Security Incidents mailing list archives

RE: Odd addresses on my wireless network


From: "Kurt" <kurtbuff () spro net>
Date: Wed, 24 Nov 2004 14:57:28 -0800

Ron said...
| Windows computers, and some routers, have an obsession with sending
| traffic to "239.255.255.253" for something to do with upnp
| connectivity.  I didn't even realize this was happening until I set up
| Snort on my Linux box, and discovered packets destined for that
| (unroutable) address every second or so.  If either of your routers had
| upnp enabled, and you don't know what that is or don't use it, then I
| would recommend disabling it.
|
| As for the rest, I'm unsure.
|
| Michael Acosta wrote:
|
| >I noticed some odd behavior on my wireless network this afternoon. I
| >didn't think too much of it at the time, but now it really seems odd.
| >
| >When I tried to access the internet from my laptop, I realized that I
| >couldn't, even though I had LAN connectivity. I have two wireless
| >points in my house, one is an Apple Airport Extreme (10.0.1.1), and
| >the other is an Apple Airport Express (10.0.1.250), set up for WDS.
| >Both were on, but I couldn't reach the Extreme station via Airport
| >admin. I went in the room it's in to reset it (I've had to do that
| >before,) and noticed that the TX/RX lights on the front were really
| >moving, as if it were quite busy. My DSL modem was doing the same
| >thing. I went back to my laptop, and ran "arp -a", and came up with
| >this (even though I still couldn't reach the base station):
| >
| >$ arp -a
| >? (10.0.1.1) at 0:3:93:e7:36:da on en1 [ethernet]
| >? (10.0.1.250) at 0:11:24:3:77:c4 on en1 [ethernet]
| >? (169.254.61.156) at 0:11:24:3:77:c4 on en1 [ethernet]
| >? (169.254.255.255) at (incomplete) on en1 [ethernet]
| >? (224.0.0.2) at 1:0:5e:0:0:2 on en1 permanent [ethernet]
| >? (224.0.0.251) at 1:0:5e:0:0:fb on en1 permanent [ethernet]
| >? (239.255.255.253) at 1:0:5e:7f:ff:fd on en1 permanent [ethernet]
| >
| >en1 is my Airport card.
| >
| >Like I said, I didn't think it was too odd at first, I simply reset
| >the base station. When it came back up, I could reach the internet. I
| >ran arp -a again, and it only showed 10.0.1.1, as expected.
| >
| >How could blackhole traffic, and reserved arp traffic show up? I'm no
| >network expert, but I would assume that if I had its MAC address,
| >it was somehow on my network... right? By the way, I do have some
| >amount of security on (128 bit WEP and MAC address whitelisting.)

224.x.x.x is multicast, 169.254.x.x is autoconfigure (that is, when a
machine wants a DHCP server but can't find it, or when it simply isn't
assigned an IP address for some other reason, it assigns itself an IP
address from that range at random).

Sounds mostly like one of two things:

1) you have a Windows box on your network that's not configured well

and/or

2) you have a Mac on your network that's doing autodiscovery with that
weird protocol that Apple dreamed up for advertising services.

Kurt
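A small parser, added here as an example and not part of the thread, that applies Kurt's classification to the "arp -a" output quoted above: each multicast entry's MAC is checked against the RFC 1112 group-to-MAC mapping (which is why those entries are "permanent" and say nothing about a host being present), 169.254/16 entries are labelled as self-assigned, and an entry is flagged when a link-local address shares its MAC with a normal LAN host, as 169.254.61.156 and 10.0.1.250 do above. The sample input is the thread's output re-typed as a constructed string.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the thread's "arp -a" output re-typed as input (BSD/macOS format).
ARP_OUTPUT = """\
? (10.0.1.1) at 0:3:93:e7:36:da on en1 [ethernet]
? (10.0.1.250) at 0:11:24:3:77:c4 on en1 [ethernet]
? (169.254.61.156) at 0:11:24:3:77:c4 on en1 [ethernet]
? (169.254.255.255) at (incomplete) on en1 [ethernet]
? (224.0.0.2) at 1:0:5e:0:0:2 on en1 permanent [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en1 permanent [ethernet]
? (239.255.255.253) at 1:0:5e:7f:ff:fd on en1 permanent [ethernet]
"""
LINE_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+|\(incomplete\))")

def norm_mac(mac):
    """Zero-pad octets so '1:0:5e:0:0:fb' and '01:00:5e:00:00:fb' compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def multicast_mac(ip):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return "01:00:5e:" + ":".join(f"{b:02x}" for b in low23.to_bytes(3, "big"))

def classify_arp(text):
    """Map each IP in 'arp -a' output to a verdict string explaining the entry."""
    verdicts, owners = {}, defaultdict(list)
    for m in LINE_RE.finditer(text):
        ip, mac = ipaddress.IPv4Address(m["ip"]), m["mac"]
        if mac == "(incomplete)":
            verdicts[ip] = "unresolved: nothing answered (e.g. a broadcast address)"
        elif ip.is_multicast:
            # 'permanent' multicast entries are derived from the IP, not learned from a host
            ok = norm_mac(mac) == multicast_mac(ip)
            verdicts[ip] = "multicast group, MAC " + (
                "matches RFC 1112 mapping" if ok else "DOES NOT match mapping")
        else:
            verdicts[ip] = ("link-local (169.254/16) self-assigned address"
                            if ip.is_link_local else "unicast host")
            owners[norm_mac(mac)].append(ip)
    # One MAC holding a LAN address and a link-local one is a single device, not two.
    for mac, ips in owners.items():
        if len(ips) > 1:
            for ip in ips:
                others = ", ".join(str(o) for o in ips if o != ip)
                verdicts[ip] += f"; MAC {mac} also holds {others}"
    return {str(k): v for k, v in verdicts.items()}
```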
