Why is Windows 7 trying to send out Protocol 41 packets to Internap
I'm new to Windows 7 and I apologize for my IPv6 ignorance, but I'm just trying to figure out why my new media center is constantly trying to make protocol 41 connections to hosts at Internap. Here's what I'm seeing on my firewall:

14:15:42 Default DROP 41 192.168.0.100 → 66.150.161.140 len=68 ttl=127 tos=0x00

and it's to all these destination addresses:

63.251.171.80
63.251.171.81
66.150.161.140
66.150.161.141
69.25.27.170
69.25.27.173
69.25.27.179

which all appear to be hosted by Internap. Is this some secret Microsoft spyware? I'm not too concerned with the traffic itself since I'm dropping it at my firewall, but I'm more concerned with why it's happening and why I can't figure out what these hosts are. My copy is legit and I'm not worried about phone-home technology like WGA or the KB971033 update, and I don't think this is the case here, but I can't find anything on the internet about why my media center is trying to connect to these hosts. Sadly I think the problem is search engines aren't able to get the results I'm looking for since there's so much other information out there about Windows 7. I intend to check my Windows Firewall settings tonight when I get home from work to see if there's anything which is set to allow this traffic, and hopefully it has an explanation other than some short "IPv6 encapsulation" name or something like that. Thanks for any suggestions you can offer, and if this is the wrong forum please feel free to move it to where it's appropriate. I started the question here since this seems to me to be a questionable security issue, since Windows 7 is generating traffic that I didn't request.
March 25th, 2010 12:44am

CSUDave, this seems like slightly suspicious traffic; it is possible that your machine is infected with malware. So first of all, check that there is no malware running on your machine. You can do a simple online virus scan on the Microsoft Live site: http://safety.live.com/ If this has no results, the next step you can take is to use a network sniffer like Microsoft Network Monitor or Wireshark to get some more in-depth information.

Kind regards,
DFT
IM me - Twitter: @DFTER
March 25th, 2010 12:08pm

I know this is a reply to an old post, but I am putting this up here so maybe someone else who runs into this won't go down the paranoia pit that I did. I too had weird IP protocol 41 traffic going to those IP addresses, along with some other traffic that looked very suspicious. I started to notice it when I finally got my PIX set up at home. I ended up setting up a Windows 7 instance in a VM, and even the MSDN ISO seemed to be infected. What really happened was:

1) I am using mydomain.com for my personal domain. Instead of using something.local for my DHCP scope default domain, I used something.net, the domain that I own.

2) For some reason mydomain.com put in default domain A records that point to the above addresses. (I am going to move my domain elsewhere; they just lost my business.)

3) IPv6 uses IP protocol 41, but for some reason when I unbound IPv6 from the VM's ethernet interface I still saw this traffic going out. I did notice that it happened right after a bunch of DNS queries were sent to Google DNS at 8.8.8.8 (the VM was set up to use that nameserver).

I trust the MSDN ISO that I used for the VM. If there is a rootkit, bot or malware involved, then it comes directly from Microsoft. If someone could explain the IP protocol 41 traffic related to DNS entries, that would be great.
May 9th, 2011 5:54pm
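Editor's note with an added example (not code from anyone in this thread). IP protocol 41 is IPv6 encapsulated directly in IPv4, the transport used by 6to4 and ISATAP tunnels; Windows 7 brings up an ISATAP tunnel adapter when a DNS lookup of isatap.<connection-specific DNS suffix> returns an A record, and then sends protocol-41 packets to that address. That is consistent with the last post (a real domain as the DHCP suffix, whose catch-all A records point at the Internap hosts, and the traffic appearing right after DNS queries), but it is a hypothesis from the editor, not something the thread confirms. The script below parses firewall lines in the format from the first post, counts protocol-41 flows per destination, and labels each destination against the addresses that isatap.<suffix> resolved to. The log lines and the DNS answers are constructed for the example; the names are not from the original thread.

```python
"""Triage protocol-41 (IPv6-in-IPv4) drops in a firewall log.

Added example, not from the original thread. SAMPLE_LOG is constructed in the
format shown in the first post; the isatap_answers passed to triage() are a
hypothetical stand-in for what 'nslookup isatap.<dns-suffix>' returned in the
scenario the last post describes.
"""
import re
from collections import defaultdict

# First-post format: "<time> <rule> <action> <proto> <src> → <dst> len=.. ttl=.. tos=.."
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>\S+)\s+(?P<action>\S+)\s+(?P<proto>\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?:→|->)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+len=(?P<len>\d+)\s+ttl=(?P<ttl>\d+)"
)

IPV6_IN_IPV4 = 41              # IANA protocol number: IPv6 encapsulated in IPv4 (6to4, ISATAP)
SIXTO4_RELAY_ANYCAST = "192.88.99.1"  # RFC 3068 6to4 relay anycast address

# Constructed sample log lines; only the first one is copied from the original post.
SAMPLE_LOG = """\
14:15:42 Default DROP 41 192.168.0.100 → 66.150.161.140 len=68 ttl=127 tos=0x00
14:15:43 Default DROP 41 192.168.0.100 → 66.150.161.141 len=68 ttl=127 tos=0x00
14:15:45 Default DROP 41 192.168.0.100 → 63.251.171.80 len=68 ttl=127 tos=0x00
14:15:46 Default DROP 41 192.168.0.100 → 66.150.161.140 len=68 ttl=127 tos=0x00
14:15:50 Default DROP 6 192.168.0.100 → 203.0.113.9 len=52 ttl=127 tos=0x00
14:16:01 Default DROP 41 192.168.0.100 → 192.88.99.1 len=68 ttl=127 tos=0x00
"""


def parse_log(text):
    """Return one dict per line that matches the firewall log format; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("proto", "len", "ttl"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def protocol41_destinations(rows):
    """Count protocol-41 packets per (src, dst) pair, ignoring every other protocol."""
    counts = defaultdict(int)
    for r in rows:
        if r["proto"] == IPV6_IN_IPV4:
            counts[(r["src"], r["dst"])] += 1
    return dict(counts)


def classify_destination(dst, isatap_answers):
    """Label a protocol-41 destination by the tunnel mechanism it is consistent with.

    isatap_answers: set of A records that isatap.<dns-suffix> resolved to
    (constructed by the caller here; on a real host, take them from nslookup).
    """
    if dst == SIXTO4_RELAY_ANYCAST:
        return "6to4 relay anycast"
    if dst in isatap_answers:
        return "ISATAP router (resolved from isatap.<dns-suffix>)"
    return "unexplained"


def triage(text, isatap_answers):
    """Map each protocol-41 destination to (packet count, label)."""
    result = {}
    for (_src, dst), n in protocol41_destinations(parse_log(text)).items():
        result[dst] = (n, classify_destination(dst, isatap_answers))
    return result


if __name__ == "__main__":
    # Hypothetical answers for isatap.<dns-suffix>, matching the scenario in the last post.
    answers = {"66.150.161.140", "66.150.161.141", "63.251.171.80"}
    for dst, (n, label) in sorted(triage(SAMPLE_LOG, answers).items()):
        print(f"{dst:16} {n:3} proto-41 packets  {label}")
```

To test the hypothesis on the affected machine, run `ipconfig /all` (an ISATAP tunnel adapter appears as "Tunnel adapter isatap.<suffix>" with the resolved router) and `nslookup isatap.<suffix>` against the DNS server the machine uses; if the A record matches the firewall destinations, changing the DHCP DNS suffix to a name that does not resolve stops the lookup. Note that Teredo, the other Windows transition technology, uses UDP port 3544 rather than protocol 41, so it does not show up in this log format.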

