Re: Outbound traffic to Amazon space

1qwerty1
Tutor

Outbound traffic to Amazon space

Hello,

I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443.

The home setup with a satellite unit is stable, the router is in AP mode (PA-220 firewall is the L3 device):

Spectrum -> PA-220 -> Orbi network

The traffic is about 8 packets/attempts per minute. I am purposefully dropping it on the firewall (I will update the firmware code myself manually once it is confirmed to be stable). I am aware that Netgear is hosting the firmware in the Amazon cloud and there is also an Alexa integration which I disabled. I also noticed Orbi makes an outbound connection on tcp8883/ssl as well - I believe this is the actual firmware download.

Maybe a Netgear tech support can post an answer to this post - why is there such a need to verify a link to Amazon? Is Netgear collecting some global stats on the number of Orbi units deployed?

 

Thanks!

Den

Model: CBR40|Orbi AC2200 Tri-band WiFi Cable Modem Router
Message 1 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space

Alas, my impression is that Netgear engineers are not assigned to monitor the dozens of community forums. Those of us who do are simply customers who are too cheap to pay for GearHead support (and who also find that members of the community often have more nuanced insight than the "GearHeads"). So, this is my initial impression.

I had always thought that Netgear hosted Orbi firmware on "Netgear".

Here are the links I find in the Orbi parameters:

x_advisor_url=https://advisor.ngxcld.com/advisor/direct
x_claimed_url=https://registration.ngxcld.com/registration/status
x_discovery_url=https://presence.ngxcld.com/presence/presence
base_upgrade_url=https://http.fw.updates1.netgear.com/rbr50
fw_download_url=https://http.fw.updates1.netgear.com/rbr50/ww
genie_remote_url=https://genieremote.netgear.com/genie-remote/claimDevice
last_fw_upgrade_url=https://http.fw.updates1.netgear.com/rbr50/V2.3.5/ww
leafp2p_remote_url=http://peernetwork.netgear.com/peernetwork/services/LeafNetsWebServiceV2
leafp2p_replication_hook_url=https://readyshare.netgear.com/device/hook
leafp2p_replication_url=https://readyshare.netgear.com/device/entry
readycloud_fetch_url=https://readycloud.netgear.com/device/entry
readycloud_hook_url=https://readycloud.netgear.com/device/hook
readycloud_upload_url=https://readycloud.netgear.com/directio

 

Firmware updates seem to be hosted at Netgear.com.

None of these screams out "Amazon Cloud" directly, but the "ngxcld" appears to be in connection with Arlo cameras.

The ARIN link seems to be pointing at "security":

WHOIS Source: ARIN
IP Address: 52.0.0.0
Country: usUSA - Washington
Network Name: AWS-SHELL-INTERNET
Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd.

I also think it's weird that Orbi has all these links to readycloud when that feature is not implemented on the Orbi platform.

Message 2 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

"Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee, wonder what kind of data mining they're collecting. Scary.


Message 3 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space


@FURRYe38 wrote:

"Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee, wonder what kind of data mining they're collecting. Scary.




It's part of Amazon Web Services (the "AWS" part at the front). This is a useful discussion for me. I had assumed that once in Access Point mode, the Orbi reverted to a dumb WiFi AP. Now that I have the occasion to reflect, it is pretty obvious that the Orbi is still going to do "maintenance things" that are not "routing", such as looking for firmware updates, managing Arlo cameras, supporting ReadyShare (Ha!), sending log files(?).

It would be interesting to look at the DNS requests that led to the Orbi wanting to connect to 52.0.0.0.

Message 4 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

CrimpOn, thanks for the useful info. I am going to build separate firewall policies for the FQDN objects that use https:// URLs to give me more fw logs and what protocols they are using. I am still not 100% sure what that ssl/8883 is doing.

I will run a sniffer to catch DNS queries to confirm the links you posted (+ additional hidden ones). I am not a big fan of devices that have a very chatty 'outside' life.

For now, I am dropping all outbound traffic from the Orbi (in AP mode).

Message 5 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

I wonder if this is something that Voxel might be able to tune up or tune out. I know he's removed some packages from the base file and set them aside for use later or if users want them. Something to ask him about and see. Though this may be core code which he can't change.

I know NG and other Mfrs are using Amazon as a platform for their cloud services these days. Been like this for a while now.

Ya I kinda presumed that when in AP mode that analytics would be turned off. I guess not.


Message 6 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

@1qwerty1 

>>>>>>>>>>>>>>>>

After capturing DNS traffic, the Orbi unit is making constant lookups of advisor.ngxcld.com which is:

CNAME advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com (at the time of the pcap):
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.192.26
advisor-z2-ngprod-1997768525.us-west-2.elb.amazonaws.com. 60 IN A 52.24.160.87

In addition, I saw DNS queries for www.netgear.com (once an hour).

