Networking Forums

ICMP and port 16384 problem

 
 
RobR
Guest
Posts: n/a

 
      01-31-2006, 02:51 AM
I happened to fire up a network sniffer on my PC
last night to try and troubleshoot a problem and
discovered something that I'm stumped on.

I'm seeing TONS of traffic to a port and IP
and I don't know what's causing it. This is
on an XP machine, so the first thing I did
was a netstat to see what application was
causing this (I was assuming virus at this
point), but nothing came up. Then I ran
TCPView from Sysinternals, which shows
me all TCP/IP traffic in real time and the Windows
process generating it. Again nothing. Next I
thought maybe someone is ICMPing me,
so I checked my router to make sure the
NAT wasn't forwarding the port to my PC,
nope. Any ideas? Here's a piece of the
sniffer log, there's dozens of these every
second - I have no idea who 65.6.181.87 is:

1 0.000000 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
2 0.000034 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
3 0.029063 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
4 0.029098 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
5 0.059852 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
6 0.059883 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
7 0.089441 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384
8 0.089486 192.168.2.103 65.6.181.87 ICMP
Destination unreachable (Port unreachable)
9 0.120482 65.6.181.87 192.168.2.103 UDP
Source port: 16384 Destination port: 16384




 
kevincw01
Guest
Posts: n/a

 
      01-31-2006, 08:13 PM
Well, I'm not sure what it is, but I can tell you who it's coming from
and who to contact to stop it:
Reverse Lookup Results
Host Type Value
87.181.6.65.in-addr.arpa PTR adsl-065-006-181-087.sip.bct.bellsouth.net
181.6.65.in-addr.arpa NS auth01.dns.bellsouth.net
181.6.65.in-addr.arpa NS auth02.dns.bellsouth.net
181.6.65.in-addr.arpa NS auth00.dns.bellsouth.net
auth01.dns.bellsouth.net A 205.152.144.187
auth02.dns.bellsouth.net A 205.152.132.187
auth00.dns.bellsouth.net A 205.152.37.187
IP Address Contact Information

OrgName: BellSouth.net Inc.
OrgID: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

NetRange: 65.0.0.0 - 65.15.255.255
CIDR: 65.0.0.0/12
NetName: BELLSNET-BLK15
NetHandle: NET-65-0-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
Comment:
Comment: For Abuse Issues, email abuse @ bellsouth.net. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations @ bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2003-12-29
Updated: 2004-07-28

RAbuseHandle: ABUSE81-ARIN
RAbuseName: Abuse Group
RAbusePhone: +1-404-499-5224
RAbuseEmail: abuse @ bellsouth.net

RTechHandle: JG726-ARIN
RTechName: Geurin, Joe
RTechPhone: +1-404-499-5240
RTechEmail: ipoperations @ bellsouth.net

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-499-5224
OrgAbuseEmail: abuse @ bellsouth.net

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: ipoperations @ bellsouth.net

 
RobR
Guest
Posts: n/a

 
      01-31-2006, 08:16 PM
Thanks for all the lookup info, I guess my
big confusion is how is this even getting to
my PC? It should be stopped at the router
since 16384 isn't set up to NAT to my PC.

"kevincw01" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Well, i'm not sure what it is but I can tell you who it's coming from
> and who to contact to stop it:
> Reverse Lookup Results
> Host Type Value
> 87.181.6.65.in-addr.arpa PTR adsl-065-006-181-087.sip.bct.bellsouth.net
> 181.6.65.in-addr.arpa NS auth01.dns.bellsouth.net
> 181.6.65.in-addr.arpa NS auth02.dns.bellsouth.net
> 181.6.65.in-addr.arpa NS auth00.dns.bellsouth.net
> auth01.dns.bellsouth.net A 205.152.144.187
> auth02.dns.bellsouth.net A 205.152.132.187
> auth00.dns.bellsouth.net A 205.152.37.187
> IP Address Contact Information
>
> OrgName: BellSouth.net Inc.
> OrgID: BELL
> Address: 575 Morosgo Drive
> City: Atlanta
> StateProv: GA
> PostalCode: 30324
> Country: US
>
> ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321
>
> NetRange: 65.0.0.0 - 65.15.255.255
> CIDR: 65.0.0.0/12
> NetName: BELLSNET-BLK15
> NetHandle: NET-65-0-0-0-1
> Parent: NET-65-0-0-0-0
> NetType: Direct Allocation
> NameServer: NS.BELLSOUTH.NET
> NameServer: NS.ATL.BELLSOUTH.NET
> Comment:
> Comment: For Abuse Issues, email abuse @ bellsouth.net. NO
> ATTACHMENTS. Include IP
> Comment: address, time/date, message header, and attack logs.
> Comment: For Subpoena Request, email ipoperations @ bellsouth.net
> with "SUBPOENA" in
> Comment: the subject line. Law Enforcement Agencies ONLY, please.
> RegDate: 2003-12-29
> Updated: 2004-07-28
>
> RAbuseHandle: ABUSE81-ARIN
> RAbuseName: Abuse Group
> RAbusePhone: +1-404-499-5224
> RAbuseEmail: abuse @ bellsouth.net
>
> RTechHandle: JG726-ARIN
> RTechName: Geurin, Joe
> RTechPhone: +1-404-499-5240
> RTechEmail: ipoperations @ bellsouth.net
>
> OrgAbuseHandle: ABUSE81-ARIN
> OrgAbuseName: Abuse Group
> OrgAbusePhone: +1-404-499-5224
> OrgAbuseEmail: abuse @ bellsouth.net
>
> OrgTechHandle: JG726-ARIN
> OrgTechName: Geurin, Joe
> OrgTechPhone: +1-404-499-5240
> OrgTechEmail: ipoperations @ bellsouth.net
>



 
Jim
Guest
Posts: n/a

 
      01-31-2006, 10:52 PM
RobR wrote:
> 1 0.000000 65.6.181.87 192.168.2.103 UDP
> Source port: 16384 Destination port: 16384
> 2 0.000034 192.168.2.103 65.6.181.87 ICMP
> Destination unreachable (Port unreachable)

It looks like 65.6.181.87 is trying to reach port 16384 and the TCP/IP
stack is replying with the ICMP packet that the port was unreachable. If
your PC sent a UDP packet to 65.6.181.87, then the NAT function in the
router will normally forward anything coming back on that port from that
IP address to the originating PC. There are two questions here:
1) Why are you getting this UDP traffic in the first place?
2) Why is the router forwarding it rather than dropping it?

You don't indicate the type of router. Is it possible that there is a
configuration option that is causing the router to forward all traffic
to this particular PC? I assume you don't have this PC in the DMZ. A
Google on that port shows lots of entries related to VoIP.
Jim
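Jim's reasoning can be replayed as a small model of a consumer router's inbound decision. The Python below is an added example, not code from the thread or from any router firmware: it keeps a connection-tracking table populated by outbound packets, then applies the usual order of checks to an inbound datagram (existing mapping, static or UPnP port forward, DMZ host, otherwise drop). It simplifies by not rewriting source ports and by assuming a 30-second idle UDP timeout; 203.0.113.5 is a constructed second remote address, and the `restricted` flag models the difference between a NAT that only accepts replies from the remote the PC talked to (Jim's description) and a full-cone NAT that accepts them from anyone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Mapping:
    """One connection-tracking entry created by an outbound packet."""
    proto: str
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int
    expires: float


@dataclass
class NatRouter:
    """Toy model of a consumer router's inbound decision (constructed for this example)."""
    dmz_host: Optional[str] = None
    # Static rules such as a manual port forward or a UPnP-created one:
    # (proto, wan_port) -> (lan_ip, lan_port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    restricted: bool = True      # True: a reply must come from the remote the PC talked to
    udp_timeout: float = 30.0    # assumed seconds an idle UDP mapping survives
    table: List[Mapping] = field(default_factory=list)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port, now):
        """A LAN host sends a packet; the router records a mapping. Simplification:
        the WAN-side port equals the LAN source port (no port rewriting)."""
        self.table.append(Mapping(proto, lan_ip, lan_port, remote_ip, remote_port,
                                  now + self.udp_timeout))

    def inbound(self, proto, remote_ip, remote_port, wan_port, now):
        """A packet arrives on the WAN side; return (decision, (lan_ip, lan_port) or None)."""
        self.table = [m for m in self.table if m.expires >= now]   # expire idle entries
        # 1. Return traffic for a mapping the LAN host opened itself.
        for m in self.table:
            if m.proto != proto or m.lan_port != wan_port:
                continue
            if self.restricted and m.remote_ip != remote_ip:
                continue
            return ("forward:mapping", (m.lan_ip, m.lan_port))
        # 2. A static or UPnP port forward.
        if (proto, wan_port) in self.port_forwards:
            return ("forward:port-forward", self.port_forwards[(proto, wan_port)])
        # 3. A DMZ host receives everything that nothing else claimed.
        if self.dmz_host:
            return ("forward:dmz", (self.dmz_host, wan_port))
        # 4. Otherwise the packet never reaches the LAN.
        return ("drop", None)


PC, REMOTE = "192.168.2.103", "65.6.181.87"
OTHER = "203.0.113.5"        # constructed address for a different remote host


def scenarios():
    """Replay the possibilities discussed in the thread and return each verdict."""
    out = {}
    r = NatRouter()                                   # nobody on the LAN talked to REMOTE
    out["unsolicited"] = r.inbound("UDP", REMOTE, 16384, 16384, now=0.0)[0]

    r = NatRouter()                                   # the PC sent UDP to REMOTE first
    r.outbound("UDP", PC, 16384, REMOTE, 16384, now=0.0)
    out["after_outbound"] = r.inbound("UDP", REMOTE, 16384, 16384, now=5.0)
    out["expired"] = r.inbound("UDP", REMOTE, 16384, 16384, now=40.0)[0]   # past the timeout

    r = NatRouter(restricted=True)                    # PC talked to OTHER, not REMOTE
    r.outbound("UDP", PC, 16384, OTHER, 16384, now=0.0)
    out["other_remote_restricted"] = r.inbound("UDP", REMOTE, 16384, 16384, now=1.0)[0]

    r = NatRouter(restricted=False)                   # full-cone NAT: any remote may use it
    r.outbound("UDP", PC, 16384, OTHER, 16384, now=0.0)
    out["other_remote_fullcone"] = r.inbound("UDP", REMOTE, 16384, 16384, now=1.0)[0]

    r = NatRouter(dmz_host=PC)
    out["dmz"] = r.inbound("UDP", REMOTE, 16384, 16384, now=0.0)

    r = NatRouter(port_forwards={("UDP", 16384): (PC, 16384)})   # e.g. a UPnP-created rule
    out["port_forward"] = r.inbound("UDP", REMOTE, 16384, 16384, now=0.0)[0]
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} {verdict}")
```

The model shows that a steady stream reaching a LAN host for longer than the UDP timeout needs more than a single earlier outbound packet: either the host keeps refreshing the mapping, the NAT is full-cone and the host once used that port, or a port-forward, UPnP or DMZ rule exists on the router. Each of those is something you can check in the router's configuration.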
 
kevincw01
Guest
Posts: n/a

 
      01-31-2006, 11:10 PM
If it were VoIP then it wouldn't be connecting to a consumer DSL
line....unless you're using Skype, which uses a P2P approach to VoIP.
The original questions remain, however. Jim is right: unless you're in
the DMZ (or forwarding the port), your computer must have initiated the
connection.

 
RobR
Guest
Posts: n/a

 
      02-01-2006, 12:41 PM

"kevincw01" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> If it were VoIP then it wouldn't be connecting to a consumer DSL
> line....unless you're using skype which uses a p2p approach to voip.
> the original questions remain however. Jim is right, unless you're in
> the DMZ(or fwding the port), your computer must have initiated the
> connection.
>


Which was my thought, i.e., I was originating the traffic.
I do have an IAX2 client on this PC and an Asterisk
VoIP server at work, but the VoIP client wasn't
running, and the IP address I was seeing wasn't
related to any of my hardware at work, and the client
uses port 5060. The utilities I used should
also have shown if the traffic was related to an application
on my PC (I double-checked the processes to make
sure there wasn't something running in the background
I wasn't aware of).

The IP resolved to something with SIP in the FQDN
which also made me think VoIP. In any event, it has
stopped, I guess it's one of those mysteries that will
remain unsolved, at least for now but I'll keep an eye
out during my use of VoIP.

The router is a Linksys WRT54G running DD-WRT v22 firmware.
There's no easy way I'm aware of to check UPnP ports on v22
(v23 has this but has issues) but that's a possible explanation as to
why traffic was actually making it to my PC.

Thanks for the help, I appreciate it.


 
kimi
Guest
Posts: n/a

 
      02-03-2006, 08:00 PM
VoIP Learning and Translating Tutorial
Voice over IP is a new communication means that lets you telephone over the
Internet at almost no cost.
How this is possible, what systems are used, what the standard is, all
that is covered by this Howto.


http://www.freewebs.com/voipformula/VoIP-HOWTO.html

 
RobR
Guest
Posts: n/a

 
      02-04-2006, 03:20 AM

"kimi" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Voip Learning and Translating Tutorial
> Voice Over IP is a new communication means that let you telephone with
> Internet at almost null cost.
> How this is possible, what systems are used, what is the standard, all
> that is covered by this Howto.
>
>
> http://www.freewebs.com/voipformula/VoIP-HOWTO.html
>


Not sure why you posted that, was that supposed to be
for my benefit?


 
kevincw01
Guest
Posts: n/a

 
      02-05-2006, 12:43 AM
It's probably a newsgroup spam bot. Whatever you do, don't give the
spammer traffic by clicking on the link.

 