Protecting your connection to a newly detected network on adapter

NIS 2008 Logs | Service Activities is logging a connection to an unknown ip:

 

- Protecting your connection to a newly detected network on adapter "Intel(R) PRO/100 VE Network Connection" (IP address: 169.254.73.101).

 

then the connection disappears:

 

- IP address 169.254.73.101 has disappeared and is no longer being protected.

then my normal network ip appears:

 

Protecting your connection to a newly detected network on adapter "Intel(R) PRO/100 VE Network Connection" (IP address: x.x.x.x).


http://private.dnsstuff.com/tools/whois.ch?domain=169.254.73.101 shows 169.254.73.101 being assigned to the Internet Assigned Numbers Authority

 

My logs only go back 1 week & this entry appears more than once every day.  Most connections seem to average 10 seconds, occasionally 30 seconds, and once it was 2 minutes.

 

 

This computer connects to a local area network using a dynamic ip assigned by a local DHCP server.  The local DHCP server's ip address pool is configured to utilize the 192.168.x.x private ip address range.

 

My concern is that the suspect connection is to a public (routable) ip address: 169.254.73.101.

 

TIA!

It seems then that this DHCP server didn't manage to contact your network adapter in due time.

 


A feature of Microsoft Windows, APIPA is a DHCP failover mechanism. With APIPA, DHCP clients can obtain IP addresses when DHCP servers are nonfunctional. APIPA exists in all popular versions of Windows except Windows NT.

When a DHCP server fails, APIPA allocates addresses in the private range 169.254.0.1 to 169.254.255.254. Clients verify their address is unique on the LAN using ARP. When the DHCP server is again able to service requests, clients update their addresses automatically.

In APIPA, all devices use the default network mask 255.255.0.0 and all reside on the same subnet.

APIPA is enabled on all DHCP clients in Windows unless the computer's Registry is modified to disable it. APIPA can be enabled on individual network adapters.


 

Message Edited by TomiRed on 03-13-2009 05:15 PM
Message Edited by TomiRed on 03-13-2009 05:16 PM

On further investigation, it appears that 169.254.x.x are actually private (non-routable) ip addresses.

 

It seems that I'm experiencing a delay with the ip address assignment by my DHCP server.

 

Thanks for your help!!!

Message Edited by RanD on 03-13-2009 12:22 PM
Message Edited by RanD on 03-13-2009 12:29 PM

I wouldn't think it is public and routable just because IANA keeps a record of it. IANA keeps records and assigns ranges for all IP addresses.

 

I doubt you even have connectivity with it. 

 

Here, from www.iana.org

 


Does it look like we're attacking you?

Some of the most common things we hear are "My network is under attack by IANA!" and "IANA is spamming me!" If you think this is the case, please take a few moments to read this page.

 

The Internet Assigned Numbers Authority, or IANA, is responsible for the global coordination of IP addresses. Most of the used numbers are allocated via a regional allocation system to your ISP, which then automatically assigns one or more to you.

 

There are, however, special sets of numbers that are designed not to be assigned to any particular person. Instead, they are general allocations that are either used in special ways, or designed for people to use internally within local networks.

 

These numbers are primarily in the following ranges:

 

 

  • Begins with 10. (i.e. 10.0.0.0 through to 10.255.255.255)
  • Begins with 127.
  • Begins with 169.254.
  • Begins with 172.16. through 172.31.
  • Begins with 192.168.
  • Shows up in your logs with a name like blackhole-1.iana.org

 

 

There are additional ranges of numbers that are also marked as “IANA Reserved” and similarly are not operated by IANA, although these are the most common ones we receive abuse reports concerning.

 

If you are seeing unexplained Internet traffic to your computer from these numbers, it is important to remember the following things:

 

The traffic does not come from IANA. As the authority for IP addresses, we have simply reserved these numbers in our databases, but we do not use or operate them, and we are not the source of the traffic.

 

As use of these numbers is untracked and unrestricted, we can not tell you who is using these numbers.

 

It is perfectly normal to see traffic from these numbers if you have a small home or office network. By default, most routers and access points use these numbers to assign to your local computers. It is most likely these numbers represent computers on your own internal network.

 

If you see these numbers in the headers of an unsolicited email, they usually indicate transit between servers within a corporate network or ISP. They are not useful in identifying the origin of an email. In such cases you can usually find the true origin by looking for the earliest "Received" mail header that is not an IANA Reserved address.



 

Message Edited by TomiRed on 03-13-2009 05:32 PM
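Added example, not part of any post in this thread: a Python sketch that classifies the addresses discussed above and measures how long the adapter sat on an APIPA address before DHCP answered. The message wording comes from the thread; the timestamps, the `timestamp | message` layout and the 192.168.1.23 address are constructed assumptions, not the real NIS 2008 log format.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log: wording from the thread, timestamps and layout assumed.
ADAPTER = 'adapter "Intel(R) PRO/100 VE Network Connection"'
NEW = "Protecting your connection to a newly detected network on " + ADAPTER
GONE_MSG = "has disappeared and is no longer being protected."
SAMPLE_LOG = "\n".join([
    f"2009-03-13 08:00:05 | {NEW} (IP address: 169.254.73.101).",
    f"2009-03-13 08:00:15 | IP address 169.254.73.101 {GONE_MSG}",
    f"2009-03-13 08:00:15 | {NEW} (IP address: 192.168.1.23).",
    f"2009-03-13 17:30:00 | {NEW} (IP address: 169.254.73.101).",
    f"2009-03-13 17:30:30 | IP address 169.254.73.101 {GONE_MSG}",
    f"2009-03-13 17:30:31 | {NEW} (IP address: 192.168.1.23).",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(?P<ts>\S+ \S+) \| (?P<msg>.*)$")
APPEAR = re.compile(r'on adapter "[^"]+" \(IP address: (?P<ip>[\d.]+)\)')
GONE = re.compile(r"IP address (?P<ip>[\d.]+) has disappeared")

def classify(ip_text):
    """Name the special-use range an address falls in, or 'global'."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # 169.254.0.0/16: APIPA / RFC 3927
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "global" if ip.is_global else "reserved"

def apipa_windows(log_text):
    """Return (ip, seconds) for each link-local address that came and went."""
    started, windows = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if (a := APPEAR.search(m["msg"])) and classify(a["ip"]) == "link-local":
            started[a["ip"]] = ts
        elif (g := GONE.search(m["msg"])) and g["ip"] in started:
            delta = ts - started.pop(g["ip"])
            windows.append((g["ip"], int(delta.total_seconds())))
    return windows

if __name__ == "__main__":
    for ip, secs in apipa_windows(SAMPLE_LOG):
        print(f"{ip} ({classify(ip)}): on APIPA fallback for {secs}s")
```

Windows that grow longer or more frequent over time point at the DHCP server or the link to it, not at an outside host.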

It seems that I'm experiencing a delay with the ip address assignment by my DHCP server.

 


Does it look like we're attacking you?


No - nothing in my logs to indicate an attack, and, I certainly did not take it as a personal attack.

 

:-)

 

My confusion/concern was about the 169.254.x.x address range being public and routable.  That confusion/concern has been fixed by your helpful insights as well as the following excerpt from http://en.wikipedia.org/wiki/Private_IP_address:

 

"A second set of private networks is the link-local address range codified in RFC 3330 and RFC 3927. The intention behind these RFCs is to provide an IP address (and by implication, network connectivity) without a DHCP server being available and without having to configure a network address manually. The network 169.254/16 has been reserved for this purpose. Within this address range, the networks 169.254.0.0/24 and 169.254.255.0/24 have been set aside for future use.

If a host on an IEEE 802 (ethernet) network cannot obtain a network address via DHCP, an address from 169.254.0.0 to 169.254.255.255 is assigned pseudorandomly. The standard prescribes that address collisions must be handled gracefully.

Link-local addresses have even more restrictive rules than the private network addresses defined in RFC 1918: packets to or from link-local addresses must not be allowed to pass through a router at all (RFC 3927, section 7)."

 

Thanks for your help!!!

Message Edited by RanD on 03-13-2009 12:22 PM
Message Edited by RanD on 03-13-2009 12:29 PM


You have made some addresses very public – if you want them removed from the messages it can be done but only by a moderator.

huwyngr, the 169 addresses are harmless to make public. They’re private, local, non-routable addresses.

OK -- I'm not a networking person.

 

I thought they were the kind of things that one hid behind a router to stop being hacked ...