[Freedombox-discuss] FreedomBox data leakage, firewall issues.
A. F. Cano
afc54 at comcast.net
Thu May 2 13:38:40 BST 2024
I have long noticed that there is usually some data going out of the external
interface. I have always assumed it was housekeeping stuff, such as dns.
However, Cockpit is now showing data going out at 1 Mbps and receiving at
300-400 Mbps. Something is going on that looks very suspicious.
sudo iftop on the FreedomBox shows this: (copied/pasted snapshot)
fbx => 5.62.115.7 132Kb 154Kb 142Kb
<= 37.7Kb 43.9Kb 40.4Kb
fbx => 20.219.166.58 66.3Kb 76.7Kb 70.5Kb
<= 18.9Kb 21.9Kb 20.1Kb
fbx => 20.198.72.188 32.2Kb 50.8Kb 54.1Kb
<= 9.19Kb 14.5Kb 15.4Kb
fbx => 4.213.64.123 37.4Kb 40.4Kb 36.3Kb
<= 10.7Kb 11.6Kb 10.4Kb
fbx => 20.204.159.116 32.2Kb 39.6Kb 36.8Kb
<= 9.19Kb 11.3Kb 10.5Kb
fbx => 52.172.234.77 32.8Kb 38.6Kb 35.0Kb
<= 9.38Kb 11.0Kb 10.0Kb
fbx => 4.247.20.151 32.8Kb 38.5Kb 34.5Kb
<= 9.38Kb 11.0Kb 9.87Kb
fbx => 20.235.146.193 32.8Kb 38.3Kb 35.4Kb
<= 9.38Kb 10.9Kb 10.1Kb
fbx => 4.213.64.184 32.8Kb 38.2Kb 35.3Kb
<= 9.38Kb 10.9Kb 10.1Kb
fbx => 20.235.13.231 32.2Kb 38.2Kb 35.3Kb
<= 9.19Kb 10.9Kb 10.1Kb
fbx => 20.235.89.199 32.8Kb 38.2Kb 35.2Kb
<= 9.38Kb 10.9Kb 10.1Kb
fbx => 20.235.51.243 32.8Kb 38.2Kb 35.2Kb
<= 9.38Kb 10.9Kb 10.1Kb
fbx => 20.235.53.103 32.8Kb 38.1Kb 35.2Kb
<= 9.38Kb 10.9Kb 10.1Kb
fbx => 20.204.21.128 32.8Kb 38.1Kb 35.1Kb
<= 9.38Kb 10.9Kb 10.0Kb
fbx => 20.235.95.62 32.8Kb 38.1Kb 35.1Kb
<= 9.38Kb 10.9Kb 10.0Kb
fbx => 20.235.95.67 32.2Kb 38.1Kb 35.1Kb
<= 9.19Kb 10.9Kb 10.0Kb
fbx => 20.235.49.2 31.5Kb 37.9Kb 35.1Kb
<= 9.00Kb 10.8Kb 10.0Kb
fbx => 20.198.73.231 32.8Kb 37.5Kb 34.7Kb
<= 9.56Kb 10.8Kb 9.94Kb
fbx => 20.235.20.95 33.5Kb 37.5Kb 34.8Kb
<= 9.56Kb 10.7Kb 9.94Kb
fbx => 4.247.23.118 25.6Kb 36.6Kb 34.4Kb
<= 7.31Kb 10.5Kb 9.82Kb
fbx => 20.204.187.93 17.7Kb 35.3Kb 33.5Kb
<= 5.06Kb 10.1Kb 9.56Kb
fbx => 143.244.196.6 1.13Kb 1.74Kb 1.09Kb
<= 12.0Kb 7.33Kb 4.58Kb
fbx => 101.126.11.251 0b 2.77Kb 2.42Kb
<= 0b 0b 644b
fbx => 52.140.45.128 5.91Kb 1.18Kb 756b
<= 1.69Kb 346b 216b
The highest volume collector of who knows what appears to be Microsoft:
$ whois 20.219.166.58
NetRange: 20.192.0.0 - 20.255.255.255
CIDR: 20.192.0.0/10
NetName: MSFT
NetHandle: NET-20-192-0-0-1
Parent: NET20 (NET-20-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2017-10-18
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/20.192.0.0
OrgName: Microsoft Corporation
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2024-03-18
Further attempts at figuring out who is really behind this IP address yield
nothing:
$ nslookup 20.219.166.58
** server can't find 58.166.219.20.in-addr.arpa: NXDOMAIN
Entering the IP address into https://ipinfo.io/20.219.166.58
says it's from "Pune, Maharashtra, India"
Can someone explain this? Why is my FreedomBox sending so much data to India
and who knows where else? Has my FreedomBox been taken over by some bot
network?
I have tried to lock it down:
$ sudo firewall-cmd --lockdown-on
but nothing happens. The data flow is continuing and there is no change in the
behaviour of the FreedomBox: I can still access the internet from internal
machines, get email etc... Am I misunderstanding how a firewall lockdown is
supposed to work?
This is worrying me. It would be really nice if Cockpit had some feature to
not only show the volume of data going through the external interface but
also flag where packets go, under what protocols, who is collecting
the data, and what program (possibly on the internal network) is originating
the traffic (so I can stop/kill it).
I'm considering running Wireshark on the FreedomBox to try to figure this out
next. Does anyone have a Wireshark recipe/filter to do the above so that I
don't have to engage in a 6-month project? I know next to nothing about
the fine points of Wireshark.
Finally, I have noticed traffic that makes sense: some Syncthing-related
packets, some Mastodon-related packets (I'm running Syncthing on internal
machines and have an open tab for Mastodon) but I also found packets from here:
https://security.criminalip.com/
Worrying name at the very least. Looks like the FreedomBox is being probed.
I have no idea if any of the probes were successful.
I have looked over the ps output on internal machines to make sure there was
nothing obvious there. I did stop tor, for instance, but this was not the
culprit.
I would really appreciate some clarification about these issues. Thank you very
much for reading this far.
Augustine
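The triage the post asks for (which peers are receiving a steady upload, and which local process owns the connection), as an added example that is not part of the original message: the iftop sample below is constructed in the same shape as the snapshot above, and the process lookup assumes the iproute2 `ss` tool present on Debian, which FreedomBox runs on.

```shell
#!/bin/sh
# Added example, not code from the original post: aggregate an iftop text
# snapshot by remote host so upload-heavy peers stand out, then map a peer
# to the local process holding the connection.

# Constructed sample in the shape of the post's iftop output
# (columns are the 2s / 10s / 40s averages).
IFTOP_SAMPLE='fbx => 20.219.166.58 66.3Kb 76.7Kb 70.5Kb
   <= 18.9Kb 21.9Kb 20.1Kb
fbx => 5.62.115.7 132Kb 154Kb 142Kb
   <= 37.7Kb 43.9Kb 40.4Kb
fbx => 143.244.196.6 1.13Kb 1.74Kb 1.09Kb
   <= 12.0Kb 7.33Kb 4.58Kb'

# summarise_iftop: read iftop lines on stdin and print
# "peer out_bps in_bps ratio" from the 40s column, highest outbound first.
summarise_iftop() {
    awk '
      function bits(s,  n) { n = s + 0
        if (s ~ /Mb$/) return n * 1000000
        if (s ~ /Kb$/) return n * 1000
        return n }
      $2 == "=>" { peer = $3; out[peer] = bits($6) }
      $1 == "<=" { in_[peer] = bits($4) }
      END { for (p in out) {
              r = (in_[p] > 0) ? out[p] / in_[p] : 0
              printf "%s %d %d %.1f\n", p, out[p], in_[p], r } }
    ' | sort -k2 -nr
}

# upload_heavy: peers that receive at least RATIO times what they send back.
# A sustained upload to many unrelated hosts is the pattern to explain first.
upload_heavy() {
    ratio=${1:-2}
    printf '%s\n' "$IFTOP_SAMPLE" | summarise_iftop |
        awk -v r="$ratio" '$4 >= r { print $1 }'
}

# top_talker: the single peer with the highest outbound 40s average.
top_talker() {
    printf '%s\n' "$IFTOP_SAMPLE" | summarise_iftop | head -n 1 | cut -d' ' -f1
}

# owner_of_peer: local process(es) holding a TCP connection to a peer.
# Run as root on the box itself; the process column needs privileges.
owner_of_peer() {
    ss -tnp dst "$1"
}

top_talker
upload_heavy 2
```

Note that `firewall-cmd --lockdown-on` only restricts which local applications may change firewalld's configuration over D-Bus; it does not block traffic, so outbound filtering has to be done with zone or rich rules instead.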