Re: unusual 1.11.0.0/16 outbound traffic

["James C. Slora Jr." <Jim.Slora () phra com>]

Federico Grau wrote Tuesday, September 14, 2004 2:23 PM

> We have been seeing an increasing amount of unusual network activity
> trying to get out of our internal LAN.  What is most odd about this
> traffic is that the traffic is directed to the 1.11.0.0./16 subnet (an
IANA
> Reserved subnet, which I believe is to be used for VPNs).

One possibility is that there is VPN activity going on. The client
establishes the tunnel, creates connections to reserved addresses within the
VPN, then disconnects the tunnel while still having connections to resources
on the remote network. Windows would likely generate some of the traffic you
are seeing in that scenario.

While the VPN was running you would not see any traffic to the reserved
addresses because it would all be hidden inside the tunnel. Thus you
probably see no packets with data.

> Client machines include several Microsoft operating systems; Windows 98,
> Windows 2000, Windows XP.

> We have captured outbound traffic using tcpdump, and looked at it
> with ethereal.  No packets with "data" appear to be making it out.
> The packets we have been seeing include; SMB "Tree Disconnect
> Request", SMB "Echo Request", NBNS "Name query NBSTAT"
> and some other "failed SMB" packets.

These would all appear to be consistent with a disconnected VPN scenario.

There is not enough information to say whether VPN afterglow is what you are
seeing. You might consider getting full packet captures for a few hours from
one of your machines that is persistently generating the odd traffic to see
what is going on. Capture all traffic, not just traffic to the reserved
addresses. Look at http traffic to see if users are accessing file transfer
services like foldershare, look for VPN on non-standard ports, etc.