Dahua IP Camera UDP traffic

xLaurentp (n3wb; joined Dec 10, 2020; Singapore)

Hi,

I am checking whether anybody is seeing UDP (ports 8810 to 8815) traffic to IP address 47.74.155.50? I am using a Sophos XG firewall and I can see both my Dahua IP cameras showing UDP traffic to that IP address. I have currently dropped all traffic to the IP address on the firewall. I have disabled P2P, Bonjour and DDNS on the cams. NTP uses port 123, which I can see in the firewall logs going to the NTP server. I am not able to figure this out. Maybe someone in the community is able to figure out what it is?

All ports used are default as shown, and the IP cams are hooked up to a Dahua DHI-NVR2104-4KS2. I have no apps or other recorders connecting to the IP cams directly.
[Screenshot attachment: 1607592147911.png]

Thanks.
 

alastairstevenson (Staff member; joined Oct 28, 2014; Scotland)

> I have disabled P2P, Bonjour, DDNS on the Cams. NTP uses port 123 which I can see on the firewall logs to the NTP server.

Maybe check if you have the 'Auto check for updates' option set under the System | Upgrade menu.
Though that seems to use TCP.
 

SyconsciousAu (Getting comfortable; joined Sep 13, 2015)

Chinese cameras phone home, hence why mine are banned from the internet. I don't remember ports and IP because I turned off the log on that firewall rule because it was seeing so much activity.
 

MyDaHua (Getting the hang of it; joined Jul 10, 2020; Poland)

I have 2 Dahua EZIP cameras in the LAN and I see no UDP traffic at all (I disabled all services, including multicast, with the exception of ONVIF) and all cameras are allowed to talk only in the LAN.
For safety I made a custom Suricata rule to drop traffic from the camera IPs going to the WAN:
[Screenshot attachments: Screenshot_2020-12-10_11-31-36.png, Screenshot_2020-12-10_11-30-37.png]
 

xLaurentp (n3wb; joined Dec 10, 2020; Singapore)

> Maybe check if you have the 'Auto check for updates' option set under the System | Upgrade menu.
> Though that seems to use TCP.

Auto updates are disabled on both Cams. Now I just did a factory default reset and reconfigured both Cams and now it stopped showing any unintended traffic out of the WAN.

> I have 2 Dahua EZIP cameras in the LAN and I see no UDP traffic at all (I disabled all services, including multicast, with the exception of ONVIF) and all cameras are allowed to talk only in the LAN.
> For safety I made a custom Suricata rule to drop traffic from the camera IPs going to the WAN:

Thanks for the suggestion, I will make a rule too.
 

Shockwave199 (Known around here; joined Mar 13, 2014; New York)

You should also change those TCP/UDP ports from their defaults. Regardless, I never leave the ports at default.
 
Joined Jul 17, 2019, Location: FL

Yes, I see the same thing. I checked my DNS lookups from my camera VLAN and have these:
amcrestview.com
dh.amcrestsecurity.com
update.easyviewercloud.com

They appear to be checking for updates. However, if some state-sponsored group wanted to launch an attack from within, this would be a great way to set it up. My hosts beacon every 4-5 minutes.
I'm going through them now to remove auto update, phone-home, etc.
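
Added example, not code from any poster in this thread: a short script that filters flow records for camera-to-WAN traffic outside an allowlist and estimates the beacon interval, which is the check the posts above describe doing by eye in firewall logs. The camera subnet, NVR and NTP addresses, timestamps and record layout are constructed assumptions; only 47.74.155.50 and UDP ports 8810 to 8815 come from the thread.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# RFC 1918 ranges are treated as LAN; everything else counts as WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed camera VLAN
ALLOWED = {("udp", 123)}  # assumed expected egress: NTP only

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def unexpected_egress(flows):
    """Group camera->WAN flows by (src, dst); report ports and beacon gap."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if ipaddress.ip_address(src) not in CAMERA_NET or is_lan(dst):
            continue  # not a camera, or traffic that stays inside the LAN
        if (proto, dport) in ALLOWED:
            continue  # expected service such as NTP
        groups[(src, dst)].append((ts, proto, dport))
    report = {}
    for key, hits in groups.items():
        times = sorted(t for t, _, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(hits),
            "ports": sorted({(p, d) for _, p, d in hits}),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

def sample_flows():
    """Constructed records: (epoch_s, src, dst, proto, dport)."""
    flows = []
    for i in range(6):  # camera .21 sends UDP to the thread's IP every 270 s
        flows.append((1000 + 270 * i, "192.168.10.21",
                      "47.74.155.50", "udp", 8810 + i))
    flows.append((1010, "192.168.10.21", "192.168.10.5", "tcp", 554))  # NVR
    flows.append((1020, "192.168.10.22", "198.51.100.7", "udp", 123))  # NTP
    flows.append((1030, "192.168.10.22", "192.168.10.5", "tcp", 554))  # NVR
    return flows

if __name__ == "__main__":
    for (src, dst), info in unexpected_egress(sample_flows()).items():
        print(src, "->", dst, info)
```

A steady median gap with a small set of destination ports is the pattern to look for before deciding whether to block the destination or, as in the posts above, block all camera egress.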
 

mikeynags (Known around here; joined Mar 14, 2017; CT)

Did you buy from Alibaba? Check out the WHOIS info for that IP below.

NetRange: 47.74.0.0 - 47.87.255.255
CIDR: 47.76.0.0/14, 47.80.0.0/13, 47.74.0.0/15
NetName: AL-3
NetHandle: NET-47-74-0-0-1
Parent: NET47 (NET-47-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Alibaba.com LLC (AL-3)
RegDate: 2016-03-17
Updated: 2017-04-26
Ref:

OrgName: Alibaba.com LLC
OrgId: AL-3
Address: 400 S El Camino Real, Suite 400
City: San Mateo
StateProv: CA
PostalCode: 94402
Country: US
RegDate: 2010-10-29
Updated: 2017-06-16
Comment: 1.For AliCloud IPR Infringement and Abuse Claim, please use below link with browser to report: IPR Infringement and Abuse Claim - Alibaba Cloud
Comment:
 