I have a pair of IP3M-941W cameras. Both cameras have port forwarding set up, without UPnP, to receive inbound connections that I initiate without using the DDNS service on either camera. I have a DNS solution that I administer and control, so DDNS is not required.
Here is what I am seeing from each camera. Roughly every five (5) seconds each camera is making a DNS request for ip.3322.net, which is a very well-known source of malware located in China. [That's approximately 18,000 requests per day for each camera.]
The DNS server provided by my ISP resolves this domain as a loopback address, 127.42.0.3.
Google Public DNS returns NXDOMAIN.
OpenDNS returns 127.42.0.1.
CloudFlare DNS returns 127.42.0.8.
YahooDNS returns 127.42.0.4.
Since the DDNS feature is not enabled, why are these cameras initiating a connection to ip.3322.net? What are they trying to find at this domain?
It is obvious neither camera can create a successful connection, but again, why are they doing it in the first place?
Any ideas?
IP3M-941W - Very suspicious outbound IP traffic
Re: IP3M-941W - Very suspicious outbound IP traffic
Camera does initiate connections to Cloud and P2P. See https://support.amcrest.com/hc/en-us/ar ... ctionality
Port forwarding is not considered a secure connection by security experts. That suspicious address may be a hack to your camera.
P2P is a somewhat more secure connection but depends on the remote server.
The most secure connection is a user VPN server (for example, an Asus router that supports OpenVPN).
Re: IP3M-941W - Very suspicious outbound IP traffic
Hello and welcome to the Forum.
I would need to spend a little more time on this to figure out what is going on. However, from what I know, ip.3322.net has to do with DNS and is a large medium for services related to such...
Please note that just because a URL on the Web had a large amount of traffic when a mass attack by hackers from IP cameras or NVRs or the like happened, that doesn't make that domain the source of the attack...
So if you think about it: back when that large attack over the BIG name IP camera maker was in the news, if people were using FREE DDNS or another type of DNS server that went to or through ip.3322.net, then that is why it was related to that server... not because the server was the one that did it...
So my guess is, without knowing what service you're paying for or getting for free, it is hard to know why. I do know that there are many reasons a camera or other IP device will access an outside server, and that is because even though your IP address from your ISP is, say, xxx.xxx.122.21 right now, if the lease is up then next time you want to use your IP it might be xxx.xxx.122.44, because that is what your ISP gave you on this lease time. So by contacting the server it is keeping tabs on the IP so you can have access to it at all times...
Be Safe.
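The pattern reported in the first post (one device looking up the same name at a fixed interval, with resolvers answering with a 127.x.x.x address or NXDOMAIN) can be picked out of a local resolver's query log. The following is an added example, not code from any poster or from Amcrest; the simplified dnsmasq-style log format with ISO timestamps, the client addresses and the thresholds are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed (simplified) log line: "<ISO time> dnsmasq[pid]: query[A] <name> from <client>"
QUERY_RE = re.compile(r"^(\S+) dnsmasq\[\d+\]: query\[A\] (\S+) from (\S+)$")

def classify_answer(answer):
    """Label a resolver answer: NXDOMAIN, loopback sinkhole, or routable."""
    if answer == "NXDOMAIN":
        return "nxdomain"
    return "sinkholed" if ipaddress.ip_address(answer).is_loopback else "routable"

def find_beacons(lines, min_queries=10, max_jitter=1.0):
    """Return {(client, domain): median_interval_s} for fixed-interval lookups."""
    seen = defaultdict(list)
    for line in lines:
        if m := QUERY_RE.match(line):
            ts, domain, client = m.groups()
            seen[(client, domain)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Beacon: at least 90% of gaps sit within max_jitter seconds of the median.
        if sum(abs(g - mid) <= max_jitter for g in gaps) >= 0.9 * len(gaps):
            beacons[key] = mid
    return beacons

def build_sample_log():
    """Constructed log: two cameras polling every 5 s, one laptop browsing."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(60):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        for cam in ("192.168.1.50", "192.168.1.51"):
            lines.append(f"{ts} dnsmasq[411]: query[A] ip.3322.net from {cam}")
    for off in (3, 40, 41, 130, 290):
        ts = (start + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} dnsmasq[411]: query[A] example.org from 192.168.1.20")
    return lines

if __name__ == "__main__":
    for (client, domain), gap in sorted(find_beacons(build_sample_log()).items()):
        print(f"{client} -> {domain}: one lookup every {gap:.0f}s")
```
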