Strange traffic sending out


#1

Hi everyone,

I purchased a WD PR2100 recently, simply because I want “My own cloud”.
Now, before I explain my situation, let me tell you the status of my box.

  1. ALL features except SSH are disabled. There is nothing else except SSH, not even DHCP.
  2. No apps installed on my device.

I captured tcpdump for just 5 minutes with a prefilter to remove ssdp, arp etc.

Traffic to AWS:
14:12:12.304609 IP 192.168.0.37.57342 > 54.171.147.115.443: Flags [S], seq 1529442301, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
14:12:12.336219 IP 54.171.147.115.443 > 192.168.0.37.57342: Flags [S.], seq 2531290180, ack 1529442302, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0

Now this capture is strange, UPnP allows traffic FROM outside (Linode company) to mycloud:
14:22:02.403271 IP 178.79.180.168.443 > 192.168.0.37.58235: Flags [P.], seq 901406271:901406305, ack 53781524, win 19, length 34
14:22:02.403337 IP 192.168.0.37.58235 > 178.79.180.168.443: Flags [.], ack 34, win 86, length 0

I blocked it and there is no service impact to mycloud at all! The question is, what are these strange traffic behaviours, and why?

I’m investigating since my PR2100 isn’t going into sleep mode or standby.


#2

Quick update: after I blocked 178.79.180.168, I am now seeing traffic from:

14:33:33.515980 IP 82.94.168.56.443 > 192.168.0.37.50436: Flags [P.], seq 1382439872:1382439906, ack 3128652020, win 19, length 34
14:33:33.516048 IP 192.168.0.37.50436 > 82.94.168.56.443: Flags [.], ack 34, win 86, length 0


#3

You are on the wrong track. You likely have more gadgets connected to your network than your new My Cloud. For example, Amazon Alexa gadgets are some. They are always chit-chatting with their Mother Ship, to AWS. Same kind of thing happens with My Clouds.

My advice to you is to unblock everything you blocked, sit down, relax and have a beer. All is ok.


#4

Thanks Mike for the advice, however I was referring to no sleep/standby issue.
I’m working at Oracle and I’m very aware of how cloud-dependent devices should work. From the little I know, I decided to block because there is no reason why any 3rd party provider will collect data from this device, especially not when there is no feature enabled AT ALL. There is no Alexa or any other ‘gadgets’ processes running.

The reason I am investigating this is that the device won’t go to sleep / standby mode; I wondered why it’s sending traffic instead of going to sleep.
I can’t figure out what the issue is, though. Does anyone have an idea?

Thanks.


#5

OK, but don’t assume your new my cloud is the culprit. To test this just turn it off/unplug it for a while and monitor your traffic to see what else is going on.


#6

There is no need to turn it off since I’m capturing from the device itself on bond0, so obviously it’s the device generating it.
Also, the source IP is the PR2100 while the destination is a public IP, except for one flow that goes from XS4ALL to the mycloud device, which is even more strange. UPnP ensures that this flow, initiated from the internet, is allowed. Very strange.
Again, does someone have some knowledge related to the issue I’m referring to and can explain?
And for my actual issue: did anyone solve the issue with the device sleep/standby mode? It never works…

Btw, I checked the other NAS I have (Synology) and I didn’t see the same behaviour… no traffic sent/received to/from the internet unless I turn off apps that have public cloud features, which is the expected behaviour.
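
Added example (not part of any post in this thread): one way to check which side opened each TCP connection in tcpdump text output, run over the packet lines quoted in posts #1 and #2. A bare SYN (`Flags [S]`) identifies the initiator; when the handshake was not captured, treating the side on a port below 1024 as the server is a heuristic assumption, and `classify_flows` is a name chosen for this example.

```python
import ipaddress
import re

# Packet lines copied from the tcpdump output quoted in posts #1 and #2.
CAPTURE = """\
14:12:12.304609 IP 192.168.0.37.57342 > 54.171.147.115.443: Flags [S], seq 1529442301, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
14:12:12.336219 IP 54.171.147.115.443 > 192.168.0.37.57342: Flags [S.], seq 2531290180, ack 1529442302, win 26883, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
14:22:02.403271 IP 178.79.180.168.443 > 192.168.0.37.58235: Flags [P.], seq 901406271:901406305, ack 53781524, win 19, length 34
14:22:02.403337 IP 192.168.0.37.58235 > 178.79.180.168.443: Flags [.], ack 34, win 86, length 0
14:33:33.515980 IP 82.94.168.56.443 > 192.168.0.37.50436: Flags [P.], seq 1382439872:1382439906, ack 3128652020, win 19, length 34
14:33:33.516048 IP 192.168.0.37.50436 > 82.94.168.56.443: Flags [.], ack 34, win 86, length 0
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify_flows(text):
    """Return {(local_ip, local_port, remote_ip, remote_port): verdict}."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 TCP packet line
        src_local = ipaddress.ip_address(m["src"]).is_private
        if src_local:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        else:
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if m["flags"] == "S":  # bare SYN: the sender opens the connection
            flows[key] = "local-initiated" if src_local else "remote-initiated"
        else:
            flows.setdefault(key, None)  # seen only mid-stream so far
    # No handshake in the capture: fall back on port numbers (heuristic).
    for key, verdict in flows.items():
        if verdict is None:
            _, lport, _, rport = key
            if rport < 1024 <= lport:
                flows[key] = "likely local-initiated (no SYN captured)"
            elif lport < 1024 <= rport:
                flows[key] = "likely remote-initiated (no SYN captured)"
            else:
                flows[key] = "undetermined"
    return flows

if __name__ == "__main__":
    for flow, verdict in classify_flows(CAPTURE).items():
        print(flow, "->", verdict)
```

For a definite answer on the flows seen only mid-stream, capture from before the connection starts with a filter on the remote address so the SYN itself is recorded.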


#7

Perhaps this can help


#8

They collected the logs a few days ago but no one has contacted me since then; that’s why I’m trying this forum.


#9

Up?