Router reporting odd attack seemingly from ntl
23-03-2006, 13:52
|
#1
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Router reporting odd attack seemingly from ntl
Hi all
Wondering if any of you guys can shed some light on this for me.
Monday my router began reporting RIP v1 attacks every 5 seconds. It reported 2 addresses, 86.2.142.1 and 10.133.88.1, both from WAN inbound.
Now, looking on the net for this problem I've found diddly, and ntl tech support were less than helpful, or rather the person I spoke to didn't seem to understand the problem I was describing, but did confirm the first address belonged to ntl. Anyone tell me more about this? Below is the text from my router:
03/23/2006 13:34:47 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:47 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:42 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:42 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:37 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:37 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:33 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:33 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
Thanks in advance for any light shed on this.
|
|
|
23-03-2006, 14:10
|
#2
|
Inactive
Join Date: Oct 2003
Location: East Midlands
Age: 47
Services: Rural BB - Radio Link via Virgin Fibre
Posts: 2,947
|
Re: Router reporting odd attack seemingly from ntl
This is most likely harmless traffic: http://www.iss.net/security_center/a...20/default.htm
|
|
|
23-03-2006, 14:15
|
#3
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
It is RIP advertising, an old routing protocol, unlikely to be used by ntl core, but possibly coming from someone broadcasting it on their network. Harmless traffic as if you're not running RIP V1 nothing will answer it.
|
|
|
23-03-2006, 14:18
|
#4
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
It is the fact that it's occurring every 5 seconds and has been going on for the last 3 days that's unusual. Also, if I tracert www.ntl.com it goes through the 10.133.88.1 address. Is that just a local ntl address?
|
|
|
23-03-2006, 14:21
|
#5
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
10.x.x.x addressing is private addressing that is not routable on the internet. Can you publish the trace you have?
|
|
|
23-03-2006, 14:26
|
#6
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
Sure, here's the report (though this is to ntlworld.com, not ntl.com):
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\****>tracert www.ntlworld.com
Tracing route to www.ntlworld.com [212.250.162.47]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms . [192.168.*.*]
2 9 ms 11 ms 11 ms 10.133.88.1
3 23 ms 16 ms 9 ms midd-t2cam1-a-v106.inet.ntl.com [213.106.238.37]
4 11 ms 10 ms 9 ms midd-t2core-a-ge-wan62.inet.ntl.com [213.106.237.37]
5 10 ms 11 ms 11 ms lee-bb-a-so-130-0.inet.ntl.com [62.253.187.89]
6 15 ms 18 ms 25 ms nth-bb-b-so-000-0.inet.ntl.com [62.253.185.101]
7 19 ms 17 ms 17 ms pop-bb-a-so-100-0.inet.ntl.com [213.105.172.14]
8 18 ms 18 ms 17 ms win-bb-b-so-500-0.inet.ntl.com [62.253.185.202]
9 19 ms 17 ms 36 ms win-dc-b-v900.inet.ntl.com [62.253.188.166]
10 22 ms 21 ms 22 ms www.ntlworld.com [212.250.162.47]
Trace complete.
|
|
|
23-03-2006, 14:42
|
#7
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
This is showing your network too, the 192.168.2.1 is private addressing on your network, the 10.133.88.1 is likely to be your internet gateway at your site, nothing to do with ntl.
|
|
|
23-03-2006, 14:47
|
#8
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
Hmm, so why would my router be reporting a RIP problem with this address? I can't find any mention of this within my router settings, and the problem persists even when all PCs are disconnected from the router. I'm finding the whole thing a bit odd.
Just checked my router and it reports my gateway address as something different to the 10.xxx.xx.x one.
|
|
|
23-03-2006, 14:51
|
#9
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
All depends on how you connect to the internet, any third parties involved etc.
If the router is reporting it inbound on its WAN interface, it's either coming directly from the Net, or you have something between you and the internet.
|
|
|
23-03-2006, 14:52
|
#10
|
Inactive
Join Date: Oct 2003
Location: East Midlands
Age: 47
Services: Rural BB - Radio Link via Virgin Fibre
Posts: 2,947
|
Re: Router reporting odd attack seemingly from ntl
Just a hunch, but have you got wireless at any point in the chain, router or otherwise?
|
|
|
23-03-2006, 15:01
|
#11
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
My PC and laptop both connect wired to the router, then to the cable modem. The router isn't wireless so that's not a factor. I have scanned both PCs with several virus/adware checkers just to be safe, but as I say the problem persists even when there's nothing except the modem connected to the router.
Got me totally confused.
---------- Post added at 15:01 ---------- Previous post was at 14:55 ----------
Just decided to do a tracert to the 86.2.142.1 address and this is the result:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\***>tracert 86.2.142.1
Tracing route to cur1-hart2-0-0-gw.midd.cable.ntl.com [86.2.142.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms . [192.168.2.1]
2 12 ms 9 ms 10 ms cur1-hart2-0-0-gw.midd.cable.ntl.com [86.2.142.1]
Trace complete.
|
|
|
23-03-2006, 15:04
|
#12
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
The "problem" will persist as the traffic is coming inbound as Broadcast traffic (sends to all). The confusing thing is that you have 2 hops (192.168.x.x and 10.133.x.x) before you jump to the internet.
Are you running NAT at all?
---------- Post added at 15:04 ---------- Previous post was at 15:02 ----------
Also what make is the router?
|
|
|
23-03-2006, 15:09
|
#13
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
The 192.168 is my router address; the other I have no idea what it is. As for NAT, not really sure what that is. The listing within my router for NAT is at the default settings (which is all address mapping set to 0, which I assume is disabled).
The router is an SMC Barricade.
|
|
|
23-03-2006, 15:11
|
#14
|
Inactive
Join Date: Jun 2003
Location: Surrey
Age: 58
Services: Virgin stuff
Posts: 6,407
|
Re: Router reporting odd attack seemingly from ntl
It looks like the 10.133 address is on your router, possibly a NAT address. Can you do a trace to it and publish the result?
The bottom line is that this traffic is coming into you from NTL, and basically can be ignored, it will not do you any harm. But I would advise a Firewall on your machines, and Anti Virus.
|
|
|
23-03-2006, 15:15
|
#15
|
Inactive
Join Date: Mar 2006
Posts: 10
|
Re: Router reporting odd attack seemingly from ntl
Here's a tracert to the weird address... kind of nothing happens, and I'm definitely running anti-virus and firewalls on my machines, both updated and used to scan regularly (not that I'm paranoid).
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Bladerunner>tracert 10.133.88.1
Tracing route to 10.133.88.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms . [192.168.*.*]
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6
Could someone wiring me up wrong at the green box cause this? As I say, it only started happening on Monday; before that my router was always nice and quiet.
|
|
|
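An added example, not part of any post in this thread: a short Python script that parses the router log lines quoted in post #1, groups them by source address, and reports whether each source is in private address space, whether the destination is multicast, and how often the alert repeats. The function name `summarize` and the regular expression are this example's own assumptions about the router's log format, based only on the lines shown above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from post #1 (timestamps are MM/DD/YYYY HH:MM:SS).
SAMPLE_LOG = """\
03/23/2006 13:34:47 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:47 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:42 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:42 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:37 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:37 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:33 **RIP v1** 86.2.142.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
03/23/2006 13:34:33 **RIP v1** 10.133.88.1, 520->> 224.0.0.9, 520 (from WAN Inbound)
"""

# Assumed line layout: timestamp, **alert name**, src, port->> dst, port (from iface)
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<kind>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>[^)]+)\)"
)

def summarize(log_text):
    """Group alerts by source; report address scope and mean repeat interval."""
    times, dests = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not an alert line
        times[m["src"]].append(datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"))
        dests[m["src"]].add((m["dst"], int(m["dport"])))
    report = {}
    for src, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        report[src] = {
            "count": len(seen),
            "private_source": ipaddress.ip_address(src).is_private,
            "multicast_dest": all(ipaddress.ip_address(d).is_multicast for d, _ in dests[src]),
            "port_520_only": all(p == 520 for _, p in dests[src]),  # RIP uses UDP 520
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```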