The purpose of this page is to document interesting information derived from logging events related to blocked DNS requests, country blocking, etc.

As I mentioned in another post about DNS, I block all direct DNS requests out to the internet. Blocks are logged, triggering an alert event for me to investigate.

I also do country blocking for countries like China, North Korea and Russia, which yields very interesting things.

Especially on the Internet of Things side, catching those devices trying to communicate with countries like China is always interesting, since many of these devices are manufactured in China.

craigsmith.net

This was an interesting alert, as it was an attempt to log into the admin side of my site using a password, "redcell40", that was in the most recent dump of 1.4 billion emails and passwords. The password didn't work, by the way.

Another interesting aspect is that the source IP comes from the Comcast network, somewhere in Chicago, if you believe GeoIP locations.

_line: 73.72.193.111 - - [06/Jan/2018:04:29:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4596 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0" "log=admin&pwd=redcell40&wp-submit=Log+In&aiowps-captcha-string-info=t7uqif1pba&aiowps-captcha-temp-string=1515212953&aiowps-captcha-answer=9&redirect_to=http%3A%2F%2F68.183.48.96%2Fwp-login.php&testcookie=1"

Fire TV stick

You might think the Amazon device is inactive when the TV is off; however, it is not. I noticed a couple of HTTP requests being sent to China, and since I'm blocking traffic to China, this caused an alert.

log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Information Technology" category_type="Acceptable" url="http://pasta.esfile.duapps.com/api/data?token=c4148e76f1c4b355fbf107ca8b2835b2c719c4489adb5dadcd2dcaea67841f1f&tk=%2FnU6NLzeJreZpip3KZM1ZA%3D%3D&sv=hw-2.4.0" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.21 dst_ip=180.97.33.177 protocol="TCP" src_port=40916 dst_port=80 sent_bytes=0 recv_bytes=4846 domain=pasta.esfile.duapps.com exceptions= activityname="" reason="" user_agent="DXCoreService" status_code="403" transactionid= referer=""


log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Portal Sites" category_type="Unproductive" url="http://hmma.baidu.com/app.gif" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.21 dst_ip=123.125.114.8 protocol="TCP" src_port=51386 dst_port=80 sent_bytes=0 recv_bytes=2007 domain=hmma.baidu.com exceptions= activityname="" reason="" user_agent="Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)" status_code="403" transactionid= referer=""

It turns out that both of these events are due to apps installed on the stick: Downloader and ES File Explorer File Manager.

Nvidia Shield TV

This device runs Android, so it's not surprising that it's trying to send DNS requests directly to Google (8.8.8.8).

log_component=Firewall Rule log_subtype=Denied status=Deny priority=Information duration=0 fw_rule_id=4 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface=Port1 out_interface=Port5 src_mac=00:04:4b:88:b8:0d src_ip=192.168.xxx.13 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=UDP src_port=59961 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health=No Heartbeat message="" appresolvedby=Signature

LG TV

LG TVs use webOS these days as their operating system. What's interesting about this one is that the TV settings show the firewall address as the DNS server; however, it is still making requests to Google DNS.

log_component=Firewall Rule log_subtype=Denied status=Deny priority=Information duration=0 fw_rule_id=4 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface=Port1 out_interface=Port5 src_mac=14:c9:13:74:4d:a8 src_ip=192.168.xxx.157 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=UDP src_port=33050 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health=No Heartbeat message="" appresolvedby=Signature

iPhone

The Maps.me offline map application is apparently making calls out to a Russian server. Not surprising, since the application is owned by the Russian internet company Mail.Ru.

log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Reference" category_type="Acceptable" url="https://s.maps.me/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.27 dst_ip=94.100.180.236 protocol="TCP" src_port=65026 dst_port=443 sent_bytes=0 recv_bytes=0 domain=s.maps.me exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer=""

It's also making calls out to what I'm guessing is an ad server of some sort.

log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Advertisements" category_type="Unproductive" url="https://ad.mail.ru/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.27 dst_ip=217.69.139.42 protocol="TCP" src_port=65030 dst_port=443 sent_bytes=0 recv_bytes=0 domain=ad.mail.ru exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer=""

And a call out to China for what appears to be analytics of some sort.

log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Content Delivery" category_type="Acceptable" url="https://mat1.gtimg.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.27 dst_ip=203.205.158.61 protocol="TCP" src_port=65167 dst_port=443 sent_bytes=0 recv_bytes=0 domain=mat1.gtimg.com exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer=""

My phone has both the Amazon and Skype (formerly Lync) apps installed. For some reason they each seem to be making calls out to Chinese sites, amazon.cn and lync.cn respectively. Both are legitimate sites owned by Amazon and Microsoft; however, I'm pretty sure I have no need to be communicating with them.

log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Online Shopping" category_type="Unproductive" url="https://www.amazon.cn/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.27 dst_ip=54.222.60.218 protocol="TCP" src_port=56206 dst_port=443 sent_bytes=0 recv_bytes=0 domain=www.amazon.cn exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer=""


log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 user_name="" user_gp="" iap=2 category="Educational Institutions" category_type="Acceptable" url="https://meet.partner.lync.cn/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.xxx.27 dst_ip=42.159.34.45 protocol="TCP" src_port=58897 dst_port=443 sent_bytes=0 recv_bytes=0 domain=meet.partner.lync.cn exceptions= activityname="" reason="" user_agent="" status_code="200" transactionid= referer=""
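The firewall entries above, both the "Firewall Rule" DNS denies and the "HTTP" denies, share one key=value format, so here is an added example (my own code, not from this post or from the firewall vendor) that parses that format and flags the two things this page hunts for: a device sending DNS straight to an outside resolver instead of the firewall, and a denied web request. The sample lines are constructed from the entries above and abbreviated; the resolver address 192.168.xxx.1 is an assumption.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample lines in the key=value format shown on this page.
SAMPLE_LOG = [
    'log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=9 '
    'url="http://hmma.baidu.com/app.gif" src_ip=192.168.xxx.21 dst_ip=123.125.114.8 '
    'protocol="TCP" dst_port=80 domain=hmma.baidu.com exceptions= '
    'user_agent="Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)" status_code="403"',
    'log_component=Firewall Rule log_subtype=Denied status=Deny priority=Information fw_rule_id=4 '
    'src_mac=14:c9:13:74:4d:a8 src_ip=192.168.xxx.157 dst_ip=8.8.8.8 protocol=UDP '
    'src_port=33050 dst_port=53 hb_health=No Heartbeat message="" appresolvedby=Signature',
    # A normal lookup that goes to the firewall's own resolver (assumed 192.168.xxx.1).
    'log_component=Firewall Rule log_subtype=Allowed status=Allow src_ip=192.168.xxx.5 '
    'dst_ip=192.168.xxx.1 protocol=UDP dst_port=53 hb_health=No Heartbeat message=""',
]

# Split only on whitespace that precedes the next key=, so that unquoted values with
# spaces (hb_health=No Heartbeat, log_component=Firewall Rule) and quoted values with
# spaces (user_agent="Dalvik/2.1.0 (Linux; ...)") stay intact. Assumes a quoted value
# never itself contains ' key='.
FIELD_SPLIT = re.compile(r'\s+(?=\w+=)')

def parse_event(line):
    """Parse one key=value log line into a dict; empty fields (exceptions=) map to ''."""
    event = {}
    for pair in FIELD_SPLIT.split(line.strip()):
        key, _, value = pair.partition('=')
        event[key] = value.strip('"')
    return event

def classify(event, resolver_ip):
    """Return a finding label, or None when the event needs no attention."""
    if event.get('dst_port') == '53' and event.get('dst_ip') != resolver_ip:
        return 'direct-dns'   # device bypassing the firewall's resolver
    if event.get('log_component') == 'HTTP' and event.get('log_subtype') == 'Denied':
        return 'denied-http'  # web request blocked by a country/category rule
    return None

def findings_by_source(lines, resolver_ip='192.168.xxx.1'):
    """Group findings per internal device: {src_ip: [(label, destination), ...]}."""
    out = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        label = classify(ev, resolver_ip)
        if label:
            out[ev['src_ip']].append((label, ev.get('domain') or ev['dst_ip']))
    return dict(out)

if __name__ == '__main__':
    for src, items in findings_by_source(SAMPLE_LOG).items():
        print(src, items)
```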