Bogon IP Address
Hi folks, network newbie here so apologies if this is a dumb question!
My MacBook Pro (M1, Big Sur 11.6) has recently downloaded around 15 GB of data, not triggered by me directly. Having checked my FWG (v1.973) Network Flows, I have a 'Download' from IP address 169.254.214.111 and when I click on it, my FW app states Flow Detail as 'Direction' Outbound and 'Downloaded' 15.54 GB. The ipinfo.io information states the IP address is a 'bogon'. There is also an 'upload' that states Flow Detail as 'Direction' Outbound and 'Uploaded' 353 MB.
A brief search on web suggests that these comms with a bogon is probably not a good thing! BTW, there is nothing on my local network with that IP address.
So a couple of questions if I may seek some advice from those that know what they're doing please?
1) Whilst I have now 'blocked' this IP address, is there any way of blocking IP addresses not registered by IANA?
2) On a non-FWG question, I can't seem to 'see' anything that was actually downloaded to my Mac. Whilst I have Bitdefender running (full system scan is clear) and the macOS device firewall on, as well as the usual password to change any system files, is there a simple way of determining what was actually downloaded?
I'm poised to do a complete re-install on Mac but would prefer to avoid if any of you folks have seen this behaviour before and concluded that it is somehow normal. In any event, a solution to question 1 might stop this from happening again.
Like I say, I'm not hugely technical but can learn quick if you have any suggestions or pointers! ;)
Thanks very much in advance.
Edit: FWG is in Router mode
This IP address is a link-local, likely self-assigned IP address. This means the traffic you are seeing is local ... Since the direction is outbound/download, your device is receiving this data.
I don't think you can block this IP, since it is a local address, and unless your service provider does something tricky to it, the IP address is only unique within your LAN. Why Firewalla is getting it is strange.
What/who is your service provider? Can you try to ping this address and see if it is routed to your ISP?
On question (2), Firewalla can't see the details; you will need something running on the OS to see exactly what is being downloaded.
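As an added illustration of the link-local point above (example code written for this thread, not Firewalla's tooling or anything posted by the participants): the script below classifies IPv4 addresses against the reserved ranges that sites like ipinfo.io label "bogon", then runs a few constructed flow records shaped like the ones in the original post through a triage step. The bogon table is compiled here from the IANA special-purpose registry and is an assumption of the example, not ipinfo.io's or Firewalla's list; the flow records are made up for the demonstration.

```python
import ipaddress

# Ranges that should never appear as a peer on the public internet.
# Compiled for this example from the IANA special-purpose address registry;
# not Firewalla's or ipinfo.io's list.
BOGON_RANGES = {
    "0.0.0.0/8": "this-network",
    "10.0.0.0/8": "private",
    "100.64.0.0/10": "cgnat",            # RFC 6598 carrier-grade NAT
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",      # RFC 3927 self-assigned (APIPA)
    "172.16.0.0/12": "private",
    "192.0.0.0/24": "ietf-assignments",
    "192.0.2.0/24": "documentation",
    "192.168.0.0/16": "private",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "documentation",
    "203.0.113.0/24": "documentation",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
}
_TABLE = [(ipaddress.ip_network(n), label) for n, label in BOGON_RANGES.items()]


def classify(ip_str):
    """Return the bogon category for an IPv4 address, or 'public'."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    for net, label in _TABLE:
        if ip in net:
            return label
    return "public"


def is_bogon(ip_str):
    return classify(ip_str) != "public"


# What each category implies for a home-router flow record. The advice strings
# are this example's wording, not Firewalla guidance.
_VERDICTS = {
    "link-local": "self-assigned LAN address (no DHCP lease); cannot be an "
                  "internet peer, look for a local device such as a backup target",
    "private": "LAN peer inside your own network",
    "public": "internet peer; check who owns the address",
}


def triage(flows):
    """Annotate flow records with the peer category and a plain-language verdict.

    Each flow is a dict with keys: peer, direction, downloaded_bytes, uploaded_bytes.
    'Outbound' here follows the router's convention: the local device opened the
    connection; 'downloaded' is what the local device received.
    """
    results = []
    for flow in flows:
        category = classify(flow["peer"])
        results.append({
            "peer": flow["peer"],
            "category": category,
            "bogon": category != "public",
            "verdict": _VERDICTS.get(category, "reserved/special-purpose address"),
            "received_gb": round(flow["downloaded_bytes"] / 1e9, 2),
        })
    return results


# Constructed sample flows modelled on the shape of the original report.
SAMPLE_FLOWS = [
    {"peer": "169.254.214.111", "direction": "outbound",
     "downloaded_bytes": 15_540_000_000, "uploaded_bytes": 353_000_000},
    {"peer": "192.168.1.20", "direction": "outbound",
     "downloaded_bytes": 2_000_000, "uploaded_bytes": 500_000},
    {"peer": "17.253.144.10", "direction": "outbound",
     "downloaded_bytes": 900_000_000, "uploaded_bytes": 1_000_000},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(f"{row['peer']:>16}  {row['category']:<11} bogon={row['bogon']!s:<5} "
              f"{row['received_gb']:>6} GB  {row['verdict']}")
```

The takeaway matches the reply above: a 169.254.x.x peer is a bogon only in the sense that it is never routed on the internet, so a large transfer from it is traffic with something on your own LAN, not an external party; the place to look is a local device that fell back to a self-assigned address.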
Do you have Time Machine set up on a network device? My Mac recently did a Time Machine backup about that size due to the update Apple just rolled out. I have a server that offers up a Time Machine share for my Mac to back up to. It is strange with that IP address; as @Firewalla states, that IP is typically a self-assigned IP address.
Hi Firewalla Team and James Willhoite. Many thanks for your responses, they are very much appreciated.
Apologies for delay responding, I thought I'd set up an alert for any posts but I hadn't, so only just checked back.
I think you are both correct!
Apologies to the FW Team as I looked up the IP address and a TP site stated 'Bogon' so I started panicking a bit! Now knowing it is network assigned leads me to the conclusion that James suggested, as I had trouble 'finding' my Time Machine on the network around that time. I think I may have applied some over-zealous 'rules' to the Time Machine by 'restricting internet access' through Device Management and, given the TM is on a separate Ethernet port on the FWG and wireless access is turned off on the device, perhaps I had prompted the TM to be assigned a local IP address that looked unusual (as above) and then my Mac backed up to it, hence the large transfer size.
During the process of trying to fix the network not being able to see the TM, I messed around (technical term) with the TM device and group settings, even resorting to trying to plug the TM into one of my TP-Link Deco WAPs and trying to access it via Wi-Fi instead of via my usual route of Mac - Netgear Ethernet switch - FWG. It seems to have been backing up fine since then with no mysterious IP addresses. TM is back on the FWG port directly now.
My poorly educated guess is that a device (the TM) with 'Internet Access Block' via FWG may be assigned an unusual IP address as opposed to something in the expected range, or perhaps it was a combination of this plus having my TM on a separate port. I did this primarily as a defence against the TM being accessed from the internet. I may try the device restriction again to see what happens and report back if I have a similar IP address assigned.
Thanks again for your help folks.