Blue Iris Chewing Through Bandwidth

rocky_mtn

n3wb
Joined
Apr 1, 2019
Messages
21
Reaction score
4
Location
Colorado
So I recently got popped last month by my ISP for using double my allotted data for the month. After looking around and seeing other threads about this that essentially went unsolved or unreported as solved, I dug in deeper. What I found I can barely explain, but I'm wondering if it's a security flaw. I'm by no means an IT guy but I do have a decent home lab setup. I have an EdgeRouter 4, 24 port PoE Edgeswitch, a large media server that doubles as a Blue Iris machine and 4 UBNT UVC-G3 cameras. I looked into my bandwidth because Xfinity notified me and Norton also did so requesting that I run their Power Eraser software due to abnormal amounts of outbound traffic. Kept digging and found that IP addresses from all over the world are logging into my Blue Iris web server and streaming my cameras. I'm obviously just looking for a solution so I can still use BI and not go over my data cap...and I do realize when nobody is viewing the feeds, it uses no bandwidth. I'll try to attach a couple screen shots of the switch, showing almost 40 Mbps at idle on port 3 for the camera server activity, and the log with one entry with a Polish IP address. Last week it was a Chinese IP address. I'm hoping someone can help me identify the problem. If I kill BI the bandwidth goes down to normal 5 Mbps with a video stream or two playing. They are logging in the web server and only being identified as "Server" with no credentials in the logs.

Capture14.JPG
Capture16.JPG
Capture17.JPG
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,703
Reaction score
38,879
Location
Alabama
If you are not using a VPN-enabled router (or VPN running on server) and have a port or ports forwarded in your router (or UPnP is enabled in the router and/or cameras), then it's highly likely your network has been breached and as you have discovered, your cameras are streaming to somewhere.

Also....Under BI's "users", you don't have "anonymous" enabled, do you?
 

rocky_mtn

I do not have an "anonymous" under users. Only myself, my wife, and my mother with check marks next to them. I unchecked the "local_console" account for now trying to determine if that was how they were getting in, but it made no difference. Are you positive the Users tab is where anonymous is located? Seems like a strange username, unless I'm missing something.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,901
Reaction score
21,269
To clarify, there is no other thread where any user has reported that others are actually viewing their cameras. Most of the time it's simply an IP hitting the webpage, which is normal if you port forward. Post the images of the log showing the connection. Are you using cloud cameras like Nest in addition to the G3? Are your cameras local to your network?
 

lifeatredline

Getting the hang of it
Joined
Jul 4, 2016
Messages
102
Reaction score
73
Location
USA
Anonymous user accounts happen if require from "no connections", or "non-lan connections" is selected in advanced tab of web server options in main console menu. It should be set to all connections and additionally you can whitelist the IP range or add specific addresses that should be allowed to log in with correct username and password (authentication), and all else will be denied the ability to try logging in. I use my subnet range, Verizon mobile subnet range and my WAN IP.
 

rocky_mtn

My cameras are local to my network, all UVC-G3 UBNT cams. I posted the log entry above, but have plenty more where that came from. If you look at the bottom of my first post, it shows first my router's DPI deep packet inspection graph showing way abnormal bandwidth. Second is a screenshot of the port on my switch showing actual bandwidth being transmitted, and last is the log entry for the most recent connection to the webserver with an IP in Poland. The "other threads" I was referring to were actually unsolved bandwidth usage threads that the user probably didn't look into this as deeply as I have or had the tools to do so. My guess is they just pulled the software down or lived with their streams being sent across seas...Not trying to be snarky but, make no mistake, my network has been breached using the Blue Iris web server.
 

rocky_mtn

So here is my screenshot. Looks like it's in the web server tab. Mine's blank. I probably have something set up wrong, but I just need to get to the bottom of it. I'm not blaming Blue Iris whatsoever...FWIW, I don't remember ever changing ANY settings on this page, but it appears some stuff is set different than the default config.

Capture19.JPG
 

rocky_mtn

Technically I have 3 users, myself, my wife, and my mother. My wife I could set up our local subnet, our WAN, and Sprint subnet...but how will that change if I'm on my work wifi, or my wife is at the doctor's office on their wifi. It just won't let us in and we have to switch to mobile data to view the cams? If that's what it takes, so be it. I just gotta get these random peeps off my network sniffing around. Oh and my mom is technically the only user that uses the web server. My wife and I both use the app. But my mom lives hundreds of miles away...if that matters any.
 

fenderman

Highly doubt it. There is no log entry posted above as it's incomplete. The other threads you mention usually revolve around users who have cloud cameras or remote cameras.
Lots of folks make improper assumptions like you have.
 

fenderman

If you look at the actual log you will see the connection times as well as the frames sent. No one in Poland or China is streaming your feed 24/7, you are not that interesting.
 

rocky_mtn

It's a screenshot of the remote login showing a Polish IP address in my very first post. It's not an attachment. My cameras are local, store video here, and don't send data anywhere unless someone is requesting it, via the web server. Is there anything else I can provide to help get to the bottom of this, as I don't wanna make the fenderman mad...I just want help, that's all. Sorry if I came across in a rude way, it's hard to tell one's demeanor reading text. I didn't intend to sound confrontational if I did. My apologies.
 

fenderman

See above, it's NOT a log. If you look at the actual log... If you look at the actual log you will see the connection times as well as the frames sent. No one in Poland or China is streaming your feed 24/7, you are not that interesting. Your connection was not hacked.
 

rocky_mtn

Fair enough, well now the connections tab is blank because I pulled the server when I found this activity. I'll give it some time and post back when something pops up. Thanks @fenderman =)
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
How do you have things set up in your router so that you can stream from BI yourself when not on your LAN? If you are simply port forwarding the default server port 80, you are just asking for everyone in the world to come and check out your server...

Also, how much time do you spend watching your cams from outside yourself?
I had a desktop at my office pulling the UI2 (at the time) page full-time for a month or two before I realized it was blowing out my usage quota...
 

rocky_mtn

I only watch a very few times throughout the day on the app. I can concur that I was inviting trouble using port 80 apparently. I've changed the port and it looks like in the connections tab there were never any unknown connections with any "time" or "frames" logged in. That said, I still have a problem going on that I have to get to the bottom of. It's a mystery at this point unless my Unifi cams are phoning home or something. I've managed to drop the data on port 3 of my switch down below 30 Mbps which is my server machine and BI PC, but it's wigging me out how when I kill the BI software process the bandwidth drops to less than 5 Mbps and into the 100's of Kbps if I'm not streaming any media. There's something going on with this main server PC that's not adding up. My cameras on ports 13-16 are pretty much constant at 6.6 Mbps receive and 120 Kbps transmit at any given time with no jumps or spikes which sounds normal. It's just the machine running BI spiking and diving according to whether the software is running or not. Very weird...I'm about to let it rest for the night, but I'm always open to suggestions. I also set up my IPs as @lifeatredline suggested to further lock it down. I'll just have to make my wife and mom aware that if they can't access it from the WiFi they're on, they'll have to switch to mobile data to login...which is kind of a bugger, but it is what it is. I'll probably dig into firewall rules and VLAN stuff off when I have time this weekend, which should have been done in the first place when I set this system up. Shame on me...Thanks for everyone's input.
 

lifeatredline

If I'm understanding what you said correctly, your cameras are streaming when Blue Iris is not running? If you close Blue Iris (console if not running as a service, or terminate in task manager if running as service) then your cameras should not be streaming any data across the switch. It is normal for network traffic to increase by the data stream size of your cameras when you run Blue Iris, as it requests the video streams from the cameras and that data will move across your network through your switch, but not your router unless you are remote viewing with the BI app or UI3 interface from outside your network and the data will be less than what moves on the local network. Your description of what's happening makes me think your cameras are streaming video to somewhere aside from Blue Iris, and then you see additional local network traffic when you start Blue Iris and it requests video streams. If you have not set up for streaming aside from Blue Iris you need to check your camera config in the camera admins. And possibly ban the cameras from internet access in the router if they are in fact streaming direct somewhere outside your network.
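
An added example, not part of any post in this thread and not Blue Iris code: it combines the two checks discussed above, the source-address allowlist and the connection time and frames sent per connection, to separate an address that only hit the web page from one that actually pulled video. The record layout, the addresses (documentation ranges) and the function names are constructed for illustration and are not Blue Iris's real log format.

```python
import ipaddress

# Constructed allowlist standing in for: LAN subnet, a mobile-carrier
# range, and a single WAN address (documentation ranges, not real ones).
ALLOWED = [ipaddress.ip_network(n) for n in
           ("192.168.1.0/24", "198.51.100.0/24", "203.0.113.7/32")]

# Constructed connection records (assumed layout, not the real log):
# source IP, user, seconds connected, frames sent
SAMPLE = """\
192.168.1.50,user1,310,4650
198.51.100.23,user2,95,1400
203.0.113.200,,2,0
192.0.2.77,,0,0
192.0.2.90,,5400,81000
not-an-ip,,1,0
"""

def is_allowed(addr):
    """True if the address falls inside any allowlisted network."""
    return any(addr in net for net in ALLOWED)

def classify(line):
    """Return (source, verdict) for one comma-separated record."""
    try:
        ip_text, _user, _seconds, frames = (f.strip() for f in line.split(","))
        addr = ipaddress.ip_address(ip_text)
        frames = int(frames)
    except ValueError:
        # Wrong field count, bad address or non-numeric frame count.
        return line.strip(), "unparseable"
    if is_allowed(addr):
        return ip_text, "allowlisted"
    # Frames sent > 0 means video left the network; 0 is just a page hit.
    if frames > 0:
        return ip_text, "external-stream"
    return ip_text, "external-probe"

def triage(text):
    """Classify every non-empty record in the text."""
    return [classify(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for source, verdict in triage(SAMPLE):
        print(f"{source:16} {verdict}")
```

Only the `external-stream` rows correspond to bandwidth actually leaving through the web server; `external-probe` rows are the page hits expected on any forwarded port.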
 