most people don't need the 6 space (I don't and I am guessing most demon
subscribers don't either or they'll have bought something by now).

>>You might want to run Zone Alarm, or some similar software firewall,
>>on any suspect devices, and see if anything is trying to call .....253
>>or similar.
>>
>>Or Wireshark, even.

Ahem, I'm from the school of "wot my router saw" rather than the post
event and thought you were too, general you, me waves at Roy.

>>When you get back, that is.
>>
>>But if you still get the issue in France, then you've brought it with
>>you, whatever it is, which should narrow down the search :-).
>
>It is, or seems to be, confined to the routers. There's no suggestion
>anywhere that one of the local IP addresses is involved, but I may be
>wrong.

Just a curiosity for me now.

>Two of my computers are still running in Reading as one of them is a
>mail and web server. The other is the repository of my data files.

Those don't seem like 6 needy to me.

Happy hols, D
--
Wm...

Cliff Frisby

Aug 8, 2014, 6:21:37 PM
David Rance wrote:

> In message <dEREv.46563$Fg7....@fx23.fr7>, Cliff Frisby
> <spam...@scarpia.demon.co.uk> writes
>>David Rance wrote:
>>
>><snipped>
>>
>>> Before I left home I turned the wi-fi on the router off and blocked
>>> outgoing packets to port 3544. Neither made any difference because I see
>>> that the packets are coming in again this evening. That's now twice a
>>> day!
>>>
>>> Just for the record, this is what the router is reporting to me:
>>>
>>> 2014/08/07 19:43:50 -- [DOS][Block][port_scan]
>>> [94.245.121.251:3544->192.168.???.???:32956][UDP]
>>> [HLen=20, TLen=137]
>>
>>Correct me is I've misunderstood, but that's the Thompson router reporting
>>it, n'est-ce pas?
>
> It looks as though it should be but the Thompson isn't configured to
> report DOS attacks (or anything else).

Oh. It was the presence of the "192.168.???.???" in the report that fooled
me. It just seemed strange to me that the Draytek would apply the NAT
association prior to the blocking, but perhaps it's not so strange.

I might still have the wrong end of the stick regarding your topology. The
notion that your Thompson router has a route to the wider Internet via what
would normally be a LAN connection, in addition to via its normal ADSL
connection, makes my head spin. The corollary that exactly the same can
presumably be said of the Draytek router only serves to increase the
angular velocity.

I wouldn't make that inference. If the Microsoft machine is a Teredo server
(which seems highly likely from all the clues), its job is to facilitate
setting up a tunnel between you and some third party, AIUI.

I don't know what Thompson model you have, but a quick Google suggests that
at least some Thompson routers are Teredo-aware, such that (perhaps) they
can transparently provide IPv6 connectivity to local hosts even though the
ISP can only provide IPv4 connectivity.

It seems plausible that Microsoft, in addition to advertising a 'public'
Teredo server, also provides additional servers specifically to support the
manufacturers of smart devices which want to talk IPv6, and perhaps to
router manufacturers!

The fact that your Draytek thinks these Microsoft-Teredo packets, if it were
not blocking them, ought to be NAT'ed back to the internal IP address of
the Thompson router, does suggest strongly that it (the Draytek) already
saw some traffic from the Thompson addressed to the Teredo server. (But
then I wonder why it blocks them! And God only knows why the Thompson would
have sent them via that route in any case.)

I tend to discount the possibility that the packets arrived from the WAN
side with a destination address of 192.168.???.???. I just don't see how
it's possible without the connivance of Demon or BT or whatever. (Having
said that, I do vaguely remember detecting something like that myself
once...)

<snip>


Wm...

Aug 8, 2014, 7:12:48 PM
Fri, 8 Aug 2014 23:21:37 <x_bFv.53705$5n4....@fx06.fr7>
Cliff Frisby <spam...@scarpia.demon.co.uk> wrote...

>I wouldn't make that inference. If the Microsoft machine is a Teredo server
>(which seems highly likely from all the clues), its job is to facilitate
>setting up a tunnel between you and some third party, AIUI.
>
>I don't know what Thompson model you have, but a quick Google suggests that
>at least some Thompson routers are Teredo-aware, such that (perhaps) they
>can transparently provide IPv6 connectivity to local hosts even though the
>ISP can only provide IPv4 connectivity.
>
>It seems plausible that Microsoft, in addition to advertising a 'public'
>Teredo server, also provides additional servers specifically to support the
>manufacturers of smart devices which want to talk IPv6, and perhaps to
>router manufacturers!
>
>The fact that your Draytek thinks these Microsoft-Teredo packets, if it were
>not blocking them, ought to be NAT'ed back to the internal IP address of
>the Thompson router, does suggest strongly that it (the Draytek) already
>saw some traffic from the Thompson addressed to the Teredo server. (But
>then I wonder why it blocks them! And God only knows why the Thompson would
>have sent them via that route in any case.)
>
>I tend to discount the possibility that the packets arrived from the WAN
>side with a destination address of 192.168.???.???. I just don't see how
>it's possible without the connivance of Demon or BT or whatever. (Having
>said that, I do vaguely remember detecting something like that myself
>once...)

I'm reminded of a pre-talk film actor looking for his loved one and her
response.

It was a good idea at the time.

--
Wm...

Jim Crowther

Aug 8, 2014, 7:27:32 PM
In demon.service, on Fri, 8 Aug 2014 23:21:37, Cliff Frisby wrote:

>I don't know what Thompson model you have, but a quick Google suggests
>that at least some Thompson routers are Teredo-aware, such that
>(perhaps) they can transparently provide IPv6 connectivity to local
>hosts even though the ISP can only provide IPv4 connectivity.
>
>It seems plausible that Microsoft, in addition to advertising a
>'public' Teredo server, also provides additional servers specifically
>to support the manufacturers of smart devices which want to talk IPv6,
>and perhaps to router manufacturers!

The Thompson router I have at home in the UK, although badged as a
Technicolor TG582n, is fully IPv6 conversant - which is why A&A provide
it as standard. Anything on the network that can talk IPv6 usually does
it as preferential default, and the router gets its (native in my case)
IPv6 address space and passes it on. If used with an ISP such as Demon
which doesn't understand IPv6, then a 6to4 tunnel will be requested.

So it would only take one IPv6 device downstream of the Thompson to
provoke this behaviour. Indeed, the Thompson itself might ask for a
tunnel 'just in case'.

http://en.wikipedia.org/wiki/DHCPv6 etc, etc.

--
Jim Crowther

Cliff Frisby

Aug 9, 2014, 7:15:34 AM
That's the sort of thing I was hypothesising. The Draytek seems to think the
packets should have their destination address translated to the local
address of the Thompson. Unless we think the Thompson is itself in
turn 'NAT'ing other connected hosts onto that local address (doesn't seem
at all likely), then the fingers seem to point towards the Thompson as the
culprit (albeit DR has blocked any outgoing traffic with destination
port==Teredo, which immediately contradicts the hypothesis).

It seems bizarre, though, that the Thompson would ever try to communicate
with the wider Internet through the LAN interface, especially as it has a
perfectly good WAN interface (which obviously *isn't* behind a NAT
firewall, rendering Teredo overkill in any case).

There seems to be something very strange happening and I doubt we'll get any
closer to the truth without some more facts.


David Rance

Aug 9, 2014, 11:25:47 AM
In message <x_bFv.53705$5n4....@fx06.fr7>, Cliff Frisby
<spam...@scarpia.demon.co.uk> writes
>David Rance wrote:
>
>>>
>>>> Before I left home I turned the wi-fi on the router off and blocked
>>>> outgoing packets to port 3544. Neither made any difference because I see
>>>> that the packets are coming in again this evening. That's now twice a
>>>> day!
>>>>
>>>> Just for the record, this is what the router is reporting to me:
>>>>
>>>> 2014/08/07 19:43:50 -- [DOS][Block][port_scan]
>>>> [94.245.121.251:3544->192.168.???.???:32956][UDP]
>>>> [HLen=20, TLen=137]
>>>
>>>Correct me if I've misunderstood, but that's the Thompson router reporting
>>>it, n'est-ce pas?
>>
>> It looks as though it should be but the Thompson isn't configured to
>> report DOS attacks (or anything else).
>
>Oh. It was the presence of the "192.168.???.???" in the report that fooled
>me. It just seemed strange to me that the Draytek would apply the NAT
>association prior to the blocking, but perhaps it's not so strange.
>
>I might still have the wrong end of the stick regarding your topology. The
>notion that your Thompson router has a route to the wider Internet via what
>would normally be a LAN connection, in addition to via its normal ADSL
>connection, makes my head spin. The corollary that exactly the same can
>presumably be said of the Draytek router only serves to increase the
>angular velocity.

As far as I can see this shouldn't be possible.
I'm pretty sure it's a TG585 but I can't check at the moment. It's one
of the free ones sent out by Demon when you change your contract. It's
wi-fi but that's turned off.
>
>It seems plausible that Microsoft, in addition to advertising a 'public'
>Teredo server, also provides additional servers specifically to support the
>manufacturers of smart devices which want to talk IPv6, and perhaps to
>router manufacturers!
>
>The fact that your Draytek thinks these Microsoft-Teredo packets, if it were
>not blocking them, ought to be NAT'ed back to the internal IP address of
>the Thompson router, does suggest strongly that it (the Draytek) already
>saw some traffic from the Thompson addressed to the Teredo server. (But
>then I wonder why it blocks them!

It blocks them because of the flood of packets, but see below.

>I tend to discount the possibility that the packets arrived from the WAN
>side with a destination address of 192.168.???.???. I just don't see how
>it's possible without the connivance of Demon or BT or whatever.

No, I can't see that either.

Let me muse for a moment. Supposing a packet comes in from somewhere,
maybe it's from an IP address next to the one which is causing the flood
of packets. Suppose that packet is broadcast to the local network with
an enquiry about Teredo tunnelling (i.e. are you IPV6 compatible?).
Since the Thompson has an IP address on that local network, and if the
Thompson is IPV6 capable, then it would be the only thing on the local
network to be able to respond to an IPV6 query - and does so. That would
explain why the Draytek handles these packets for the Thompson on its
local network address. Thereafter it tries to find a suitable port on
which to communicate, but hasn't done so yet.

I'm not convinced of this scenario myself, but does anyone think it's
possible?

David Rance

Aug 9, 2014, 12:11:04 PM
I've discovered this article on Teredo tunnelling:

http://tinyurl.com/plezooe

Didn't realise it was included in Windows since Vista.

And yes, my computers appear to have a Teredo Tunnelling
Pseudo-Interface set up. Presumably the Thompson has a similar thing but
I've no idea whether the Draytek does.

Nix

Aug 11, 2014, 4:32:57 PM
On 9 Aug 2014, Jim Crowther outgrape:
> The Thompson router I have at home in the UK, although badged as a
> Technicolor TG582n, is fully IPv6 conversant - which is why A&A
> provide it as standard. Anything on the network that can talk IPv6
> usually does it as preferential default, and the router gets its
> (native in my case) IPv6 address space and passes it on. If used with
> an ISP such as Demon which doesn't understand IPv6, then a 6to4 tunnel
> will be requested.
>
> So it would only take one IPv6 device downstream of the Thompson to
> provoke this behaviour.

That would include any Windows box newer than XP -- i.e., any Windows
system new enough to have security support. Also MacOS X, Linux... you
name it, it's IPv6-ready by now.

--
NULL && (void)

Wm...

Aug 11, 2014, 5:05:48 PM
Mon, 11 Aug 2014 21:32:57 <877g2ed...@spindle.srvr.nix>
Nix <nix-ra...@esperi.org.uk> wrote...

>On 9 Aug 2014, Jim Crowther outgrape:
>> The Thompson router I have at home in the UK, although badged as a
>> Technicolor TG582n, is fully IPv6 conversant - which is why A&A
>> provide it as standard. Anything on the network that can talk IPv6
>> usually does it as preferential default, and the router gets its
>> (native in my case) IPv6 address space and passes it on. If used with
>> an ISP such as Demon which doesn't understand IPv6, then a 6to4 tunnel
>> will be requested.
>>
>> So it would only take one IPv6 device downstream of the Thompson to
>> provoke this behaviour.
>
>That would include any Windows box newer than XP -- i.e., any Windows
>system new enough to have security support.

Only if on, surely? I have XP and it is off.

> Also MacOS X, Linux... you
>name it, it's IPv6-ready by now.

Yeah, but, the incoming is new, surely?

It is possibly a reflected outgoing but the addresses are specific.

--
Wm...

David Rance

Aug 12, 2014, 2:42:19 AM
I haven't had an attack for five days now. I don't know whether it
stopped of its own accord or whether it was due to a tweak I made to the
firewall of the Draytek.

I suppose I could untweak it ....

Wm...

Aug 14, 2014, 12:55:35 PM
Tue, 12 Aug 2014 07:42:19 <vUX9jQCL...@david-laptop.rance.org.uk>
David Rance <david...@SPAMOFF.invalid> wrote...

>I haven't had an attack for five days now. I don't know whether it
>stopped of its own accord or whether it was due to a tweak I made to
>the firewall of the Draytek.
>
>I suppose I could untweak it ....

If you turned something off or on that wasn't more general I expect it
is that unless it was weirdly internal.

All:

Are we concluding this is a router specific thing or a bit of DavidR's
Win trying to escape to the world at large?

--
Wm...

David Rance

Aug 15, 2014, 11:52:51 AM
In message <SO1nyrFH...@tarrcity.demon.co.uk>, Wm...
<tcn...@tarrcity.demon.co.uk> writes

>Tue, 12 Aug 2014 07:42:19 <vUX9jQCL...@david-laptop.rance.org.uk>
>David Rance <david...@SPAMOFF.invalid> wrote...
>
>>I haven't had an attack for five days now. I don't know whether it
>>stopped of its own accord or whether it was due to a tweak I made to
>>the firewall of the Draytek.
>>
>>I suppose I could untweak it ....
>
>If you turned something off or on that wasn't more general I expect it
>is that unless it was weirdly internal.

Well, I've continued to experiment from remote and am getting strange
results.

I put a block in the firewall thus:

From any IP to any IP:3544 (this was to prevent the Draytek from sending
anything to port 3544). It worked! No more packets.

A day or so later I removed it. Result: a flood of the aforementioned
packets.

So I put it back in. Result: no more of the packets.

A conclusive result you might think. But no!

Yesterday, I got two lots:

2014/08/14 15:08:16 -- [DOS][Block][udp_RP_flood,
timeout=10][157.56.106.189:3544->192.168.???.???:60536][UDP][HLen=20,
TLen=137]

and

2014/08/14 15:08:24 -- [DOS][Block][udp_RP_flood,
timeout=10][94.245.121.253:3544->192.168.???.???:56649][UDP][HLen=20,
TLen=137]

This last is from 94.245.121.253 - that's the IP that Cliff mentioned!
The first one also belongs to Microsoft.

>All:
>
>Are we concluding this is a router specific thing or a bit of DavidR's
>Win trying to escape to the world at large?

Well, I think your last comment might have something in it because I got
a whole lot of this yesterday, too:

014/08/14 15:08:26 -- [DOS][Block][udp_RP_flood,
timeout=10][208.67.220.220:53->192.168.???.???:54098][UDP][HLen=20,
TLen=171]

208.67.220.220 is the DNS server that I use (OpenDNS) and port 53 is a
DNS port (as one would expect). So what on earth is the DNS server doing
trying to communicate with the Thompson router via the Draytek????

I've had this setup running now for five years. While I often get DOS
attacks, I've never had anything like this before!
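The log lines quoted above, parsed and classified the way a defender would read them. This is an added example, not Draytek's code nor anything posted in the thread; the sample log is constructed in the quoted format (masked 192.168.???.??? kept as written), and the 109-byte size of a Teredo qualification reply is derived from the message layout in RFC 4380.

```python
"""Parse Draytek [DOS][Block] log lines and say what the blocked packets
most plausibly are.  Added example, not Draytek's code nor anything from
the thread's posters; SAMPLE_LOG is constructed in the quoted format."""
import re
from collections import Counter, defaultdict

# Well-known source ports that appear in the thread's log lines.
KNOWN_SOURCE_PORTS = {3544: "teredo", 53: "dns"}

# UDP payload size of a Teredo qualification reply from a server (RFC 4380
# section 5.2.2): IPv6 header 40 + Router Advertisement 16 + Prefix
# Information option 32, plus an 8-byte origin indication and a 13-byte
# authentication header with empty client ID and authentication value.
TEREDO_QUALIFICATION_REPLY_LEN = 40 + 16 + 32 + 8 + 13   # = 109

UDP_HEADER_LEN = 8

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -- "
    r"\[DOS\]\[(?P<action>\w+)\]\[(?P<reason>[^\]]*)\]"
    r"\[(?P<src>[\d.?]+):(?P<sport>\d+)->(?P<dst>[\d.?]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]\[HLen=(?P<hlen>\d+), TLen=(?P<tlen>\d+)\]$"
)

# Constructed sample, modelled on the lines quoted in the thread.  The
# second entry is deliberately wrapped the way a mail client wraps it.
SAMPLE_LOG = """\
2014/08/07 19:43:50 -- [DOS][Block][port_scan][94.245.121.251:3544->192.168.???.???:32956][UDP][HLen=20, TLen=137]
2014/08/14 15:08:16 -- [DOS][Block][udp_RP_flood,
timeout=10][157.56.106.189:3544->192.168.???.???:60536][UDP][HLen=20,
TLen=137]
2014/08/14 15:08:24 -- [DOS][Block][udp_RP_flood, timeout=10][94.245.121.253:3544->192.168.???.???:56649][UDP][HLen=20, TLen=137]
2014/08/14 15:08:26 -- [DOS][Block][udp_RP_flood, timeout=10][208.67.220.220:53->192.168.???.???:54098][UDP][HLen=20, TLen=171]
"""


def join_wrapped(text):
    """Re-join log entries that were wrapped onto several lines in a post."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_line(line):
    """Return the fields of one log entry as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "tlen"):
        rec[key] = int(rec[key])
    rec["service"] = KNOWN_SOURCE_PORTS.get(rec["sport"], "other")
    return rec


def udp_payload_len(rec):
    """UDP payload size implied by the logged IP header and total lengths."""
    return rec["tlen"] - rec["hlen"] - UDP_HEADER_LEN


def classify(rec):
    """Label one blocked packet from a defender's point of view.

    A well-known source port with an unprivileged destination port has the
    shape of a reply to something an inside host sent, not of a scan; a
    Teredo packet of exactly the qualification-reply size is the server
    answering a client's Router Solicitation.
    """
    if rec["proto"] != "UDP" or rec["service"] == "other" or rec["dport"] <= 1023:
        return "unsolicited-or-unknown"
    if rec["service"] == "teredo" and udp_payload_len(rec) == TEREDO_QUALIFICATION_REPLY_LEN:
        return "teredo-qualification-reply"
    return f"{rec['service']}-reply"


def analyse(text):
    """Parse every entry in `text` and count classifications per source IP."""
    records = [r for r in (parse_line(e) for e in join_wrapped(text)) if r]
    per_source = defaultdict(Counter)
    for rec in records:
        per_source[rec["src"]][classify(rec)] += 1
    return records, {src: dict(c) for src, c in per_source.items()}


if __name__ == "__main__":
    for src, counts in analyse(SAMPLE_LOG)[1].items():
        print(src, counts)
```

Packets that classify as replies point at NAT state created by an inside host (here the Thomson) rather than at an external scan, which is the question to settle before reporting the source to an abuse contact.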

Andy

Aug 15, 2014, 2:31:09 PM
In message <6sA4d9FT...@david-laptop.rance.org.uk>, David Rance
<david...@SPAMOFF.invalid> wrote
[]
>
>I've had this setup running now for five years. While I often get DOS
>attacks, I've never had anything like this before!
>
Wild idea... could Thompson or Draytek have remotely updated the
software of their router?
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

David Rance

Aug 15, 2014, 3:05:11 PM
In message <Q+x3lvIt...@kitzbuhel.demon.co.uk>, Andy
<an...@kitzbuhel.demon.co.uk> writes
>In message <6sA4d9FT...@david-laptop.rance.org.uk>, David Rance
><david...@SPAMOFF.invalid> wrote
>[]
>>
>>I've had this setup running now for five years. While I often get DOS
>>attacks, I've never had anything like this before!
>>
>Wild idea... could Thompson or Draytek have remotely updated the
>software of their router?

Dunno about Thompson, but I did update the Draytek firmware a few months
ago. The Thompson was a free offering from Demon. The Draytek I bought
independently.

David Rance

Sep 12, 2014, 5:11:38 AM
Well, I've been back a week and the problem still exists. I've examined
all the possible culprits: Draytek and Thomson routers, and two
computers running Windows 8. One is used as a mail server and the other
I call my work computer.

I'm getting only an occasional flood to a Teredo port now, but I'm
getting a constant flood of packets to the OpenDNS server whenever I use
Firefox on my work computer. If I use Firefox on my server computer
there is no problem.

You may remember that, if the Thomson computer (which is seen as
192.168.???.??? by the Draytek computer on its WAN2 interface) is
plugged in to the Draytek, then the DNS packets are routed to the
Thomson at the above address. Presumably this is "load sharing". If the
Thomson isn't plugged in to the Draytek then it tries to send the DNS
packets to the WAN address for the Draytek, i.e. it tries to send them
to itself!

Coupled with this, every 24 hours or so, Firefox starts up on its own
and displays a page from a spurious address which advertises updates to
Windows 8.1 (among other things). I've googled for this problem and
found that others have had a similar problem but I haven't yet had time
to go into it further.

Reluctantly I think I'm going to have to admit that my work computer has
some kind of infection and now I have to decide how to deal with it. How
humiliating! This is the first time in twenty-five years that this has
happened to me. What did I click on to invite this malware into my
system???

To cap it all, just so that I could protect my Draytek from
interference, I changed the password while I was in France. I checked
that it worked after I'd changed it. Now another humiliating confession.
I just haven't a clue what that password is!!!!

David

--
David Rance writing from Caversham, Reading, UK

J. P. Gilliver (John)

Sep 13, 2014, 7:25:53 AM
In message <TY7exOxK...@david.rance.org.uk>, David Rance
<david...@SPAMOFF.invalid> writes:
[]
>Coupled with this, every 24 hours or so, Firefox starts up on its own
>and displays a page from a spurious address which advertises updates to
>Windows 8.1 (among other things). I've googled for this problem and
>found that others have had a similar problem but I haven't yet had time
>to go into it further.
[]
(I've snipped the rest as I can't help there.) "Firefox starting up on
its own" just means - assuming it's the default browser on the machine
involved - that something is opening a web link. Sorry if you knew that
- I just mean that it isn't Firefox that's at fault. (Much like
rundll.exe - I think that's the name - is often the apparent culprit
process when you look at Task Manager to see what's eating CPU time;
rundll just gets _called_ to, er, run DLLs.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

No sense being pessimistic. It wouldn't work anyway.
- Penny Mayes, UMRA, 2014-August

David Rance

Sep 13, 2014, 1:06:55 PM
On Sat, 13 Sep 2014 12:25:53 J. P. Gilliver (John) wrote:

>In message <TY7exOxK...@david.rance.org.uk>, David Rance
><david...@SPAMOFF.invalid> writes:
>[]
>>Coupled with this, every 24 hours or so, Firefox starts up on its own
>>and displays a page from a spurious address which advertises updates
>>to Windows 8.1 (among other things). I've googled for this problem and
>>found that others have had a similar problem but I haven't yet had
>>time to go into it further.
>[]
>(I've snipped the rest as I can't help there.) "Firefox starting up on
>its own" just means - assuming it's the default browser on the machine
>involved - that something is opening a web link. Sorry if you knew that
>- I just mean that it isn't Firefox that's at fault. (Much like
>rundll.exe - I think that's the name - is often the apparent culprit
>process when you look at Task Manager to see what's eating CPU time;
>rundll just gets _called_ to, er, run DLLs.)

Firefox (yes, it is the default browser) usually loads a couple of pages
about once a day (but not every day). Today's pages were reimageplus.com
which advertises a rather genuine looking Microsoft repair page (but
obviously isn't because the URL isn't microsoft.com). The other page was
lpmxp1088.com.

Googling for these suggests that they may be genuine or they may be
malware, or pointing to malware. As long as I don't click on them I
don't think they'll infect the computer. But I just wish that I could
stop such pages from appearing daily.

I'm wondering if this is related to the Teredo and DNS flooding that's
going on. They started at about the same time.

Martin Brown

Sep 15, 2014, 6:52:54 AM
On 13/09/2014 18:06, David Rance wrote:
> On Sat, 13 Sep 2014 12:25:53 J. P. Gilliver (John) wrote:
>
>> In message <TY7exOxK...@david.rance.org.uk>, David Rance
>> <david...@SPAMOFF.invalid> writes:
>> []
>>> Coupled with this, every 24 hours or so, Firefox starts up on its own
>>> and displays a page from a spurious address which advertises updates
>>> to Windows 8.1 (among other things). I've googled for this problem
>>> and found that others have had a similar problem but I haven't yet
>>> had time to go into it further.
>> []
>> (I've snipped the rest as I can't help there.) "Firefox starting up
>> on its own" just means - assuming it's the default browser on the
>> machine involved - that something is opening a web link. Sorry if you
>> knew that - I just mean that it isn't Firefox that's at fault. (Much
>> like rundll.exe - I think that's the name - is often the apparent
>> culprit process when you look at Task Manager to see what's eating CPU
>> time; rundll just gets _called_ to, er, run DLLs.)
>
> Firefox (yes, it is the default browser) usually loads a couple of pages
> about once a day (but not every day). Today's pages were reimageplus.com
> which advertises a rather genuine looking Microsoft repair page (but
> obviously isn't because the URL isn't microsoft.com). The other page was
> lpmxp1088.com.

Something else lurking on your PC is telling it to go get those URLs.
>
> Googling for these suggests that they may be genuine or they may be
> malware, or pointing to malware. As long as I don't click on them I
> don't think they'll infect the computer. But I just wish that I could
> stop such pages from appearing daily.

My instinct would be that there is something slightly malevolent already
on the machine that is spontaneously firing up Firefox.

I'd be inclined to run a deep AV scan with its own AV product and then
something like Malwarebytes downloaded by another trusted machine.
>
> I'm wondering if this is related to the Teredo and DNS flooding that's
> going on. They started at about the same time.
>
> David

I suspect something on the inside trying to do ET phone home.

--
Regards,
Martin Brown

David Rance

Sep 15, 2014, 1:29:27 PM
On Mon, 15 Sep 2014 11:52:54 Martin Brown wrote:

>On 13/09/2014 18:06, David Rance wrote:
>>
>> Firefox (yes, it is the default browser) usually loads a couple of pages
>> about once a day (but not every day). Today's pages were reimageplus.com
>> which advertises a rather genuine looking Microsoft repair page (but
>> obviously isn't because the URL isn't microsoft.com). The other page was
>> lpmxp1088.com.
>
>Something else lurking on your PC is telling it to go get those URLs.
>>
>> Googling for these suggests that they may be genuine or they may be
>> malware, or pointing to malware. As long as I don't click on them I
>> don't think they'll infect the computer. But I just wish that I could
>> stop such pages from appearing daily.
>
>My instinct would be that there is something slightly malevolent
>already on the machine that is spontaneously firing up Firefox.

Had another two pages appear today: delivery67.com and tuneuppro.com. If
I google for these sites then I get pages which tell me that the purpose
of the nasty is to notch up hits for these sites.
>
>I'd be inclined to run a deep AV scan with its own AV product and then
>something like Malwarebytes downloaded by another trusted machine.

I've seen Malwarebytes referred to elsewhere but was waiting for someone
reliable (i.e. here!) to recommend it. I'll try it.

Jim Crowther

Sep 15, 2014, 2:30:23 PM
In demon.service, on Mon, 15 Sep 2014 18:29:27, David Rance wrote:

>I've seen Malwarebytes referred to elsewhere but was waiting for
>someone reliable (i.e. here!) to recommend it. I'll try it.

It is absolutely recommended. Download, install, *update* then run it.

--
Jim Crowther

Martin Brown

Sep 15, 2014, 3:12:06 PM
ISTR it has a chameleon mode for running on already compromised kit.

I have only had to use it once or twice in anger on clients' kit.

--
Regards,
Martin Brown

John Hall

Sep 15, 2014, 3:52:37 PM
In message <qZxP$nE$AzFU...@nospam.at.my.choice.of.UID.invalid>, Jim
Crowther <Don't_bo...@blackhole.do-not-spam.me.uk> writes
Thanks for the recommendation (even though it was aimed at David).
Previously I've been using Spybot's Search & Destroy, but following your
recommendation I looked up Malwarebytes on Wikipedia. I especially liked
the sound of its "Chameleon" feature, so I've just downloaded the free
version and done my first scan with it. No malware found, I'm pleased to
say. I was impressed by how fast it was. Search & Destroy would take far
longer to do a scan.
--
John Hall

"I am not young enough to know everything."
Oscar Wilde (1854-1900)

David Rance

Sep 15, 2014, 5:43:10 PM
I, too, have followed the recommendation and installed the free version
of Malwarebytes. Like you, John, I've previously used Search and
Destroy. I've done my first scan and it came up with fourteen warnings:
eleven files, two folders and a registry entry. I've quarantined all of
them.

One of the file entries was interesting. I downloaded a manual for a
Panasonic item - I think it was a breadmaker - but I had downloaded it
from mypdfmanuals.com, not from Panasonic. Malwarebytes didn't like it!
I wonder if that's where the infection is from that's causing FF to load
spontaneously. We'll see.....

Simon Clubley

Sep 16, 2014, 3:42:05 PM
On 2014-09-15, Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:
>
> My instinct would be that there is something slightly malevolent already
> on the machine that is spontaneously firing up Firefox.
>
> I'd be inclined to run a deep AV scan with its own AV product and then
> something like Malwarebytes downloaded by another trusted machine.

I've encountered malware which can hide itself within Windows
sufficiently deeply I could not be sure a PC really was clean.

What I now do these days as a result is to use one of the free bootable
CD/DVDs available from some of the AV vendors. These are bootable
self-contained Linux live CD/DVDs which boot directly into the vendor's
AV scanner and as a result the virus never gets a chance to run.

No recommendations as you may need to try out several of them if it's
something really tricky you have picked up.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

Simon Clubley

Sep 16, 2014, 3:56:35 PM
On 2014-09-16, Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>
> No recommendations as you may need to try out several of them if it's
> something really tricky you have picked up.
>

There is _one_ operational recommendation however.

Make sure you use the built-in option to bring the AV database version
on the bootable disk up to date before you commence a scan. These disks
are released infrequently so the pre-packaged AV database will rapidly
go out of date.

Martin Brown

Sep 16, 2014, 4:12:13 PM
On 16/09/2014 20:56, Simon Clubley wrote:
> On 2014-09-16, Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>>
>> No recommendations as you may need to try out several of them if it's
>> something really tricky you have picked up.
>
> There is _one_ operational recommendation however.
>
> Make sure you use the built-in option to bring the AV database version
> on the bootable disk up to date before you commence a scan. These disks
> are released infrequently so the pre-packaged AV database will rapidly
> go out of date.

Although usually isolating the suspect machine from the internet for a
week and waiting for a fresh build of the CD/DVD will ensure that the
countermeasures are up to date compared to the hostile. You do need a
recent build to stand any chance at all. The AV game is fast moving.

If you get hit by a zero day exploit you basically have to wait for the
antivirus guys to dissect it and find a way to take it down cleanly.

There are some worrying new exploits using USB memory stick drivers too.

Although I sometimes think some AV nagware is almost as bad as the
malevolent code it is supposed to be protecting us from. YMMV

--
Regards,
Martin Brown

Simon Clubley

Sep 16, 2014, 4:40:36 PM
On 2014-09-16, Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:
>
> There are some worrying new exploits using USB memory stick drivers too.
>

Unless there's a new variant I have not yet come across, that's due
to the infected USB device re-enumerating itself as something like
a HID or communications device so the USB mass storage device drivers
are not involved.

One possible countermeasure is for the host OS to detect when the
topology of the USB network has changed and to list what the OS
thinks is the new device (along with any device it thinks has dropped
off the USB network) and wait for user confirmation.

As this would be done during device enumeration, the host OS would not
attach the (apparently new) device to a host device driver until
confirmation was received from the user.

> Although I sometimes think some AV nagware is almost as bad as the
> malevolent code it is supposed to be protecting us from. YMMV
>

You will _NOT_ get any argument from me on _that_ one. :-(

J. P. Gilliver (John)

Sep 15, 2014, 5:47:30 PM
In message <byzRv.325202$an2.1...@fx09.am4>, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> writes:
>On 13/09/2014 18:06, David Rance wrote:> On Sat, 13 Sep 2014 12:25:53
>J. P. Gilliver (John) wrote:

Actually, I wrote the "I've snipped" paragraph. _Somebody's_ attribution
software isn't working properly.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

You can think I'm wrong, but that's no reason to stop thinking. - Dr. Gregory
House (TV character), quoted in Radio Times 1-7/3/2008

Richard_C

Sep 17, 2014, 12:59:18 PM
Another thanks for Malwarebytes recommendation, downloaded and updated
very quickly and scan run during my lunchtime peanut butter sandwich break.

No malware, pleasing especially as since Win 8.0 and now with 8.1 I have
only used the built in windows defender plus whatever firewall my router
came with.

Interesting if worrying article in Guardian Tech today, poor wifi
printer security as a back door.

http://www.theguardian.com/technology/2014/sep/15/hackers-doom-printer-canon-security

David Rance

Sep 21, 2014, 4:56:22 PM
As I said a few days ago, I did that. I quarantined everything that it
threw up and ...... Firefox has stopped loading itself and displaying
doubtful web pages every day!

Thanks, Jim.

Jim Crowther

Sep 21, 2014, 10:33:32 PM
In demon.service, on Sun, 21 Sep 2014 21:56:22, David Rance wrote:

>On Mon, 15 Sep 2014 11:30:23 Jim Crowther wrote:
>
>>In demon.service, on Mon, 15 Sep 2014 18:29:27, David Rance wrote:
>>
>>>I've seen Malwarebytes referred to elsewhere but was waiting for
>>>someone reliable (i.e. here!) to recommend it. I'll try it.
>>
>>It is absolutely recommended. Download, install, *update* then run it.
>
>As I said a few days ago, I did that. I quarantined everything that it
>threw up and ...... Firefox has stopped loading itself and displaying
>doubtful web pages every day!

I'm glad your 'wobblies' are resolved. ;)

--
Jim Crowther