Confusing network activity in router log - help?

August 2, 2012 at 16:28:03
Specs: Windows 7 Ultimate 64-bit Service Pack 1, 2.67 GHz Intel i5, 6GB RAM

I was examining my router's logs the other day and I noticed a recurring entry stating that my PC's IP address was sending packets to the IP on port 80, and that the router was dropping them. At first glance, this of course does not seem to be anything to worry about. Except for the fact that my home LAN uses the network EXCLUSIVELY. That is all it has ever used since this router was set up, and the only other networks we have EVER used are and So why, I wondered, is my PC repeatedly sending (presumably) HTTP traffic to a private IP that is not and never has been on my network?
I wasn't worried about what these connections might be doing, since I figured they couldn't do anything, but I was kind of concerned about what was generating this traffic in the first place. So I downloaded Wireshark and ran a capture for 30 minutes. Upon completion, I filtered results to show only packets that contained the IP, as either the source or destination IP. Based on the router logs, I expected to see three packets with my PC's source IP address and a random source port sent to, port 80 every 10 minutes. And I did see that. These are TCP packets, and they appear to be completely empty. The only thing I noticed about them is that the SYN flag is set. I don't know what the significance of that is, if any, but that's what I noticed.
What I DIDN'T expect to see were the packets that had a source IP of These packets (also TCP) had the ACK and RST flags set, and they contained the text "Go away, we're not home." So not only are there packets being sent to an IP that cannot possibly exist within my network, but there are also packets coming FROM the impossible IP telling me to go away.
All of that is scary enough on its own. But then I hopped on Google and did a search for the phrase "go away, we're not home," and almost every result was related to the decline of the Storm worm. After reading about Storm, I was more confused, not less. In its heyday, Storm used UDP traffic to communicate between peers, and my mystery traffic was TCP. Storm usually did not use well-known port numbers, such as 80, which I read was part of what made it so resilient. Not to mention that the most recent posts I could find regarding the Storm worm were dated 2010 and were about the possibility of a second Storm, and I didn't get this PC until May 2011. Plus, even if we ignore all of this and operate under the assumption that I have the Storm worm on my PC, that still doesn't explain the fact that the traffic from my computer is heading to a private IP that is NOT, I repeat, NOT being used on my network, my router says it's dropping this traffic, but my PC is still somehow receiving a response from an IP address that 1) isn't on the network and 2) can't be having any packets forwarded to it, since the router says it's dropping the traffic.
So, operating under the worst-case scenario assumption, I used two different virus scanners (not simultaneously, of course) to do the deepest scans they are capable of doing. They both turned up completely clean. In fact, I've had AVG Free installed on my computer since I got it, and even if you look at my virus history you only see a few tracking cookies, a corrupted EXE from the Skype setup folder, and a Trojan dropper that I never even ran because I thought the file properties seemed fishy so I scanned it and promptly deleted it. So I now have to go back to operating under the assumption that I do NOT have the Storm worm, and I am back to the drawing board.
At this point I'm running out of ways to phrase Google searches to get different results, and I still have no idea what the hell is going on here. So please, if you have seen anything like this or you know how I might be able to find out EXACTLY what is causing this traffic (Oh, I should note that I ran netstat and it showed svchost.exe as the process related to the traffic, but I can't find any services in either Task Manager or Process Explorer that aren't supposed to be there) then please please please tell me. I'm starting college in a few weeks, and if this activity continues on the school network there's a possibility that they might kick me off the network. They have the most bewildering Acceptable Use policy ever.
Thank you in advance!


August 2, 2012 at 17:57:15
Just doing a Google search for the IP address comes up with results of others that had a similar problem to yours. None of them seem to be consistent though. Try this: Open the Hosts file with Notepad (C:\Windows\system32\drivers\etc) and add to it. If you're not familiar with how to do this, just add the following to the bottom of the document:

Check the logs of your router to see if this keeps happening.

You've been helped by a 14-year-old.


August 2, 2012 at 23:39:24
Who is your ISP? Some (Comcast is one example) use such packets in P2P traffic shaping. Have a look at

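Neither reply shows how to check a capture for the two tells the original post describes. As an added example (not code from this thread), this Python script classifies a constructed sample capture for them: SYN-only probes to an off-LAN private address on a fixed interval, and RST/ACK packets carrying a text payload, which a real TCP reset never does and which is the fingerprint of a reset injected by an in-path shaper. The LAN range, PC address, target address, TTLs and timings are assumed placeholder values.

```python
# Added example (not from the original thread): classifies captured TCP packets
# to spot the pattern described above: periodic empty SYNs to an unused private
# address, and RST/ACK replies that carry a text payload. Addresses, TTLs and
# timestamps below are constructed sample values, not the poster's real ones.
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home LAN (placeholder)
PC = "192.168.1.10"                   # assumed PC address (placeholder)

# Constructed capture: (time_s, src, dst, sport, dport, flags, ttl, payload)
CAPTURE = [
    (0,      PC, "10.0.0.5", 49152, 80, {"SYN"}, 128, b""),
    (0.02,   "10.0.0.5", PC, 80, 49152, {"RST", "ACK"}, 64, b"Go away, we're not home."),
    (600,    PC, "10.0.0.5", 49153, 80, {"SYN"}, 128, b""),
    (600.02, "10.0.0.5", PC, 80, 49153, {"RST", "ACK"}, 64, b"Go away, we're not home."),
    (1200,   PC, "10.0.0.5", 49154, 80, {"SYN"}, 128, b""),
    (5,      PC, "192.168.1.1", 49160, 80, {"SYN"}, 128, b""),          # normal LAN traffic
    (5.01,   "192.168.1.1", PC, 80, 49160, {"SYN", "ACK"}, 64, b""),
]

def off_lan_private(addr):
    """True for RFC 1918 addresses that are not on the configured LAN."""
    ip = ip_address(addr)
    return ip.is_private and ip not in LAN

def analyse(packets):
    """Return (finding, detail) tuples for the suspicious patterns in a capture."""
    findings = []
    syn_times = defaultdict(list)
    for t, src, dst, sport, dport, flags, ttl, payload in packets:
        if flags == {"SYN"} and not payload and off_lan_private(dst):
            syn_times[(src, dst, dport)].append(t)
        # RFC 793 resets carry no application data; text inside an RST/ACK
        # points to a reset forged by something in the path, not a real host.
        if "RST" in flags and payload:
            findings.append(("rst_with_payload", f"{src}:{sport} -> {dst}:{dport} {payload!r}"))
        # A reply from a private address that is not on the LAN cannot have
        # come from a LAN host; record its TTL as a hint to where it originated.
        if "RST" in flags and off_lan_private(src):
            findings.append(("reply_from_off_lan_private", f"{src} ttl={ttl}"))
    for (src, dst, dport), ts in syn_times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) < 5:   # near-constant interval
            findings.append(("periodic_syn", f"{src} -> {dst}:{dport} every ~{round(gaps[0])}s"))
    return findings

if __name__ == "__main__":
    for kind, detail in analyse(CAPTURE):
        print(kind, detail)
```

Run it against records exported from Wireshark (the same fields are available from its packet list) to get the findings instead of scrolling the capture by hand.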
