Multiple Dahua locations trying to gain access to NVR

Nick70068 · 2024-09-28T12:18:52-0400

I installed a new network security appliance (Firewalla) and in a short time I noticed multiple Dahua locations from America, Germany, Japan, Russia( malicous site) and Singapore trying to gain access to the NVR. And of course there were numerous

Is there any reason Dahua is access the NVR?

Attached are several Firewalla triggered alarms displaying the access.

BTW, system is a DHI NVR5208-8p-4ks2e (V4.002.0000007.R, Build Date 2024.07.17)

steve1225 · 2024-09-28T12:34:17-0400

Many questions:

have You open port to NVR on router?
have You enabled P2P on NVR (network -> p2p)?
have You enabled uPnP on NVR (network -> uPnP)?

Can You tell from firewall logs on which port numbers (source & destination) and which protocol (tcp, udp) those transmissions were done?
this will allow to specify method used to those attacks..

Nick70068 · 2024-09-28T12:41:15-0400

There is the standard P2P enabled for remote viewing, with a very strong password.

steve1225 · 2024-09-28T12:42:32-0400

Nick70068 said:
There is the standard P2P enabled for remote viewing, with a very strong password.

what with other my questions?

Nick70068 · 2024-09-28T14:01:25-0400

Can You tell from firewall logs on which port numbers (source & destination) and which protocol (tcp, udp) those transmissions were done?
this will allow to specify method used to those attacks..

Yes, I have the standard 37777 port open for remote viewing and of course port 80 for webviewer.
No UPnP ports open

Firewall can't give me the port numbers or if it was tcp,udp protocol.

Like Quote Reply

Report

steve1225 · 2024-09-28T14:06:28-0400

Nick70068 said:
Yes, I have the standard 37777 port open for remote viewing and of course port 80 for webviewer.
No UPnP ports open

Man, You opened both NVR ports to full internet and then you complain that the entire internet are trying to connect to it

Congratulations

there are millions of internet crawlers which try to connect to each ip address and each port..
to check which services is open to public & can be hacked...
millions cams were hacked that way..

There are public website with databases of open services & ports...
Check:

https://www.shodan.io/search?query=dahua

Almost milion opened Dahua cams & NVRs...

Disable opened ports & migrate to VPN..
Or if VPN is too difficult You can use Dahua P2P as much more secure option comparing to opened ports..

Nick70068 · 2024-09-28T14:19:32-0400

Which port needs to open for P2P?

looney2ns · 2024-09-28T14:25:29-0400

Nick70068 said:
Which port needs to open for P2P?

None of them. That's the point in using P2P, avoiding the need to open ports.

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

Nick70068 · 2024-09-28T14:31:04-0400

I thought P2P still required an open port? If not how does it penetrate the router/firewall?

steve1225 · 2024-09-28T14:42:17-0400

Nick70068 said:
I thought P2P still required an open port? If not how does it penetrate the router/firewall?

in P2P mode cam / NVR have non stop opened connection (but no open port) to stun / proxy server..
Clients (DMSS) informs NVR that want to connect using this proxy server.
If NVR accept that connections, both NVR & clients do 'UDP hole punching' on firewalls on both ends, get from stun server own public ip/port combination, informs
second end about its public ip & ports using proxy server and start stable UDP connection over those created UDP holes...

Process is very technical - but is used by most voice/video real transmission apps, WebRTC clients, torrent clients, some games...
Big plus - there is no open 24/7 port.. there is one hole punched UDP port, but it's open only at time of connection.

UDP hole punching - Wikipedia

en.wikipedia.org

STUN - Wikipedia

en.wikipedia.org

looney2ns · 2024-09-28T14:46:51-0400

Nick70068 said:
I thought P2P still required an open port? If not how does it penetrate the router/firewall?

Nope, by tunneling a UDP connection.

Nick70068 · 2024-09-28T14:47:49-0400

Thank you for the explanation. I disabled all port forwarding on my main ISP router. I did a open port scan from my public IP address side and everything looks closed now.

I still like to know why Dahua from multiple locations are accessing the NVR.

Nick70068 · 2024-09-28T14:48:41-0400

If this doesn't prevent accessing, I guess I will have to setup Wireguard VPN on everything.

looney2ns · 2024-09-28T14:56:07-0400

Nick70068 said:
Thank you for the explanation. I disabled all port forwarding on my main ISP router. I did a open port scan from my public IP address side and everything looks closed now.

I still like to know why Dahua from multiple locations are accessing the NVR.

The way I read those warnings is that it is telling you what device is being hit on your network.
Not that it's Dahua doing the connection from the outside.

steve1225 · 2024-09-28T14:57:24-0400

Nick70068 said:
Thank you for the explanation. I disabled all port forwarding on my main ISP router. I did a open port scan from my public IP address side and everything looks closed now.

I still like to know why Dahua from multiple locations are accessing the NVR.

In P2P mode, Dahua cam or NVR will have 2 UDP connections with 2 IP addresses.
One is for stun / proxy server (which is required for P2P work and which is easy to debug because it is using open text protocol encapsulated in UDP).
Second is bigger mistery - it's encoded. But probably it is connection to notification servers, which are used to send notifications to mobiles.

Also if You use NTP time synchronization, there is third cyclic UDP connection with time server.

If you totally paranoid, you can disable P2P and use VPN.
I disable P2P on all cams, but I enable P2P on all NVRs and intercoms to have normal connection without VPN on clients (DMSS, SmartPSS).
Never had problems. And never found any strange connections in P2P mode and I use more advanced options on firewall.
Many times in history I debugged connection done by Dahua cams / NVR using tcpdump / Wireshark.

steve1225 · 2024-09-28T14:59:10-0400

looney2ns said:
The way I read those warnings is that it is telling you what device is being hit on your network.
Not that it's Dahua doing the connection from the outside.

yes, if there were opened ports on router in past then for many days / weeks / months there will be more tries to connect with those ports..
those public ip and port combinations are in many public opened port databases..

bigredfish · 2024-09-28T15:02:38-0400

Your open ports on your router were the main culprit.

Dahua P2P does ping various servers on their cloud, thats what makes P2P work. Its not a problem as described above

With the firewall appliance you're just seeing it for the first time

Nick70068 · 2024-09-28T15:10:14-0400

Okay, thanks for the explanation.

bigredfish · 2024-09-28T15:12:06-0400

Like @steve1225 I disable P2P on the cameras themselves, but turn it on at the NVR.

The P2P connections you'll see repeated every couple of minutes as it keeps touch with the P2P cloud servers and looks for push messages and/or video connections.

Notice on mine you also see the connections to my mail server host

Like this

bigredfish · 2024-09-28T15:28:45-0400

People who have never seen a firewall output with IPS would be amazed how many servers your Samsung Smart TV talks to and how often.

Search

Multiple Dahua locations trying to gain access to NVR

Nick70068

Getting the hang of it

Attachments

steve1225

Nick70068

Getting the hang of it

steve1225

Nick70068

Getting the hang of it

steve1225

Nick70068

Getting the hang of it

looney2ns

Nick70068

Getting the hang of it

steve1225

UDP hole punching - Wikipedia

STUN - Wikipedia

looney2ns

Nick70068

Getting the hang of it

Nick70068

Getting the hang of it

looney2ns

steve1225

steve1225

bigredfish

Known around here

Nick70068

Getting the hang of it

bigredfish

Known around here

bigredfish

Known around here