Finally stood up PF for bi-directional firewalling (since I have a slight bit of paranoia w/ hijacked PCs), and sure enough one of the Foscam IP cameras on the network is constantly trying to contact an Amazon compute node on high ephemeral ports.
Does this look suspicious to anyone? Also any pointers on deeper analysis of this traffic would be appreciated.
Code:
19:43:12.674038 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 54155, offset 0, flags [none], proto UDP (17), length 276)
foscam2.dubhouse.net.19351 > ec2-175-41-238-100.ap-northeast-1.compute.amazonaws.com.21047: [udp sum ok] UDP, length 248
....
19:43:21.440638 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 4929, offset 0, flags [none], proto UDP (17), length 64)
foscam2.dubhouse.net.19351 > ec2-46-137-188-54.eu-west-1.compute.amazonaws.com.10240: [udp sum ok] UDP, length 36
19:43:21.441371 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 63750, offset 0, flags [none], proto UDP (17), length 64)
foscam2.dubhouse.net.19351 > 120.24.59.150.10240: [udp sum ok] UDP, length 36
....
19:43:22.991441 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 35841, offset 0, flags [none], proto UDP (17), length 276)
foscam2.dubhouse.net.19351 > ec2-175-41-238-100.ap-northeast-1.compute.amazonaws.com.21047: [udp sum ok] UDP, length 248
19:43:23.568098 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 54111, offset 0, flags [none], proto ICMP (1), length 84)
...
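As an added example, not part of the original post or the poster's setup: a small Python parser for the pflog/tcpdump lines quoted above (the two-lines-per-packet format `tcpdump -v` prints for pflog), which pairs each header line with its flow line and then summarises per-destination packet counts, payload sizes and inter-packet gaps. The sample log is the poster's own lines embedded as a string; the "one fixed source port to many destinations" heuristic and its threshold are my assumptions, a starting point for the deeper look the post asks for, not a verdict on the camera.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the PF log lines quoted in the post above, reproduced as-is.
# The "...." lines are the poster's own elisions and are simply skipped.
SAMPLE_LOG = """\
19:43:12.674038 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 54155, offset 0, flags [none], proto UDP (17), length 276)
foscam2.dubhouse.net.19351 > ec2-175-41-238-100.ap-northeast-1.compute.amazonaws.com.21047: [udp sum ok] UDP, length 248
....
19:43:21.440638 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 4929, offset 0, flags [none], proto UDP (17), length 64)
foscam2.dubhouse.net.19351 > ec2-46-137-188-54.eu-west-1.compute.amazonaws.com.10240: [udp sum ok] UDP, length 36
19:43:21.441371 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 63750, offset 0, flags [none], proto UDP (17), length 64)
foscam2.dubhouse.net.19351 > 120.24.59.150.10240: [udp sum ok] UDP, length 36
....
19:43:22.991441 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 35841, offset 0, flags [none], proto UDP (17), length 276)
foscam2.dubhouse.net.19351 > ec2-175-41-238-100.ap-northeast-1.compute.amazonaws.com.21047: [udp sum ok] UDP, length 248
19:43:23.568098 rule 8..16777216/0(match): block out on em1: (tos 0x0, ttl 63, id 54111, offset 0, flags [none], proto ICMP (1), length 84)
"""

# Header line: timestamp, rule, action, direction, interface, protocol, IP length.
HEADER_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) rule (\S+)\(match\): (block|pass) (in|out) on (\w+): "
    r".*?proto (\w+) \((\d+)\), length (\d+)\)"
)
# Flow line: src.port > dst.port, UDP payload length. Hostnames and dotted IPs both
# contain dots, so the trailing ".port" is split off by backtracking.
FLOW_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): \[udp sum (ok|bad)\] UDP, length (\d+)")


def parse_pflog(text):
    """Pair each header line with the flow line that follows it.

    A header with no flow line (the ICMP packet here, or a line the poster
    elided) is kept with src/dst set to None so it still counts per protocol.
    """
    packets, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if pending is not None:
                packets.append(pending)
            pending = {
                "time": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
                "rule": m.group(2), "action": m.group(3), "direction": m.group(4),
                "iface": m.group(5), "proto": m.group(6), "ip_len": int(m.group(8)),
                "src": None, "sport": None, "dst": None, "dport": None, "payload": None,
            }
            continue
        m = FLOW_RE.match(line)
        if m and pending is not None:
            pending.update(src=m.group(1), sport=int(m.group(2)),
                           dst=m.group(3), dport=int(m.group(4)), payload=int(m.group(6)))
            packets.append(pending)
            pending = None
    if pending is not None:
        packets.append(pending)
    return packets


def fanout_by_source(packets, proto="UDP"):
    """Map (src host, src port) -> {(dst host, dst port): (packets, payload bytes)}."""
    out = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for p in packets:
        if p["proto"] != proto or p["dst"] is None:
            continue
        stats = out[(p["src"], p["sport"])][(p["dst"], p["dport"])]
        stats[0] += 1
        stats[1] += p["payload"]
    return {src: {d: tuple(v) for d, v in dests.items()} for src, dests in out.items()}


def fixed_port_fanout(packets, min_destinations=3):
    """Flag sources that reuse one UDP source port toward many destinations.

    One socket held open and reused for every peer is what keepalive / NAT-traversal
    style traffic looks like; it is a reason to look closer, not proof of compromise.
    The threshold is an assumption chosen to fit a short sample.
    """
    return sorted(src for src, dests in fanout_by_source(packets).items()
                  if len(dests) >= min_destinations)


def inter_arrival_seconds(packets, dst, dport):
    """Gaps between successive packets to one destination; regular gaps suggest a timer."""
    times = sorted(p["time"] for p in packets if p["dst"] == dst and p["dport"] == dport)
    return [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    pkts = parse_pflog(SAMPLE_LOG)
    for (src, sport), dests in fanout_by_source(pkts).items():
        print(f"{src}:{sport} -> {len(dests)} distinct destinations")
        for (dst, dport), (n, nbytes) in sorted(dests.items()):
            print(f"  {dst}:{dport}  packets={n} payload_bytes={nbytes} "
                  f"gaps={inter_arrival_seconds(pkts, dst, dport)}")
    print("fixed-source-port fan-out:", fixed_port_fanout(pkts))
```

On a longer capture the interesting outputs are the ones this toy already hints at: the same 36-byte and 248-byte payload sizes recurring per destination, the roughly ten-second gap between the two packets to the same ap-northeast-1 host, and one source port serving every destination. Those are the features to compare against a packet capture of the camera's actual payload bytes before deciding whether it is vendor cloud traffic or something else.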