1qwerty1
Feb 25, 2020, Tutor
Outbound traffic to Amazon space
Hello, I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443. The home ...
CrimpOn
Feb 25, 2020, Guru - Experienced User
Alas, my impression is that Netgear engineers are not assigned to monitor the dozens of community forums. Those of us who do are simply customers who are too cheap to pay for GearHead support (and who also find that members of the community often have more nuanced insight than the "GearHeads"). So, this is my initial impression:
I had always thought that Netgear hosted Orbi firmware on "Netgear".
Here are the links I find in the Orbi parameters:
x_advisor_url=https://advisor.ngxcld.com/advisor/direct
x_claimed_url=https://registration.ngxcld.com/registration/status
x_discovery_url=https://presence.ngxcld.com/presence/presence
base_upgrade_url=https://http.fw.updates1.netgear.com/rbr50
fw_download_url=https://http.fw.updates1.netgear.com/rbr50/ww
genie_remote_url=https://genieremote.netgear.com/genie-remote/claimDevice
last_fw_upgrade_url=https://http.fw.updates1.netgear.com/rbr50/V2.3.5/ww
leafp2p_remote_url=http://peernetwork.netgear.com/peernetwork/services/LeafNetsWebServiceV2
leafp2p_replication_hook_url=https://readyshare.netgear.com/device/hook
leafp2p_replication_url=https://readyshare.netgear.com/device/entry
readycloud_fetch_url=https://readycloud.netgear.com/device/entry
readycloud_hook_url=https://readycloud.netgear.com/device/hook
readycloud_upload_url=https://readycloud.netgear.com/directio
Firmware updates seem to be hosted at Netgear.com.
None of these screams out "Amazon Cloud" directly, but the "ngxcld" appears to be in connection with Arlo cameras.
The Arin link seems to be pointing at "security":
WHOIS Source: ARIN
IP Address: 52.0.0.0
Country: USA - Washington
Network Name: AWS-SHELL-INTERNET
Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd.
I also think it's weird that Orbi has all these links to readycloud when that feature is not implemented on the Orbi platform.
- FURRYe38, Feb 25, 2020, Guru - Experienced User
"Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee wonder what kind of data mining here collecting. Scary.
- CrimpOn, Feb 25, 2020, Guru - Experienced User
FURRYe38 wrote: "Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee wonder what kind of data mining here collecting. Scary.
It's part of Amazon Web Services (the "AWS" part at the front). This is a useful discussion for me. I had assumed that once in Access Point mode, the Orbi reverted to a dumb WiFi AP. Now that I have the occasion to reflect, it is pretty obvious that the Orbi is still going to do "maintenance things" that are not "routing", such as looking for firmware updates, managing Arlo cameras, supporting ReadyShare (Ha!), sending log files(?).
It would be interesting to look at the DNS requests that led to the Orbi wanting to connect to 52.0.0.0.
- 1qwerty1, Feb 25, 2020, Tutor
CrimpOn, thanks for the useful info. I am going to build separate firewall policies for the FQDN objects that use https:// URLs to give me more fw logs and what protocols they are using. I am still not 100% sure what that ssl/8883 is doing?
I will run a sniffer to catch DNS queries to confirm the links you posted (+ additional hidden ones). I am not a big fan of devices that do a very chatty 'outside' life.
For now, I am dropping all outbound traffic from the Orbi (in AP mode).
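Added example, not part of the original thread: one way to do the correlation discussed above, matching sniffed DNS answers against the hostnames in the Orbi parameter list to see which names resolve into 52.0.0.0/11 and which of those are not in the list at all. The DNS capture lines, their addresses and the name `mystery.example.net` are constructed placeholders, and the "name address" capture format is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Parameter lines copied from the post above (subset).
ORBI_PARAMS = """\
x_advisor_url=https://advisor.ngxcld.com/advisor/direct
x_discovery_url=https://presence.ngxcld.com/presence/presence
fw_download_url=https://http.fw.updates1.netgear.com/rbr50/ww
leafp2p_remote_url=http://peernetwork.netgear.com/peernetwork/services/LeafNetsWebServiceV2
"""
# Constructed sniffer output, one "<queried name> <A record>" per line.
# The addresses are placeholders for illustration, not observed resolutions.
DNS_ANSWERS = """\
advisor.ngxcld.com 52.1.2.3
presence.ngxcld.com 52.20.30.40
http.fw.updates1.netgear.com 203.0.113.10
mystery.example.net 52.5.6.7
"""
AMAZON_RANGE = ipaddress.ip_network("52.0.0.0/11")  # range named in the thread

def configured_hosts(params):
    """Map hostname -> set of URL schemes found in key=value lines."""
    hosts = {}
    for line in params.splitlines():
        key, sep, url = line.partition("=")
        parsed = urlparse(url.strip())
        if sep and parsed.hostname:
            hosts.setdefault(parsed.hostname.lower(), set()).add(parsed.scheme)
    return hosts

def correlate(params, answers, network=AMAZON_RANGE):
    """Split names resolving into `network` into configured vs. unlisted."""
    hosts = configured_hosts(params)
    known, unlisted = {}, {}
    for line in answers.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip malformed capture lines
        name, addr = fields[0].lower().rstrip("."), fields[1]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP address (e.g. a CNAME target)
        if ip in network:
            (known if name in hosts else unlisted).setdefault(name, []).append(addr)
    plaintext = sorted(h for h, s in hosts.items() if "http" in s)  # non-TLS URLs
    return known, unlisted, plaintext

print(correlate(ORBI_PARAMS, DNS_ANSWERS))
```

Names in the `unlisted` result are the "additional hidden ones" worth their own firewall policy, and `plaintext` lists configured endpoints reached over http:// rather than https://.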