Dahua Cameras reaching out to China.

Joined
Jun 16, 2019
Messages
3
Reaction score
4
Location
USA
Both .51 and .52 are Dahua cameras, and they beacon to China regularly. (see attached)

Anyone have more information on this?

I would strongly advise blocking their egress on your routers or configuring their IPs as static with no default route.
dahua_china.PNG
 


SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Where and from whom did you buy the cameras?
Do you have uPNP enabled in your cameras or routers?
How long have these cameras been up and running?
Are you using port forwarding to access the cameras from the internet?
 

Dramus

Pulling my weight
Joined
May 7, 2019
Messages
323
Reaction score
229
Location
New Jersey
I wonder if they're checking for new firmware updates?

OP: Is System -> Upgrade -> Auto-check for updates checked?

I have that unchecked on mine because I distrust auto-updates and have my cameras blocked from Internet access, anyway.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,907
Reaction score
23,202
Welcome @GenerallyZod

Good to have you join us.

Which models of cameras do you have?
 
Joined
Jun 16, 2019
Messages
3
Reaction score
4
Location
USA
@mat200:

Device Type
IPC-HDBW4431R-ZS
Software Version
2.420.0000.21.R, Build Date: 2016-07-24
WEB Version
3.2.1.364036
ONVIF Version
2.42

Device Type
IPC-HDBW4433R-ZS
System Version
2.621.0000.28.R, Build Date: 2017-09-12
WEB Version
3.2.1.495007
ONVIF Version
16.12(V2.3.1.460928)


@Dramus:
Auto check for updates is not in the UI on either camera, guessing older firmware.

@SouthernYankee:

Where and from whom did you buy the cameras?
USA / Amazon

Do you have uPNP enabled in your cameras or routers?
Hell no :-D

How long have these cameras been up and running?
I think a couple of years

Are you using port forwarding to access the cameras from the internet?
No. - Blue Iris.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,907
Reaction score
23,202
Thanks @GenerallyZod

Hmmm... Those appear to be Chinese market Dahua cameras.

Very interesting.

What software generated the graph? Wondering what else we can learn about the communication.

I would try to inspect the packets and see what else we can learn (perhaps try Wireshark or a similar packet inspection tool).
 
Joined
Jun 16, 2019
Messages
3
Reaction score
4
Location
USA
The software is ElastiFlow (robcowart/elastiflow) built on the ELK stack. It's a pig for resources, and of course netflow is a fairly steep network tax, but all in all worth it IMHO. Great software for analysis anyway.

Yeah I agree... it's time for some further investigation. I'll decode the packets and post my findings.... We will only see part of the conversation as they can't actually get past my router. One of the servers they are trying to talk to is just a web server (NGINX welcome page.....). Let's hope it's not trying to HTTP POST.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
If you are using Blue Iris there is no need for the cameras to have access to the internet. Some routers allow for blocking of home network devices from accessing the internet. On the ASUS router you can use Parental controls to block MAC addresses. Other routers have different methods.

You can set the cameras up on a different subnet and block them that way.

The way I have my BI PC set up is with two NIC cards. One for the home network and one for a camera only network. This physically separates the cameras from the home network.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
Check that you don't have the P2P/EZ4IP checked on. But even with it off some of the older Dahua firmware around that time was known to phone home and otherwise try to make connections regardless of user settings. e.g., see:

Dahua Starlight IPC-HDW5231RN-Z not working :(
Could there be virus in cheap Chinese IP cams?

Should be fixed in later firmware but I still wouldn't trust any of them. Block access and wall them off to the extent that you can.
 
Joined
Aug 3, 2015
Messages
3,820
Reaction score
12,273
Location
Charlotte
Some of the lower-end Chinese no-name cameras were found to be hardcoding DNS IP addresses in their firmware, precisely to work around intentionally entering no or an invalid DNS IP address. If they're going to work that hard to get out, I'm blocking every last one of them from accessing the net, even Dahua and Hikvision cameras. Mega-thanks to Asus-WRT and Merlin for this entirely useful feature.
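
Added example, not part of any post in this thread: a small Python check over exported flow records that lists what each camera tries to reach outside the LAN and flags DNS queries sent to a resolver nobody configured, the hardcoded-DNS behaviour described above. The camera addresses, LAN subnet, resolver address and flow records are all constructed assumptions; substitute an export from your own flow collector.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; the thread only gives the last octets
# (.51 and .52). External addresses use the RFC 5737 documentation ranges.
CAMERAS = {"192.168.1.51", "192.168.1.52"}
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_DNS = {"192.168.1.1"}          # the resolver handed out by the router

# Constructed flow records: (src, dst, dst_port, proto)
FLOWS = [
    ("192.168.1.51", "192.168.1.10", 554, "tcp"),   # RTSP pull by the NVR PC
    ("192.168.1.51", "203.0.113.20", 80, "tcp"),    # outbound HTTP
    ("192.168.1.52", "198.51.100.53", 53, "udp"),   # DNS to an unconfigured resolver
    ("192.168.1.52", "192.168.1.1", 53, "udp"),     # DNS to the local resolver
    ("192.168.1.52", "203.0.113.20", 80, "tcp"),
    ("192.168.1.30", "203.0.113.99", 443, "tcp"),   # not a camera, ignored
]

def camera_egress(flows, cameras=CAMERAS, lan=LAN, allowed_dns=ALLOWED_DNS):
    """Return {camera: {(dst, port, proto, reason): count}} for flows that
    leave the LAN or use a DNS resolver outside allowed_dns."""
    findings = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto in flows:
        if src not in cameras:
            continue
        if port == 53 and dst not in allowed_dns:
            reason = "dns-to-unapproved-resolver"
        elif ipaddress.ip_address(dst) not in lan:
            reason = "egress"
        else:
            continue                    # normal on-LAN traffic
        findings[src][(dst, port, proto, reason)] += 1
    return {cam: dict(hits) for cam, hits in findings.items()}

if __name__ == "__main__":
    for cam, hits in sorted(camera_egress(FLOWS).items()):
        for (dst, port, proto, reason), count in sorted(hits.items()):
            print(f"{cam} -> {dst}:{port}/{proto} x{count} [{reason}]")
```

The LAN is declared explicitly rather than tested with `ipaddress`'s `is_private`, which also returns True for reserved ranges such as the documentation addresses used here.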
 

EMPIRETECANDY

IPCT Vendor
Joined
Nov 8, 2016
Messages
8,294
Reaction score
23,854
Location
HONGKONG
The camera you are using is hacked from Chinese market cams. Actually speaking, US models or international models have a much higher standard than the cams on the Chinese market. Or else they can't sell all over the world.
 