
#1 2025-05-22 07:07:26

irrexp
Member
Registered: 2025-05-22
Posts: 6

[SOLVED] Unidentified traffic on network interface

After having been very loose with the security of my system I started to monitor the traffic with iftop, which I had never done before.

I noticed that on my network interface (wired) I constantly have these two addresses sending packets to all-systems.mcast.net:
- 52.132.2.42 (whois says it belongs to Microsoft - a real bummer in itself)
- node-81s.pool-1.1.dynamic.totinternet.net

This happens even when nothing is running but a terminal and after I stop all services I can think of.

Could someone be kind enough to explain to me what that is and what actions are required, if any?

Last edited by irrexp (2025-05-25 09:11:22)


#2 2025-05-22 07:25:19

cryptearth
Member
Registered: 2024-02-03
Posts: 1,435

Re: [SOLVED] Unidentified traffic on network interface

you can use

sudo lsof -i

to see which process opens these connections

// edit

the M$ IP also comes up in combination with Minecraft - so it's likely the authentication uplink when playing Minecraft

the other one seems to be some issue with 192.168.1.1 being presented backwards as 1.1.168.192 - hints at some network / DNS issue

Last edited by cryptearth (2025-05-22 07:31:35)


#3 2025-05-22 09:55:58

irrexp
Member
Registered: 2025-05-22
Posts: 6

Re: [SOLVED] Unidentified traffic on network interface

Interesting. I've been triggering lsof -i whenever the two addresses showed up in iftop.

Noticed on the occasion that they appear concomitantly. It seems that mdns is involved as suggested.

systemd-r 3264 systemd-resolve 11u  IPv4  34393      0t0  UDP *:llmnr
systemd-r 3264 systemd-resolve 12u  IPv4  34394      0t0  TCP *:llmnr (LISTEN)
systemd-r 3264 systemd-resolve 13u  IPv6  34401      0t0  UDP *:llmnr
systemd-r 3264 systemd-resolve 14u  IPv6  34402      0t0  TCP *:llmnr (LISTEN)
systemd-r 3264 systemd-resolve 15u  IPv4  34403      0t0  UDP *:mdns
systemd-r 3264 systemd-resolve 16u  IPv6  34404      0t0  UDP *:mdns
systemd-r 3264 systemd-resolve 22u  IPv4  34409      0t0  UDP _localdnsstub:domain
systemd-r 3264 systemd-resolve 23u  IPv4  34410      0t0  TCP _localdnsstub:domain (LISTEN)
systemd-r 3264 systemd-resolve 24u  IPv4  34411      0t0  UDP _localdnsproxy:domain
systemd-r 3264 systemd-resolve 25u  IPv4  34412      0t0  TCP _localdnsproxy:domain (LISTEN)

Now I started running iftop on other machines on my network and I noticed that the same IP also appears but together with a slightly different domain (node-81s.pool-1.1.dynamic.nt-isp.net) on a Debian machine where it is the avahi-daemon that is involved (so again mdns).

Does the plot thicken?

I guess my question now becomes: what does an IP address belonging to M$ (or related to Minecraft, which I do not play) have to do with multicast dns on my local network?

Last edited by irrexp (2025-05-22 10:05:23)


#4 2025-05-22 20:05:27

teckk
Member
Registered: 2013-02-21
Posts: 529

Re: [SOLVED] Unidentified traffic on network interface

Another tool that I just noticed recently.

lsfd -J | less


#5 2025-05-22 21:21:54

cryptearth
Member
Registered: 2024-02-03
Posts: 1,435

Re: [SOLVED] Unidentified traffic on network interface

well - if we apply the idea that something is being presented backwards and ignore the spacing we would end up with something like 242.x.y.z - but this is in an unusable space, even above the multicast range 224.0.0.0 - 239.255.255.255
so whatever this is it seems likely something mdns related
have you tried to just disable mdns and instead use upstream dns through your router?

Last edited by cryptearth (2025-05-22 21:23:42)


#6 2025-05-23 18:49:56

irrexp
Member
Registered: 2025-05-22
Posts: 6

Re: [SOLVED] Unidentified traffic on network interface

teckk wrote:

Another tool that I just noticed recently.

lsfd -J | less

cool, thx

cryptearth wrote:

have you tried to just disable mdns and instead use upstream dns through your router?

I now edited resolved.conf with

MulticastDNS=no
LLMNR=no
DNSStubListener=no

After stopping/starting systemd-resolved, the two initial addresses still appear in iftop although lsof -i only gives

systemd-n 395 systemd-network 34u IPv4   6301    0t0   UDP myhostname:bootpc

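The same change as an added example (my script, not something posted in the thread): the keys above belong under a [Resolve] section header, and on Arch the usual place for them is a drop-in under /etc/systemd/resolved.conf.d/ rather than an in-place edit of resolved.conf. The directory is taken as an argument so the file can be tried in a scratch location first; the default path is the real one. DNSStubListener=no is deliberately left out: it does nothing for multicast, and it removes the 127.0.0.53 stub that /etc/resolv.conf points at when it is the symlink to /run/systemd/resolve/stub-resolv.conf, which breaks ordinary name resolution.

```shell
#!/bin/sh
# Added example, not from the thread: disable mDNS and LLMNR in systemd-resolved
# via a drop-in instead of editing resolved.conf in place. DIR is an argument so
# the file can be tried in a scratch directory; the real location is
# /etc/systemd/resolved.conf.d (assumed as the default below).

write_resolved_dropin() {
    dir="${1:-/etc/systemd/resolved.conf.d}"
    mkdir -p "$dir"
    # [Resolve] is the section the keys must sit under; without it they are ignored.
    # DNSStubListener is left at its default so 127.0.0.53 keeps working.
    cat > "$dir/10-no-multicast.conf" <<'EOF'
[Resolve]
MulticastDNS=no
LLMNR=no
EOF
    printf '%s\n' "$dir/10-no-multicast.conf"
}

# dropin_sets FILE KEY VALUE: succeeds when FILE has a [Resolve] section and KEY=VALUE.
dropin_sets() {
    grep -q '^\[Resolve\]' "$1" && grep -q "^$2=$3\$" "$1"
}

# Live-system check (not exercised by the test): restart resolved and confirm
# nothing listens on mDNS (udp 5353) or LLMNR (udp 5355) any more.
apply_and_verify() {
    systemctl restart systemd-resolved
    resolvectl status | grep -E 'LLMNR|MulticastDNS|Protocols'
    ss -lunp | grep -E ':(5353|5355) ' || echo "no mDNS/LLMNR listeners"
}

case "${1:-}" in
    write) write_resolved_dropin "$2" ;;
    apply) apply_and_verify ;;
esac
```

Run as `sudo sh no-multicast.sh write` and then `sudo sh no-multicast.sh apply`. This only covers systemd-resolved; the Debian box in post #3 runs avahi-daemon, which is a separate service and is silenced with `systemctl disable --now avahi-daemon.socket avahi-daemon.service`. Neither step will make inbound multicast disappear from iftop: it stops your host from sending and answering mDNS/LLMNR, it does not stop other devices from addressing 224.0.0.1.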

#7 2025-05-24 06:17:32

-thc
Member
Registered: 2017-03-15
Posts: 887

Re: [SOLVED] Unidentified traffic on network interface

Maybe you're chasing ghosts here.

irrexp wrote:

I noticed that on my network interface (wired) I constantly have these two addresses sending packets to all-systems.mcast.net

I presume you see something like this in iftop:

52.132.2.42                                => all-systems.mcast.net
node-81s.pool-1.1.dynamic.totinternet.net  => all-systems.mcast.net

This means your system is receiving those packets because your system accepts multicast packets addressed to 224.0.0.1 (all-systems.mcast.net).
The source of those packets is outside of your system.


#8 2025-05-24 17:41:24

irrexp
Member
Registered: 2025-05-22
Posts: 6

Re: [SOLVED] Unidentified traffic on network interface

-thc wrote:

Maybe you're chasing ghosts here.

It certainly looks like it. ;)

-thc wrote:

I presume you see something like this in iftop:

52.132.2.42                                => all-systems.mcast.net
node-81s.pool-1.1.dynamic.totinternet.net  => all-systems.mcast.net

This means your system is receiving those packets because your system accepts multicast packets addressed to 224.0.0.1 (all-systems.mcast.net).
The source of those packets is outside of your system.

It is exactly what I see and you are totally right. The confusion came from the fact that most of the traffic looks like this:

hostname                              =>  outside IP
                                             <=

which suggests that the left column is for outgoing traffic from hostname while the arrow pointing left rather shows the packets received by the local machine.

But that is not the case, and passing the -n argument to iftop allowed me to see more clearly what's going on with the IP addresses, all DNS issues aside.

While most of the traffic goes back and forth between my local IP and the outside world, the two recurring ones have a one-way discussion with 224.0.0.1 (as you rightfully pointed out).

It is indeed reassuring that nothing is being sent. But while I totally get that my router (spelled backwards as 1.1.168.192) is regularly talking to the entire local network, I still don't fully understand how 52.132.2.42 comes into play.

On a side note, assuming that it also follows the weird backwards-spelling rule, that would be 42.2.132.52 which is related to some ISP in Hong Kong...


#9 2025-05-24 19:08:18

cryptearth
Member
Registered: 2024-02-03
Posts: 1,435

Re: [SOLVED] Unidentified traffic on network interface

well - wild guess into the blue for the sake of just having asked: do you have any "smart" IoT devices connected to your network? like anything: automated switches, fancy light bulbs, thermostats ... it's just a stupid wild guess - but when it's not M$ and this backwards theory is right then some IoT crap from China is likely to phone home


#10 2025-05-25 06:04:16

-thc
Member
Registered: 2017-03-15
Posts: 887

Re: [SOLVED] Unidentified traffic on network interface

The next step would be to take a packet capture of this traffic and analyze the Ethernet frames that transport those packets (Wireshark).

Presuming the source Ethernet address of those multicast packets is your router - the source may be a bad routing decision inside the router.


#11 2025-05-25 09:10:30

irrexp
Member
Registered: 2025-05-22
Posts: 6

Re: [SOLVED] Unidentified traffic on network interface

cryptearth wrote:

well - wild guess into the blue for the sake of just having asked: do you have any "smart" IoT devices connected to your network? like anything: automated switches, fancy light bulbs, thermostats ... it's just a stupid wild guess - but when it's not M$ and this backwards theory is right then some IoT crap from China is likely to phone home

Well well, it crossed my mind because I indeed have a wireless repeater that I knew was from China (it came from my ISP btw). The maker is SDMCTech. So I disabled it and monitored the traffic but it changed nothing.

Then I came to realize that I had mentioned the two addresses appearing concomitantly. Assuming that 1.1.168.192 was the router itself, I decided to check the MAC address of the said router. It is indeed Chinese and it is also produced by SDMTech.

-thc wrote:

The next step would be to take a packet capture of this traffic and analyze the Ethernet frames that transport those packets (Wireshark).

Which I did. Both packets (coming from 1.1.168.192 and 52.132.2.42) are ICMP packets coming from the router (unambiguously named Shenzen_83) and while the Source address is indeed 52.132.2.42, under "Internet Control Message Protocol" - besides the fact that it is of Type 9 (Mobile IP Advertisement) and of Code 0 (Normal router advertisement) - it says that the router address is (ta-da) 42.2.132.52 (it seems that the backwards spelling is related to the ICMP protocol somehow).

So all in all:
[x] chasing ghosts
[x] common router activity
[x] some device from China is very likely to phone home one day

As it is a very widespread router and I am not too interested in national security issues, I won't dig deeper, hence I am marking this thread as solved.

Thank you all for the assistance in mission ghostbuster.


#12 2025-05-25 17:38:13

cryptearth
Member
Registered: 2024-02-03
Posts: 1,435

Re: [SOLVED] Unidentified traffic on network interface

I'm usually not someone to be found among hermit crab people - but this is some unexpected turn of events
so this is caused by a device from your ISP? and from your way of looking at it I guess you're not living around that suspicious area? I would contact your ISP about that and the device in question and either ask for a replacement from a different brand or for the required details to use your own
if it's DSL or fiber you should be able to use any off-the-shelf device from your nearest store - as for cable: usually you have to supply the modem's MAC to be registered - if your ISP doesn't allow you to use your own device look for a different one
this is just unacceptable - no matter if the ISP does this on purpose or they just don't know because they don't care but are just after the money and chose the cheapest device they could get their hands on in bulk
no matter what this is - even if it's "just" "telemetry" of some Chinese device "phoning home" or there's something more to it (insert your favorite conspiracy here) - it's something a consumer-grade device just should not do (well, I guess unless you live in China anyway - but that's a different world)


#13 Yesterday 06:32:34

irrexp
Member
Registered: 2025-05-22
Posts: 6

Re: [SOLVED] Unidentified traffic on network interface

cryptearth wrote:

so this is caused by a device from your ISP? and from your way of looking at it I guess you're not living around that suspicious area? I would contact your ISP about that and the device in question and either ask for a replacement from a different brand or for the required details to use your own

I hear that. So here is a bit more of the context.

I got a bit scared about the unusual traffic because I have been playing around quite a lot on that specific machine without paying much attention to security: enabling services, leaving ports open (ssh, httpd, tor relay, ...). As you might have noticed I don't know much about networks and I had barely used most of the tools mentioned in the thread before.

In the country there are 3-4 major ISPs and for a fibre connection they often have exclusive contracts with local councils which means that I can't really choose my ISP (that may sound weird to a US citizen I suppose). That means that my provider is one of the main three nationwide and the router is the same for all customers (millions of people). I don't think it is allowed to use your own. The customer service is very minimal. For instance their default CG-NAT configuration prevents you from configuring port forwarding on their routers and the local forums are full of posts from advanced users explaining how long and painful it is to explain to a CS representative what port forwarding actually is.

Out of millions of customers there certainly are networking gurus and cybersecurity experts with the same router showing the same behaviour. I can't think that I am the first customer to wonder: what the heck is this weird IP pinging the local network? Certainly there even are countless businesses using the same material.

Is this router behaviour extremely unusual and suspicious? Remember, it is only sending packets to 224.0.0.1, never receiving any nor sending outside. Should someone be absolutely certain that it is much more concerning than a mere peculiarity of that very widespread material, I'm open to assist but I am in no position to go further on my own.

Edit: I have just done something that I should have done before, which is a search in my native language with the name of the actual provider (I tend to avoid non-English-speaking forums because of the lack of information) and I found someone reporting the same issue - except that the IP is rather 42.132.2.42. The conclusion was that it is ICMP-related and that the IP is spelled backwards. Then the thread was closed because the user switched to another ISP (one of the three I mentioned). This confirms at least one thing: it is not an isolated occurrence.

Last edited by irrexp (Yesterday 06:47:40)


#14 Yesterday 12:44:34

-thc
Member
Registered: 2017-03-15
Posts: 887

Re: [SOLVED] Unidentified traffic on network interface

The behavior of this router model is somewhat curious but on the surface not malicious.

Sending out ICMPv4 router advertisements is in itself noteworthy but sending them with both IPv4 (public, internal) addresses spelled backwards is ridiculous...


#15 Yesterday 13:24:25

cryptearth
Member
Registered: 2024-02-03
Posts: 1,435

Re: [SOLVED] Unidentified traffic on network interface

well - as a German using cable for the past 20 years it's actually relatable to not be able to choose your ISP or use your own device:
- choosing your ISP: as for coax and fiber in Germany you're bound to the provider of the connection - freedom of choice is only possible for DSL
- bring your own device: it's not that long since a law was passed which allows customers to use their own devices - before that for both coax and fiber you had to use the device your ISP provided - using your own was just possible for DSL, again

so even having the choice of ISP or bring your own device is still something depending on where you live, even here in Germany
we, too, have many ISPs with very limited services and bad customer service - and I was a customer service agent for an ISP myself for about 1 1/2 years - so I also know the other side

as for multicast traffic: the multicast traffic itself shouldn't be anything to be concerned about and several services and applications use it
it's actually quite a convenient way for some services to discover each other - like accessing media on a NAS from your TV or phone

for this weird "backwards IP": I'm not sure what's going on here - proper network tools should be able to decode and display this information properly - so either something went south or it's active obfuscation to hide the real purpose of what's going on - but if it's the router "phoning back home to China" that's nothing that should show up on your PC

hm, anyway - whatever it really is that's happening here - from the size of your ISP it's likely they just don't care because they have a monopoly: either you accept it or you don't have internet
it's the same with everything someone holds a monopoly on: either deal with it or get lost

interesting topic nonetheless

