aefstoggaflm (Open Source Fan, Bethlehem, PA, Verizon Online DSL)
Why is my traffic going to 209.81.9.7 port number 123?
Can anyone please explain what 209.81.9.7 port number 123 is? Also, why are my computer(s)/network(s) sending traffic to that location?
From my outgoing log...
quote:
LAN IP         Destination URL/IP            Service/Port Number
192.168.0.101  mirror.toolbar.netcraft.com
192.168.0.101  www.dslreports.com
192.168.0.101  www.dnsstuff.com
192.168.0.101  www.dslreports.com
192.168.0.101  www.dslreports.com
192.168.0.101  i.dslr.net
192.168.0.101  mirror.toolbar.netcraft.com
192.168.0.101  www.dslreports.com
192.168.0.101  toolbar.netcraft.com
192.168.0.101  209.81.9.7                    123
192.168.0.100  209.81.9.7                    123
192.168.0.101  toolbar.netcraft.com
192.168.0.101  mirror.toolbar.netcraft.com
192.168.0.101  sirocco.accuweather.com
192.168.0.101  forecastfox.accuweather.com
192.168.0.101  www.netanya.ac.il
192.168.0.101  mirror.toolbar.netcraft.com
192.168.0.101  209.81.9.7                    123
192.168.0.100  209.81.9.7                    123
192.168.0.101  209.81.9.7                    123
I understand from Whois where it is and who to report abuse to.
Important note: I am running more than one network. My machine is behind the router with the WAN IP address 192.168.0.101, and my parents are behind the router with the WAN IP 192.168.0.100.
I also get to explain a little bit why I am running more than one network...
Here is one of the coolest things I found out, thanks to the help of grc.com/securitynow.
You can run more than one network, and a Y config is needed. More details on how to do it later; first, why.
If you have a network that looks like this
if Computer "A" has a packet sniffer on it, it can record *everything* that Computer "B" sends out that is not an SSL or VPN connection. By everything, I mean for example: usernames, passwords, website(s) visited, etc.
You might ask: Why can't I just run one network with all the computers directly connected to the NAT router? The answer: ARP (Address Resolution Protocol) spoofing is a real problem for LANs. For more details on that, check out the transcript of Security Now! with Steve Gibson, Episode 29 for Thursday, March 2, 2006: Ethernet Insecurity. Also read "ARP Cache Poisoning: How one bad machine on your Ethernet Local Area Network (LAN) can ruin your whole day".
What if you do not have a VPN connection, or the site you are trying to connect to (one example: www.dslreports.com) does not offer SSL?
With that in mind, it explains why a Y config is required. Please look at the next sample diagram.
This is only an example of how to get this to work. First the Cable/DSL Router Letter "A" is configured to use the static LAN IP Address of 192.168.0.1. It also is configured as you normally would for the WAN IP Address. I have mine set to WAN type PPPoE, and yours may vary. Now continuing on, the Cable/DSL Router letter "B" is configured to use the static LAN IP Address of 192.168.1.1. The Cable/DSL Router letter "C" is configured to use the static LAN IP Address of 192.168.2.1. The Cable/DSL Router letters "A" and "B" can be configured to use DHCP to use an IP Address.
This is safe because ARP never crosses routers. Also, because NetBEUI/NetBIOS (the protocol that makes File and Print Sharing possible in Windows; also called Samba in the world of Linux and Unix) is not routable, it breaks it. So any worms that spread only by NetBEUI/NetBIOS, you have just disabled them (they can't "jump" from router "B" to router "C").
Some things to be aware of...
#1 If someone connects their computer to router "A" (the one that is directly connected to the Internet) on the LAN side, they could ARP spoof the router, which would mean they would be able to sniff your data.
#2 If they were to connect a hub between router "A" and the modem, they would be able to sniff your data.
#3 Any worms that only spread by NetBEUI/NetBIOS would still be on the computer and could spread to other computers connected to the same router (example: they can still jump between all of the computers on router "B") that have NetBEUI/NetBIOS enabled and are sharing files/printers.
[EDIT 8/23/06 ~ 9:11 AM EST] Made some corrections about how to run more than one network...
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
WiggiE (Milford, OH)
said by aefstoggaflm: Please can anyone explain what is 209.81.9.7 port number 123?
Port 123 is Network Time Protocol and 209.81.9.7 is owned by ViaNet Communications.
dadkins (Hercules, CA) | reply to aefstoggaflm
IP address: 209.81.9.7
Host name: clock.via.net
NTP server setting your clock? An application to set your clock?
-- Think outside the Fox... Opera
aefstoggaflm (Open Source Fan, Bethlehem, PA, Verizon Online DSL) | reply to WiggiE
said by WiggiE: said by aefstoggaflm: Please can anyone explain what is 209.81.9.7 port number 123? Port 123 is Network Time Protocol and 209.81.9.7 is owned by ViaNet Communications.
Thanks. Port number 123 is usually for time, but could it be used for something else?
I hope it is only being used for time and nothing else.
Is there any way I can check that out? Like for example by using a program called telnet, aiming it at 209.81.9.7:123 and seeing the reply that comes back?
[EDIT] Well, it looks like I spoke too soon... said by dadkins: IP address: 209.81.9.7 Host name: clock.via.net NTP server setting your clock? An application to set your clock? Thanks, you answered my question.
Another "vote" for DSLR since you guys / gals (or almost) always have the answer to my question(s). By almost, I mean for example you can point me in the right direction.
However, I have one more question: where did you get that info about the IP address/host name?
Also, since I already said "thanks", I'm not going to say thanks again. That is, unless I want to...
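As an added example (not from anyone in this thread), here is one way to answer the question asked above, whether a flow on UDP 123 is really NTP: decode the 48-byte NTP header from a captured payload and check that it is a well-formed server reply rather than some other protocol riding on that port. The sample packet is constructed inline, not a capture from clock.via.net, and the reference address 192.0.2.10 is a documentation placeholder.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_HEADER = struct.Struct("!BBbbIIIQQQQ")  # 48-byte NTP v3/v4 header layout
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODE_SERVER = 4  # mode field value for a server reply (3 is a client request)

def ntp_timestamp(raw):
    """Convert a 64-bit NTP timestamp (32.32 fixed point, 1900 epoch) to UTC."""
    seconds, fraction = raw >> 32, raw & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=fraction * 1_000_000 // 2**32)

def parse_ntp(payload):
    """Decode the NTP header fields; raise ValueError if it cannot be NTP at all."""
    if len(payload) < NTP_HEADER.size:
        raise ValueError("too short for an NTP header")
    flags, stratum, _poll, _prec, _, _, ref_id, _, _, _, tx = NTP_HEADER.unpack_from(payload)
    ref_bytes = ref_id.to_bytes(4, "big")
    return {
        "leap": flags >> 6,              # leap indicator (top 2 bits)
        "version": (flags >> 3) & 0x7,   # protocol version (next 3 bits)
        "mode": flags & 0x7,             # association mode (low 3 bits)
        "stratum": stratum,
        # stratum 1 carries a 4-char source code (e.g. "GPS "); others an IPv4 address
        "ref_id": ref_bytes.decode("ascii", "replace") if stratum == 1
                  else ".".join(str(b) for b in ref_bytes),
        "transmit_time": ntp_timestamp(tx),
    }

def looks_like_ntp_server_reply(payload):
    """True only for a plausible NTP v3/v4 server-mode reply with a sane stratum."""
    try:
        hdr = parse_ntp(payload)
    except ValueError:
        return False
    return hdr["mode"] == MODE_SERVER and hdr["version"] in (3, 4) and 1 <= hdr["stratum"] <= 15

# Constructed sample (not a real capture): v4, server mode, stratum 2,
# placeholder upstream reference 192.0.2.10, transmit time 2006-08-23 09:11:00.5 UTC.
_tx = datetime(2006, 8, 23, 9, 11, tzinfo=timezone.utc)
_tx_raw = (int((_tx - NTP_EPOCH).total_seconds()) << 32) | 0x80000000
SAMPLE_REPLY = NTP_HEADER.pack((4 << 3) | MODE_SERVER, 2, 6, -20, 0, 0,
                               int.from_bytes(bytes([192, 0, 2, 10]), "big"), 0, 0, 0, _tx_raw)

if __name__ == "__main__":
    print(parse_ntp(SAMPLE_REPLY))
    print("server reply?", looks_like_ntp_server_reply(SAMPLE_REPLY))
    print("server reply?", looks_like_ntp_server_reply(b"GET / HTTP/1.0\r\n\r\n"))
```

Feed it the UDP payload of a captured packet from 209.81.9.7; a header that fails the check means whatever is on port 123 is not behaving like an NTP server.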
dadkins (Hercules, CA, Comcast)
»network-tools.com/default.asp?pr···9.81.9.7
»network-tools.com/
Tick Lookup and paste the questionable IP, click Submit.
Mem (USA, AT&T Southeast) | reply to aefstoggaflm
And you could do a trace route from your PC:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\MEM>tracert 209.81.9.7

Tracing route to clock.via.net [209.81.9.7]
over a maximum of 30 hops:

  1     2 ms     1 ms     2 ms  192.168.110.1
  2    21 ms    20 ms    20 ms  68.152.205.11
  3    21 ms     *       21 ms  68.152.212.42
  4    42 ms    41 ms    41 ms  bellsouth.net [205.152.238.92]
  5    42 ms    41 ms    42 ms  65.83.137.70
  6    43 ms    42 ms   104 ms  pxr00msy-0-0-0.bellsouth.net [65.83.236.32]
  7    43 ms    42 ms    43 ms  500.so-1-0-0.GW5.NOL1.ALTER.NET [65.208.10.245]
  8    42 ms    41 ms    41 ms  0.so-2-0-0.XL1.NOL1.ALTER.NET [152.63.102.90]
  9    95 ms    94 ms    94 ms  0.so-1-3-0.XL1.PAO1.ALTER.NET [152.63.50.205]
 10    88 ms    89 ms    89 ms  POS6-0.GW6.PAO1.ALTER.NET [152.63.55.9]
 11    87 ms    88 ms   273 ms  vianet-gw.customer.alter.net [63.65.129.178]
 12    96 ms    97 ms    96 ms  ge-0-0-0-1.a00.usnuq.via.net [157.22.9.94]
 13    88 ms    89 ms    89 ms  clock.via.net [209.81.9.7]

Trace complete.
WiggiE (Milford, OH) | reply to aefstoggaflm
said by aefstoggaflm: where did you get that info about the IP address/host name?
Another great place is »www.dnsstuff.com/
WHOIS Lookup: »www.dnsstuff.com/tools/whois.ch?···9.81.9.7
Reverse DNS lookup: »www.dnsstuff.com/tools/ptr.ch?ip=209.81.9.7
IP Information: »www.dnsstuff.com/tools/ipall.ch?···9.81.9.7
A great program to match network connections to running programs is TCPView. »www.sysinternals.com/Utilities/TcpView.html
aefstoggaflm (Open Source Fan, Bethlehem, PA) | reply to aefstoggaflm
Issue resolved, thanks to you guys and gals and to ClockViaNet.
Doctor Olds | reply to aefstoggaflm
So what program are you using that sets your clock?
Did you not know that it uses an internet-based Time Server?
You might look into what this program does so you can quickly see what is going on in your system[s] and hopefully reduce any apprehension you have.
Active Ports 1.4 »www.protect-me.com/freeware.html quote: Active Ports - easy to use tool for Windows NT/2000/XP that enables you to monitor all open TCP and UDP ports on the local computer. Active Ports maps ports to the owning application so you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you to detect trojans and other malicious programs.
-- Whats the point of owning a supercar if you cant scare yourself stupid from time to time?
aefstoggaflm (Open Source Fan, Bethlehem, PA, Verizon Online DSL)
said by Doctor Olds: So what Program are you using that sets your clock? Did you not know that it uses a internet-based Time Server? You might look into what this program does so you can quickly see what is going on in your system[s] and hopefully reduce any apprehension you have.
Thank you for that info.
No I do not know which machine it is or which program. My parents and I will need to look into it.
This is my inventory of the nodes that I have: one physical computer with Windows 2000, one physical computer with Windows XP Home SP2, one physical computer with Windows 98 SE, one physical computer with Windows ME, one physical computer with Linux, a print server with official firmware that cannot be changed, one VM (virtual) computer with Windows ME, and three routers in a Y config. Two of the routers run the official firmware from the company that made them, and the other one runs third-party firmware (Linux).
I think I know which machines are doing that. I think it has got to be the routers. It would not be my computer running Linux, because my computer is set to use clock.psu.edu.
Part of the reason I think that is because when I was running Atomic TimeSync on Windows ME (within VMware for Linux) to connect to 209.81.9.7 or clock.via.net, I could not connect.
To learn more details about Virtual Machine (VM) technology (aka:Virtualization) and how it relates to security, please read or listen to Security Now! with Steve Gibson, Episode 53 for August 17, 2006: Virtualization Part 2.
That server is "open access" and it requires a Notification Message before usage...
Quote from Open Access Time Server
quote: An open access time server may be used without restrictions by any client in any location.
Operators of open access time servers may request, but may not require, a NotificationMessage prior to use.
..Ah, sucks!
MrBradTX (Carrollton, TX) | reply to aefstoggaflm
Somewhere buried in the labyrinthine bowels of Windows Control Panel is a setting that allows Windows to set its system clock based on an Internet Time Server.
Doctor Olds | reply to aefstoggaflm
Seems like your setup is too confusing to be useful if you don't know what is installed and what machine opened the port outbound. Perhaps a rethink on what you need versus what you have, as your segmenting does not address the main issue of security. Don't run untrusted/unknown code and you won't get infected, and then your LAN is safe.
Regards,
Doctor Olds