1qwerty1
Feb 25, 2020 Tutor
Outbound traffic to Amazon space
Hello, I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443. The home ...
CrimpOn
Feb 25, 2020 Guru - Experienced User
FURRYe38 wrote: "Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee wonder what kind of data mining they're collecting. Scary.
It's part of Amazon Web Services (the "AWS" part at the front). This is a useful discussion for me. I had assumed that once in Access Point mode, the Orbi reverted to a dumb WiFi AP. Now that I have the occasion to reflect, it is pretty obvious that the Orbi is still going to do "maintenance things" that are not "routing", such as looking for firmware updates, managing Arlo cameras, supporting ReadyShare (Ha!), sending log files(?).
It would be interesting to look at the DNS requests that led to the Orbi wanting to connect to 52.0.0.0.
FURRYe38
Feb 25, 2020 Guru - Experienced User
I wonder if this is something that Voxel might be able to tune up or tune out. I know he's removed some packages from the base file and set them aside for use later or if users want them. Something to ask him about and see. Though this may be core code which he can't change.
I know NG and other Mfrs are using Amazon as a platform for their cloud services these days. Been like this for a while now.
Ya I kinda presumed that when in AP mode that analytics would be turned off. I guess not.
- FURRYe38 Feb 25, 2020 Guru - Experienced User
>>>>>>>>>>>>>>>>
After capturing DNS traffic, the Orbi unit is making constant lookups of advisor.ngxcld.com which is:
CNAME advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com (at the time of the pcap):
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.192.26
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.160.87
In addition, I saw DNS queries for www.netgear.com (once an hour).
It appears the frequent traffic is going to a web analytics platform, Ngxcld.com (Website Analysis and Traffic Statistics).
There are some posts on reddit and arlo forums indicating the same outbound pattern.
>>>>>>>>>>>>>>>>
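The DNS-to-connection correlation discussed in this thread, as an added example that is not part of any poster's message: it follows CNAME chains backwards so that each outbound destination is labelled with the hostname the device first asked for, and marks whether it falls in 52.0.0.0/11. The function names, the flow list, the CNAME line's TTL and the `192.0.2.10` / `52.0.0.1` addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in dig/zone-file form. Names and the 52.24.x.x addresses are those
# quoted in the thread; the CNAME TTL and the www.netgear.com record are placeholders.
ANSWERS = """\
advisor.ngxcld.com. 60 IN CNAME advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com.
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.192.26
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.160.87
www.netgear.com. 300 IN A 192.0.2.10
"""
# Constructed flows (dst_ip, dst_port); 52.0.0.1 is made up and has no lookup above.
CONNECTIONS = [("52.24.192.26", 443), ("52.24.160.87", 443),
               ("192.0.2.10", 443), ("52.0.0.1", 443)]

def parse_answers(text):
    """Return (CNAME target -> aliases, owner name -> A-record IPs)."""
    aliases_of, a_records = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # skip anything that is not "name ttl IN type rdata"
        name, rtype, rdata = parts[0].rstrip(".").lower(), parts[3], parts[4]
        if rtype == "CNAME":
            aliases_of[rdata.rstrip(".").lower()].add(name)
        elif rtype == "A":
            a_records[name].add(rdata)
    return aliases_of, a_records

def queried_names(name, aliases_of, seen=()):
    """Walk CNAMEs backwards from an A-record owner to the name(s) first queried."""
    if name in seen:
        return set()  # guard against CNAME loops
    parents = aliases_of.get(name)
    if not parents:
        return {name}
    return set().union(*(queried_names(p, aliases_of, seen + (name,)) for p in parents))

def attribute(connections, answers_text, watch="52.0.0.0/11"):
    """Label each flow: (ip, port, inside watched range?, names that led to it)."""
    aliases_of, a_records = parse_answers(answers_text)
    by_ip = defaultdict(set)
    for owner, ips in a_records.items():
        for ip in ips:
            by_ip[ip] |= queried_names(owner, aliases_of)
    net = ipaddress.ip_network(watch)
    return [(ip, port, ipaddress.ip_address(ip) in net,
             sorted(by_ip.get(ip, ())) or ["<no DNS answer seen>"])
            for ip, port in connections]
```

A flow inside the watched range with no matching answer is the case worth a second look in a real capture: the lookup was either cached before the capture started or never made.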