Phone shows up twice in router log

goobee

Platinum Member
Aug 3, 2001
2,005
10
81
goobee.org
While connected to my home Wifi, my phone shows up in the router log twice. Once with the IP assigned by the router and a second time with a completely different IP series. Is this normal or is this indicative of a rogue app doing something bad like phoning home?

The IP is 21.10.30.105. I did a WHOIS and it came back as

IP Owner: Dod Network Information Center
Owner Full IP Range:
21.0.0.0 - 21.255.255.255
Owner Address: 3990 E. Broad Street, Columbus, OH, 43218, US
Owner Country: USA

Thoughts?
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
It depends on what the log is logging.
Initially I thought you meant your DHCP logs or your "Connected Devices" logs. But seeing as it's a foreign IP this must be in your connection logs.

It seems strange that it's the only other IP from the phone.

Doesn't DOD stand for Department of Defence :p
 

goobee

Platinum Member
Aug 3, 2001
2,005
10
81
goobee.org
Actually your initial assessment is correct, it is the router's connected devices log that I am referring to. If you note the pic, the MAC addresses are the same but are showing different IPs.

[Attachment: mac.jpg]
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
You are not alone.

http://www.whitenations.com/showthread.php?t=3883

http://www.rap-con.com/forum/dod-military-already-snooping-computers

http://www.davidicke.com/forum/archive/index.php/t-209447.html

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=104x2559469

...and the Google list continues. I run DD-WRT and have iptables. I think I'll block the whole damn subnet from this crap. I don't believe I have ever seen it. I have SPI and Comodo firewall. It would have to get past SPI first. Do you know how to change your IP address? I can tell you how.

Your log says allowed. How could that happen???

And here I thought China was bad.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
I just added this to my firewall's iptables in DD-WRT:

iptables -A INPUT -s 21.0.0.0/8 -j DROP

That will block DOD. Not sure if it should be

iptables -A INPUT -s 21.0.0.0/8 -j DROP

or

iptables -A FORWARD -s 21.0.0.0/8 -j DROP
 

goobee

Platinum Member
Aug 3, 2001
2,005
10
81
goobee.org
Sons of bitches, thanks for the links John.

I will block the IP range for sure which will take care of the router. The phone itself, what a mess. :rolleyes:
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
I would do:
iptables -I INPUT -s {IP-HERE} -j DROP


Okay, what is the difference between forward and input? On the DD-WRT site a poster who told another poster how to block an IP range used forward instead of input. Not sure if there is a difference or if DD-WRT only understands forward.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
I just added this to my firewall's iptables in DD-WRT:

iptables -A INPUT -s 21.0.0.0/8 -j DROP

That will block DOD. Not sure if it should be

iptables -A INPUT -s 21.0.0.0/8 -j DROP

or

iptables -A FORWARD -s 21.0.0.0/8 -j DROP
You want to block the connection when it reaches the kernel on the local system, so you use the INPUT chain, i.e., block the incoming packet on its way IN to the local machine, assuming the packet's destination is the local machine (which it would be, if it's hitting the WAN NIC of your router).

You should create an OUTPUT rule as well to make sure your PC/router won't send data to that IP space. You would put this on the LAN NIC so it doesn't get forwarded to the WAN NIC on the router.

The FORWARD chain is used for packets with a foreign source and destination IP. In this case your local system will be routing packets through its NICs and you would be using forward rules to get this to work.

Also as a side note, you keep writing "I have IPTables" like it's some type of magic :). A blocked packet is a blocked packet, no matter if you use iptables, Windows firewall, etc.

You should read this if you want to learn more about IPtables:
http://bodhizazen.net/Tutorials/iptables
I can also recommend the following book, it was a great help to me when I was studying: http://www.nostarch.com/firewalls.htm
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
I have IPtables that block output broadcast packets, SSH protection and hacker blocking like X-mas and such. Here's what I have.

# Drop outbound SSDP / IGMP multicast chatter
iptables -I OUTPUT -d 239.255.255.250 -j DROP
iptables -I OUTPUT -d 224.0.0.22 -j DROP
# Drop anything arriving from the 21.0.0.0/8 range
iptables -A INPUT -s 21.0.0.0/8 -j DROP
# SYN-flood protection (chain name must match exactly: syn_flood, not syn-flood)
iptables -N syn_flood
iptables -A syn_flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A syn_flood -j REJECT
# The chain only takes effect once INPUT jumps to it for new SYNs
iptables -A INPUT -p tcp --syn -j syn_flood
# Furtive port scanner: rate-limit bare RST packets
iptables -N port_scan
iptables -A port_scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A port_scan -j REJECT
# Only hand RST packets to the chain, otherwise every other TCP packet would be rejected
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port_scan
# Invalid / scan flag combinations. REJECT is not a valid target in the nat table and
# nat only sees the first packet of a connection, so these use the mangle table's
# PREROUTING chain with DROP, which still sees every incoming packet.
# XMAS scan (FIN,URG,PSH)
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# All flags set
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
# NULL scan (no flags set)
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
# SYN+RST and SYN+FIN never occur in legitimate traffic
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN scan (FIN without ACK)
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
# SYN,RST,ACK,FIN,URG all set at once
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# SSH protection: rate-limit new connections to port 22, log and reject the excess
iptables -N rate_limit
iptables -F rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p udp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p icmp --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
iptables -A rate_limit -p icmp -j LOG --log-prefix " Connection dropped!! "
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rate_limit -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I INPUT -p udp --dport 22 -m state --state NEW -j rate_limit
# Drop IGMP arriving on the WAN-side VLAN interfaces
iptables -A INPUT -i vlan1 -p igmp -j DROP
iptables -I INPUT -i vlan1 -d 192.168.0.0/16 -p igmp -j DROP
iptables -A INPUT -i vlan0 -p igmp -j DROP
iptables -I INPUT -i vlan0 -d 192.168.0.0/16 -p igmp -j DROP

I don't use 22 for the SSH port, I just changed it here for posting.
 

Knowing

Golden Member
Mar 18, 2014
1,522
13
46
http://www.markturner.net/2011/11/08/why-is-the-defense-department-snooping-on-my-phone/
A commenter’s tip has solved the mystery of why my phone’s voice traffic is coming from an IP address owned by the Department of Defense. By entering the code *#*#INFO#*#*, I was able to pull up a hidden menu which shows the rogue IP address as assigned to my phone.
The Department of Defense is squatting on a massive number of IPv4 addresses and is not using most of it. Phone networks like Sprint are borrowing these IP addresses because their networks are larger than the 16 million hosts that the 10.x.x.x network can provide.
It looks, as another MT.Net visitor theorized, like Sprint is assigning the (unused) DoD IP addresses internally to its phones and then NATting the traffic from the phones to the public IPs. Since SIP packets have an additional IP address embedded inside, Sprint’s firewalls aren’t NATting that IP and thus the ordinarily “private” IP address is getting through the NAT process.
Whew!
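To show the mechanism the quoted post describes (the carrier's internal address surviving NAT because it is embedded inside the SIP headers and SDP body, so a device list can show one MAC with two IPs), here is an added Python example that is not from the thread or from markturner.net. The SIP message, the LAN lease 192.168.1.23 and the host name are constructed; 21.10.30.105 is the address from the first post.

```python
import ipaddress
import re

# Constructed sample: the IP header says the phone is 192.168.1.23 (the router's
# DHCP lease), but the SIP headers and SDP carry the carrier-assigned address
# from the 21.0.0.0/8 block the thread observed.
SAMPLE_OUTER_SRC = "192.168.1.23"
SAMPLE_SIP = (
    "INVITE sip:5551234567@ims.carrier.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 21.10.30.105:5060;branch=z9hG4bKabc123\r\n"
    "Contact: <sip:user@21.10.30.105:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 21.10.30.105\r\n"
    "c=IN IP4 21.10.30.105\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# 21.0.0.0/8 is registered to the DoD but, per the quoted post, borrowed by the
# carrier as internal space; 100.64.0.0/10 is the RFC 6598 shared space meant for
# carrier-grade NAT. Neither is RFC 1918, so ipaddress.is_private misses both.
BORROWED_DOD = ipaddress.ip_network("21.0.0.0/8")
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def embedded_ipv4(sip_message: str) -> set:
    """IPv4 literals embedded in Via/Contact headers and SDP o=/c= lines."""
    found = set()
    for line in sip_message.splitlines():
        if line.startswith(("Via:", "Contact:", "o=", "c=")):
            for literal in IPV4_RE.findall(line):
                try:
                    found.add(str(ipaddress.ip_address(literal)))
                except ValueError:  # e.g. an octet above 255
                    pass
    return found


def classify(ip: str) -> str:
    """Label an address the way a router-log reviewer would want to see it."""
    addr = ipaddress.ip_address(ip)
    if addr in BORROWED_DOD:
        return "dod-registered-borrowed-by-carrier"
    if addr in CGNAT_SHARED:
        return "cgnat-shared"
    if addr.is_private:
        return "rfc1918-private"
    return "public"


def second_addresses(outer_src: str, sip_message: str) -> dict:
    """Embedded addresses that differ from the packet's real source, classified."""
    return {ip: classify(ip) for ip in embedded_ipv4(sip_message) if ip != outer_src}
```

Run against the sample, the only "second IP" is 21.10.30.105, classified as borrowed DoD space rather than anything the router itself handed out.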