Why is camera contacting these IPs?

[aggedor2]

I've been viewing transactions on Wireshark and just noticed the camera initiating communication with a few IP addresses that puzzle me. Does anyone here know what's going on?

The camera is periodically sending a Baichuan protocol msg to 22.20.8.73

Whois says this is DoD Network Information Center

I also noticed a stream of messages being sent to 1.132.110.131

I also see a number of Baichuan login messages from that address.

Whois has this address as:

inetnum: 1.128.0.0 - 1.159.255.255
netname: TELSTRAINTERNET49-AU

I can't see any earlier Baichuan XML that sets up these addresses to use.

This is a new camera and since I'm sniffing it by making my Mac into an wifi access point (at which time I connect Mac to router over Ethernet), there isn't a lot of opportunity for it to be hacked as it usually doesn't have a network connection.

This is on a Uniden Solo+ camera (ie rebadged Argus 2).

Has anyone seen anything similar?

[aggedor2]

Just realised I switched my phone over to 4G at the point of the 1.132.110.131 addresses, so that explains that.

However, still puzzled about the messages to DoD

[QuantumEntangledAndy]

It is most likely to do with their remote discovery and NAT hole punching techniques.

In the event a direct connection cannot be achieved a client will poll the registers at:

"p2p.reolink.com",
"p2p1.reolink.com",
"p2p2.reolink.com",
"p2p3.reolink.com",
"p2p6.reolink.com",
"p2p7.reolink.com",
"p2p8.reolink.com",
"p2p9.reolink.com",
"p2p14.reolink.com",
"p2p15.reolink.com",

• these registers will reply to the client with the ip address of another register, a logging machine and a relay machine.

• The client will then connect to this other register which will contain the pubilc ip address of the camera. It will also register the clients ip address to this server.

• The clinet will use the address from the register to try to connect to the camera.

• The camera will contact the register (periodically) to see if there is anyone trying to connect.

  • If there is it will use the client address from the register to try to connect to the client.

• Either the camera will contact the client or the client will contact the camera

  • By both ends trying to connect like this it will help get through firewalls and punch through NATs

• The client will then announce to the logging ip what type of connection it will make (local or relayed)

You can see from this that for this remote discovery to work the camera needs to do some things periodically

1. It needs to register its public ip address
2. It needs to contact the register periodically to see if there is a client trying to connect so that it can try and connect aswell and perform a NAT holepunch

If you are using our dissector then the wireshark will show the packets for this type of communication as being of protocol Baichaun UDP Heartbeat with magic of 0x3acf872a

[aggedor2]

Thanks - I'd worked out most of that already, but it doesn't explain the DoD IP address.

I haven't really looked at the Neolink code yet as I wanted to understand by watching the wire first. But I'll look now, what code implements the P2P as described above?

[QuantumEntangledAndy]

I see well most of this code is in crates/core/src/bc_protocol/connection/udpconn particularly in discovery.rs.

If you haven't already please do check out the udp.md document in dissector it deals with local discovery but it might be helpful

[QuantumEntangledAndy]

Perhaps to really work out what the DoD ip address is for you should unpack a firmware update and run the binaries through Ghidra or something looking for where that ip/domain is used