I picked up a few additional security cameras to add to my Zoneminder camera system. As a rule I always block Internet access to client devices unless they need it. Right after installing the new cameras I noticed a spike in dropped packets on my camera IP reservation range. Since none of the existing cameras ever try to connect out except for NTP, it sparked my interest, so I did a bit of logging. Apparently about every 30-45 seconds they try to reach out to 3 IPs on Amazon AWS. The data being sent out is the same in each frame. People wonder why I don't trust IoT devices (or any device really). It makes me think of this recent issue: Backdoor in MVPower DVR Firmware Sends CCTV Stills to an Email Address in China
Anyone have an idea WTF this camera is trying to do?
sodium@EdgeRouter:~$ sudo tcpdump -i eth0 host 192.168.1.247
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:49:22.673693 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:49:22.673873 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
22:49:22.673947 IP 192.168.1.247.14182 > ec2-54-179-151-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 48
22:49:27.676726 ARP, Request who-has 192.168.1.1 tell 192.168.1.247, length 46
22:49:27.676856 ARP, Reply 192.168.1.1 is-at 24:a4:3c:05:e5:d4 (oui Unknown), length 28
22:50:02.745542 IP 192.168.1.247.14182 > ec2-54-86-23-37.compute-1.amazonaws.com.32100: UDP, length 48
22:50:02.745690 IP 192.168.1.247.14182 > ec2-54-72-248-104.eu-west-1.compute.amazonaws.com.32100: UDP, length 48
22:50:02.745771 IP 192.168.1.247.14182 > ec2-54-179-151-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 48
22:50:07.747131 ARP, Request who-has 192.168.1.1 tell 192.168.1.247, length 46
22:50:07.747270 ARP, Reply 192.168.1.1 is-at 24:a4:3c:05:e5:d4 (oui Unknown), length 28
Frame 1: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: Shenzhen_24:49:48 (ec:71:db:24:49:48), Dst: Ubiquiti_05:e5:d4 (24:a4:3c:05:e5:d4)
Internet Protocol Version 4, Src: 192.168.1.247, Dst: 54.86.23.37
User Datagram Protocol, Src Port: 14182 (14182), Dst Port: 32100 (32100)
Data (48 bytes)
24a43c05e5d4ec71db24494808004500004c0000400040112a87c0a801f73656172537667d6400383561f112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79
24a43c05e5d4ec71db24494808004500004c0000400040114951c0a801f73648f86837667d640038542bf112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79
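Added example (not from the original post): a small Python decoder for the two raw frames pasted above. It walks the Ethernet, IPv4 and UDP headers, verifies the IP and UDP checksums (which confirms the hex was copied intact), confirms the two datagrams carry a byte-identical 48-byte payload to different hosts, and splits off the payload's first four bytes. The p2p_header() decoding is an assumption on my part: a 0xF1 magic byte followed by a type byte and a big-endian length, sent to UDP/32100 on cloud hosts, is the shape of the PPPP/CS2 "P2P" relay protocol many consumer cameras use to register with their vendor's servers so a phone app can reach them; nothing in the capture itself proves that, so treat the label as a lead to confirm, not a finding.

```python
import struct

# The two 90-byte frames exactly as pasted in the post (hex from the capture).
FRAMES_HEX = [
    "24a43c05e5d4ec71db24494808004500004c0000400040112a87c0a801f73656172537667d6400383561"
    "f112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79",
    "24a43c05e5d4ec71db24494808004500004c0000400040114951c0a801f73648f86837667d640038542b"
    "f112002c267934c478aeb28842ef3b9223f082b6f82f2d72decd664fc8a070f75c9e90c4de59b27c0fce60f6498d8b79",
]


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; the caller zeroes the checksum field first."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame_hex: str) -> dict:
    """Decode Ethernet II / IPv4 / UDP and return the fields a firewall log would show."""
    raw = bytes.fromhex(frame_hex)
    dst_mac, src_mac = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    (_ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != 17:
        raise ValueError(f"not UDP: protocol {proto}")
    # IP checksum covers the header only, with the checksum field zeroed.
    ip_csum_ok = checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == ip_csum
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    # UDP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the datagram.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, udp_len)
    udp_csum_ok = checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:udp_len]) == udp_csum
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(str(b) for b in src),
        "dst_ip": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": payload,
        "ip_checksum_ok": ip_csum_ok,
        "udp_checksum_ok": udp_csum_ok,
    }


def p2p_header(payload: bytes) -> dict:
    """Split off the first four payload bytes as magic / type / body length.

    ASSUMPTION: this layout (1-byte magic 0xF1, 1-byte message type, 2-byte
    big-endian length of the rest) is the PPPP/CS2 relay protocol header used by
    many consumer cameras on UDP/32100. The capture does not confirm that; the
    length_consistent flag is the only check we can make from the bytes alone.
    """
    magic, msg_type, body_len = struct.unpack("!BBH", payload[:4])
    return {
        "magic": magic,
        "type": msg_type,
        "body_len": body_len,
        "length_consistent": body_len + 4 == len(payload),
    }


def analyze(frames_hex: list) -> dict:
    """Summarise the capture: where it went, whether the payload repeats, and integrity."""
    parsed = [parse_frame(h) for h in frames_hex]
    payloads = {p["payload"] for p in parsed}
    return {
        "destinations": [(p["dst_ip"], p["dst_port"]) for p in parsed],
        "identical_payload": len(payloads) == 1,
        "payload_len": len(parsed[0]["payload"]),
        "checksums_ok": all(p["ip_checksum_ok"] and p["udp_checksum_ok"] for p in parsed),
        "header": p2p_header(parsed[0]["payload"]),
    }


if __name__ == "__main__":
    for key, value in analyze(FRAMES_HEX).items():
        print(f"{key}: {value}")
```

Because the payload is identical across destinations and the body after the 4-byte header looks like random bytes, the datagram is consistent with a periodic registration beacon rather than with image data (48 bytes is far too small for a still); the useful defender response is what the post already describes, keeping the camera range off the Internet except for the specific flows it actually needs, and logging the drops so a change in the pattern is noticed.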