Have I experienced a Windows security breach?

Why are so many strange IP addresses in our route print table? Does this indicate a Windows security breach? We have two domain controllers, and the primary domain controller shows the highest number of strange IP addresses. We also have a firewall installed on our network environment.

This could be related to DNS resolution being done on the server (which it likely is). Have you tried to browse or otherwise connect to some of the addresses you're seeing? There's also a chance that some type of malware is on the machine creating these entries. Have you tried flushing your route table? Try doing that (after-hours to minimize problems of course) to see if/when the entries come back. Beyond that, the best way to troubleshoot this is to install/run a good network analyzer (such as OmniPeek or Sniffer Pro) on the server – or a monitor/span/mirror port on your switch – and see who's talking to what. It's always pretty shocking just how much is happening on the network that you'd otherwise never know about.
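One way to run the "flush it and see if the entries come back" check from the answer above, as an added PowerShell example that is not part of the original answer: it snapshots the IPv4 route table with Get-NetRoute (Windows 8 / Server 2012 and later) and, on a later run, lists routes that have appeared since, flagging any whose gateway is not on a site-specific allow list. The baseline path and the gateway list are placeholders to adapt.

```powershell
# Added example, not from the original answer. Assumes the NetTCPIP module
# (Get-NetRoute); the baseline path and $ExpectedGateways are placeholder values.

function Save-RouteBaseline {
    param([string]$Path = "$env:ProgramData\route-baseline.xml")
    # Persist the current IPv4 routes so a later run can diff against them
    # (take this snapshot right after the table has been flushed/rebuilt).
    Get-NetRoute -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol |
        Export-Clixml -Path $Path
    Write-Host "Baseline saved to $Path"
}

function Compare-RouteTable {
    param(
        [string]$Path = "$env:ProgramData\route-baseline.xml",
        # Gateways the site considers legitimate (placeholder values; 0.0.0.0 = on-link).
        [string[]]$ExpectedGateways = @('0.0.0.0', '192.0.2.1')
    )
    $baseline = Import-Clixml -Path $Path
    $current  = Get-NetRoute -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol

    # Routes present now but absent from the baseline: the "did they come back?" check.
    $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property DestinationPrefix, NextHop -PassThru |
        Where-Object SideIndicator -eq '=>'

    foreach ($r in $new) {
        $status = if ($ExpectedGateways -notcontains $r.NextHop) { 'UNEXPECTED-GATEWAY' } else { 'new' }
        [pscustomobject]@{
            Status      = $status
            Destination = $r.DestinationPrefix
            Gateway     = $r.NextHop
            Interface   = $r.InterfaceAlias
            # Protocol hints at the origin: NetMgmt typically marks an administratively
            # added route, Local a route the stack created for a configured interface.
            Protocol    = $r.Protocol
        }
    }
}

# Usage: Save-RouteBaseline once after flushing, then Compare-RouteTable | Format-Table
# on each domain controller to see which entries reappear and from which gateway.
```

Running the comparison on both domain controllers lets you see whether the extra entries are unique to the primary one, which narrows the search to that host's DNS, services or any malware before reaching for a network analyzer.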

This was first published in January 2008