What is 173.0.0.0 IANA Reserve?

metomeya New
edited February 2005 in Science & Tech
Ya my firewall keeps blocking this one IP it says 173.0.0.0 IANA Reserve. What is this? Should I worry? :confused:


I attached a photo of it

Comments

  • topherice Oak Ridge, TN
    edited February 2005
    :scratch: Don't know why you're getting alerts and someone please correct me if I'm wrong here but 173.0.0.0 /8 is a Class "B" network with 8 bits masked that is reserved by the Internet Assigned Numbers Authority. So it should not be publicly routable nor should anyone be attempting to use it publicly. Go to DNSSTUFF.COM and do an IPWHOIS lookup on it.
  • Dexter Vancouver, BC Canada
    edited February 2005
    Short answer: it's a bogon address.

    Now you are probably going to want the long answer... :)

    Some definitions, in case you aren't familiar:
    http://www.answers.com/iana&r=67

    IANA = Internet Assigned Numbers Authority (the body that legislates how IP addresses are assigned and used internationally.) Now done by a body called ICANN (Internet Corporation for Assigned Names and Numbers.)


    Anything that is IANA Reserved means that they are holding a range of IP addresses in reserve for future use. That means that this range of addresses should not be in use by anyone. Violation of that is frowned upon by IANA, and ISPs who use reserved addresses not assigned to them are shunned by other ISPs, in effect getting cut off from the rest of the internet.

    Anything numbered 173.0.0.0 to 187.255.255.255 are reserved, as are several other ranges, but this is the range we are interested in, since it is the one you are seeing. That is what Topherice mentioned, that this range is not supposed to be in use, and so you should not be seeing it. But it is probably not in use, it is a bogon address...

    http://aplawrence.com/Words/2004_06_12.html
    Bogon Address: = an IP address that shouldn't be in a routing table and therefore shouldn't be used for hosts or devices. These are not just the reserved private addresses we use for internal networks. Bogon addresses are often used as the source addresses of DDoS packets.

    That's the short explanation. Here's the longer one:

    http://ispcolumn.isoc.org/2004-04/bogons.html

    The problem that bogons present is generally related to threats to the integrity of the Internet's address space. Bogons are what could be considered to be 'unauthorized' use of the address space. In one form of bogon there is no record of the original resource allocation ever having been made, while in the other form, that of hijacking, the address may have been dormant for some time and its use is taken up by the hijacker. There are also cases where active addresses are being re-advertised incorrectly, either inadvertently, or as part of some form of malicious attack. All of these cases of unauthorized use of address resources fit within the broad term of a bogon. Sometimes a bogon is just a case of keystroke error by a network operator, and the consequent bogons are entirely inadvertent, and other times it may be a disagreement between an end user and a registration authority, and sometimes it may indeed be an instance of deliberate hijacking of an address.

    So basically, the answer to your question is: it's a spoofed address. The IP reported has been spoofed to mask the real IP. This is done, as mentioned in the references above, in Distributed Denial Of Service (DDoS) attacks. It can also be done by hackers running automated intrusion scripts, spyware / adware companies trying to push pop-up advertising to you, etc.

    You have no way of knowing who this is from. It could be coming from multiple addresses.

    Some things you can do:

    - thorough anti-spyware & anti-virus check. Make sure that this traffic is not a response to communication inside your LAN, such as adware requesting the latest pop-ups, or a trojan broadcasting its availability.

    - contact your ISP, ask them to check and see if this source is indeed coming from the outside, and ask if they can either trace it or block it.

    - see if you can set the firewall to ignore this (i.e. stop reporting it). The firewall is doing its job. Looking at the reports can drive you bonkers. So long as you verify that your system is free of internal threats (spyware, viruses, trojans) then just ignore this from your firewall. As long as those are being blocked, you have nothing to worry about.

    Dexter...
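
The check described in the post above can be run over a firewall log. This is an added example, not part of the thread: it turns the range the thread quotes as reserved in 2005 into CIDR blocks and flags log sources that fall inside it or inside special-use space. The log format, sample lines and function names are assumptions, and because reserved space changes as IANA allocates blocks, the range is dated input rather than a current list.

```python
import ipaddress
import re

# Range the thread gives as IANA-reserved in February 2005 (dated sample input).
THREAD_RESERVED = ("173.0.0.0", "187.255.255.255")

# Constructed log lines in an iptables-like format (assumed; not from the thread).
SAMPLE_LOG = [
    "Feb 12 10:01:02 fw DROP IN=eth0 SRC=173.0.0.0 DST=203.0.113.7 PROTO=TCP DPT=445",
    "Feb 12 10:01:09 fw DROP IN=eth0 SRC=10.1.2.3 DST=203.0.113.7 PROTO=UDP DPT=137",
    "Feb 12 10:02:30 fw DROP IN=eth0 SRC=8.8.8.8 DST=203.0.113.7 PROTO=UDP DPT=53",
    "Feb 12 10:03:11 fw DROP IN=eth0 SRC=999.1.1.1 DST=203.0.113.7 PROTO=TCP DPT=80",
]
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def classify(addr, unallocated):
    """Label a source address as special-use, unallocated or routable."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    if ip.is_private or ip.is_reserved or ip.is_multicast:
        return "special-use"  # e.g. RFC 1918, loopback, link-local, 240/4, 224/4
    if any(ip in net for net in unallocated):
        return "unallocated"
    return "routable"

def bogon_sources(log_lines, unallocated):
    """Return (source, category) for each line whose source is a bogon."""
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            category = classify(m.group(1), unallocated)
        except ValueError:
            continue  # not a valid IPv4 address, e.g. 999.1.1.1
        if category != "routable":
            hits.append((m.group(1), category))
    return hits

if __name__ == "__main__":
    nets = range_to_cidrs(*THREAD_RESERVED)
    print([str(n) for n in nets], bogon_sources(SAMPLE_LOG, nets))
```
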
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited February 2005
    Thanks for the explanation. I had initially thought that Bogons were the cousins of the Klingons, or perhaps even confederates of the Borg. Whew, I feel better now! :eek:
  • Dexter Vancouver, BC Canada
    edited February 2005
    Leonardo wrote:
    Thanks for the explanation. I had initially thought that Bogons were the cousins of the Klingons, or perhaps even confederates of the Borg. Whew, I feel better now! :eek:


    ;D

    I thought they were somehow related to the Vogons, and were going to destroy our planet so they could put in a new interstellar communications hub.....

    Seriously though, ya, wacky name. I don't make 'em, I just learn 'em. :)

    Dexter...
  • metomeya New
    edited February 2005
    Okay I just took it off my firewall block list. I have an insane amount of protection, I think I posted all the programs I use, and I just updated, so I should be good. I'm going to guess Cox, my internet service provider, is just using that IP address for some things. I don't think I'm under attack :D
  • Dexter Vancouver, BC Canada
    edited February 2005
    metomeya wrote:
    Okay I just took it off my firewall block list.


    I hope you don't mean you are ALLOWING this traffic?? I meant for you to set it to NOT REPORT this traffic, not to ALLOW it. Keep it blocked...it does not sound like any legitimate traffic that should be coming to your computer.

    Dexter...
  • metomeya New
    edited February 2005
    Sorry misread your post (my mind loses concentration on long posts :D ). Ya I re-enabled it, but while it was down my post was blocking a different IP. It looks like someone is trying to get to my system. I posted another image.
  • Dexter Vancouver, BC Canada
    edited February 2005
    Don't take this one personally, this one is flagged by your Firewall as being a Hijacker Host, so I assume that means they are a known adware source. You probably had adware on your system at some time, so they added you to a big database of IP addresses to check occasionally to see if you still have their stuff active on your system. Or they are just scanning IPs for vulnerabilities.

    Like I said, if you sit and look at your firewall log every day, you are going to drive yourself slowly nuts. It's like standing on your front porch and watching every car that drives by to see if the occupants are looking at your home, then worrying if they are scoping your house out for a break-in. Just let your firewall do its work. If you notice repeated communication day after day after day from the same source, then report to your ISP, they may be able to check it or block it at the server. Otherwise, don't sweat it, unless there is traffic coming through the firewall that looks fishy. :)

    Dexter...