Dahua Cameras reaching out to China.

Discussion in 'Dahua' started by GenerallyZod, Jun 16, 2019.

  1. GenerallyZod

    GenerallyZod n3wb

    Both .51 and .52 are Dahua cameras, and they beacon to China regularly. (see attached)

    Anyone have more information on this?

    I would strongly advise blocking their egress on your routers or configuring their IPs as static with no default route.
    dahua_china.PNG

    mat200 likes this.
  2. SouthernYankee

    SouthernYankee IPCT Contributor

    Where and from whom did you buy the cameras?
    Do you have UPnP enabled in your cameras or routers?
    How long have these cameras been up and running?
    Are you using port forwarding to access the cameras from the internet?
     
    mat200 likes this.
  3. Dramus

    Dramus Getting the hang of it

    I wonder if they're checking for new firmware updates?

    OP: Is System -> Upgrade -> Auto-check for updates checked?

    I have that unchecked on mine because I distrust auto-updates and have my cameras blocked from Internet access, anyway.
     
  4. mat200

    mat200 IPCT Contributor

    Welcome @GenerallyZod

    Good to have you join us.

    Which models of cameras do you have?
     
  5. GenerallyZod

    GenerallyZod n3wb

    @mat200:

    Device Type
    IPC-HDBW4431R-ZS
    Software Version
    2.420.0000.21.R, Build Date: 2016-07-24
    WEB Version
    3.2.1.364036
    ONVIF Version
    2.42

    Device Type
    IPC-HDBW4433R-ZS
    System Version
    2.621.0000.28.R, Build Date: 2017-09-12
    WEB Version
    3.2.1.495007
    ONVIF Version
    16.12(V2.3.1.460928)


    @Dramus:
    Auto check for updates is not in the UI on either camera, guessing older firmware.

    @SouthernYankee:

    Where and from whom did you buy the cameras?
    USA / Amazon

    Do you have UPnP enabled in your cameras or routers?
    Hell no :-D

    How long have these cameras been up and running?
    I think a couple of years

    Are you using port forwarding to access the cameras from the internet?
    No. - Blue Iris.
     
    SouthernYankee and mat200 like this.
  6. mat200

    mat200 IPCT Contributor

    Thanks @GenerallyZod

    Hmmm... Those appear to be Chinese market Dahua cameras.

    Very interesting.

    What software generated the graph? Wondering what else we can learn about the communication.

    I would try to inspect the packets and see what else we can learn (perhaps try Wireshark or a similar packet inspection tool).
     
  7. GenerallyZod

    GenerallyZod n3wb

    The software is ElastiFlow (robcowart/elastiflow) built on the ELK stack. It's a pig for resources, and of course NetFlow is a fairly steep network tax, but all in all worth it IMHO. Great software for analysis anyway.

    Yeah, I agree... it's time for some further investigation. I'll decode the packets and post my findings... We will only see part of the conversation, as they can't actually get past my router. One of the servers they are trying to talk to is just a web server (NGINX welcome page...). Let's hope it's not trying to HTTP POST.
     
    mat200 likes this.
  8. SouthernYankee

    SouthernYankee IPCT Contributor

    If you are using Blue Iris there is no need for the cameras to have access to the internet. Some routers allow for blocking of home network devices from accessing the internet. On the ASUS router you can use Parental Controls to block MAC addresses. Other routers have different methods.

    You can set the cameras up on a different subnet and block them that way.

    The way I have my BI PC set up is with two NIC cards. One for the home network and one for a camera-only network. This physically separates the cameras from the home network.
     
  9. Mike A.

    Mike A. Getting comfortable

    Check that you don't have the P2P/EZ4IP checked on. But even with it off some of the older Dahua firmware around that time was known to phone home and otherwise try to make connections regardless of user settings. e.g., see:

    Dahua Starlight IPC-HDW5231RN-Z not working :(
    Could there be virus in cheap Chinese IP cams?

    Should be fixed in later firmware but I still wouldn't trust any of them. Block access and wall them off to the extent that you can.
     
  10. VorlonFrog

    VorlonFrog Known around here

    Some of the lower-end Chinese no-name cameras were found to be hardcoding DNS IP addresses in their firmware, precisely to work around intentionally entering no or an invalid DNS IP address. If they're going to work that hard to get out, I'm blocking every last one of them from accessing the net, even Dahua and Hikvision cameras. Mega-thanks to Asus-WRT and Merlin for this entirely useful feature.
     
    SouthernYankee and EMPIRETECANDY like this.
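
    The regular beaconing seen in the NetFlow data earlier in the thread and the hardcoded-DNS behaviour described in the post above can both be flagged from flow records. This is an added example, not code from any poster in this thread; the full camera addresses, subnet, resolver, thresholds and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
CAMERAS = {"192.168.1.51", "192.168.1.52"}     # assumed full addresses for .51/.52
APPROVED_DNS = {"192.168.1.1"}                 # assumed local resolver

# Constructed flow records: (epoch_seconds, src, dst, dst_port).
# Destinations use documentation ranges, not real servers.
FLOWS = [
    (0, "192.168.1.51", "203.0.113.10", 80),
    (300, "192.168.1.51", "203.0.113.10", 80),
    (601, "192.168.1.51", "203.0.113.10", 80),
    (899, "192.168.1.51", "203.0.113.10", 80),
    (1200, "192.168.1.51", "203.0.113.10", 80),
    (10, "192.168.1.52", "198.51.100.7", 443),   # irregular, not a beacon
    (70, "192.168.1.52", "198.51.100.7", 443),
    (400, "192.168.1.52", "198.51.100.7", 443),
    (410, "192.168.1.52", "198.51.100.7", 443),
    (15, "192.168.1.51", "192.168.1.1", 53),     # approved resolver
    (20, "192.168.1.52", "203.0.113.53", 53),    # resolver nobody configured
    (30, "192.168.1.20", "203.0.113.10", 80),    # not a camera, ignored
]

def analyze(flows, max_jitter=0.1, min_hits=4):
    """Return (beacons, rogue_dns) for camera flows trying to leave the LAN."""
    times = defaultdict(list)
    rogue_dns = set()
    for ts, src, dst, port in flows:
        if src not in CAMERAS:
            continue
        if port == 53 and dst not in APPROVED_DNS:
            rogue_dns.add((src, dst))            # DNS sent around the configured resolver
        elif ipaddress.ip_address(dst) not in LAN:
            times[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A beacon repeats at a near-constant interval: low spread relative to the mean gap.
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            beacons[key] = round(mean(gaps))     # interval in seconds
    return beacons, rogue_dns

if __name__ == "__main__":
    print(analyze(FLOWS))
```

    Flows that the router drops still show up in flow export, so this works even when egress is already blocked.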
  11. EMPIRETECANDY

    EMPIRETECANDY IPCT Vendor

    The camera you are using is hacked from Chinese market cams. Actually speaking, US models or international models have a much higher standard than the cams in the Chinese market. Or else they can't sell all over the world.
     
  12. alastairstevenson

    alastairstevenson Staff Member

    Another is a Windows file server offering RPC services.
     
    mat200 and EMPIRETECANDY like this.