It appears the frequent traffic is going to a web analytics platform, Ngxcld.com (Website Analysis and Traffic Statistics).

There are some posts on reddit and arlo forums indicating the same outbound pattern.

>>>>>>>>>>>>>>>>

Message 7 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

A little more info here: www.netgear.com is being used as the Internet good/disconnected status in the Orbi GUI, Basic -> Home. Allowing outbound ping to a FQDN object should be ok.

If you have a pi-hole, you can blacklist advisor.ngxcld.com - in this case, there will be no outbound traffic.

 

Message 8 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space


@1qwerty1 wrote:

A little more info here: www.netgear.com is being used as Internet good/disconnected status in the Orbi GUI, Basic -> Home. Allowing outbound ping to a FQDN object should be ok.


This would make for an interesting experiment.  Block all outbound traffic originating from the Orbi (not "passing through") and see what the Home Page status display says.  I have always wondered why the Home Page initially says, "Waiting" under Internet, and then changes to "Good".  Silly me, I thought, "Don't you KNOW the internet connection is good already?"  Maybe it has to connect, "just in case" before putting up a display.

Message 9 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

Hi CrimpOn,

I actually did the exact thing you are asking - I had all outbound connections blocked for my Orbi device. The failed pings caused the GUI Home page to show that the Internet was down. In reality the Internet was up. I allowed the pings outbound anyway to keep the home page happy. The www.netgear.com site gets pinged once every 5 minutes.

 

My other pi-hole blacklisted sites are:

readycloud.netgear.com
readyshare.netgear.com
presence.ngxcld.com
registration.ngxcld.com

 

My box is also making outbound FTP connections every hour at hr:02. I will capture this traffic to determine the FQDN it is using.

Message 10 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space


@1qwerty1 wrote:

My box is also making outbound FTP connections every hour at hr:02. I will capture this traffic to determine the FQDN it is using.


Please post what you find.  There is no "ftp" anywhere in the Orbi parameters that I can find.  The firmware updates are definitely "https".

Message 11 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

The hourly outbound connections over FTP are going to updates1.netgear.com which I also blacklisted via pi-hole.

Message 12 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

I would think that checking for updates should only be a thing done if a user logs into the UI or then goes to the FW update section in the UI and selects check for FW updates from the server. Why is this a constant event happening?

Wondering if this is why some users post about their data plans being used up prematurely after Orbi was installed.

https://community.netgear.com/t5/Orbi/Orbi-RBK50-Massive-data-usage-and-traffic-meter-is-half-of-wha...

Message 13 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space


@FURRYe38 wrote:

I would think that checking for updates should only be a thing done if a user logs into the UI or then goes to the FW update section in the UI and selects check for FW updates from the server. Why is this a constant event happening?

I agree this seems inefficient (checking frequently for months rather than when the user logs in).  It may be a hold-over from the days when Netgear would silently push firmware updates to Orbi.  And, since they (apparently) intend to do an auto push for "major" firmware updates (whatever that is, and if they EVER happen), then the Orbi has to check and not wait for the user to log in.  I would think "once a week" would be plenty often, unless the firmware was an "urgent fix" to some zero day exploit.

Wondering if this is why some users post about their data plans being used up prematurely after Orbi was installed.

https://community.netgear.com/t5/Orbi/Orbi-RBK50-Massive-data-usage-and-traffic-meter-is-half-of-wha...

This one I doubt.  Doing one http: "get" is at most a few hundred characters. Even a thousand times a day would not create gigabytes of data.


 

Message 14 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

Maybe this is something that we can bring to the attention of the moderators to push to engineering. Would be nice if this could be reviewed and tuned to be less active.

@Blanca_O 

@ErnestTheGreat 

@Christian_R 

Message 15 of 41
icuhackn
Tutor

Re: Outbound traffic to Amazon space

Thank you for this thread ... I thought I was going crazy looking at my PA-220 logs and seeing all this traffic. I have a very similar setup as you. Going to add those to my pi-hole blacklists too. The Satellite is making outbound calls too and not just the router in AP mode.

Message 16 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

After mucking around, here is my final list of rules with FQDNs/subnet to block/allow (in the top-bottom order, src: Orbi router + satellite):

ALLOW:
www.netgear.com AppID: ping

DENY ANY:
devicelocation.ngxcld.com
fw.updates1.netgear.com
genieremote.netgear.com
http.fw.updates1.netgear.com
peernetwork.netgear.com
presence.ngxcld.com
readycloud.netgear.com
readyshare.netgear.com
registration.ngxcld.com
updates1.netgear.com

DENY: 52.0.0.0/11 AppID: Any

DENY: AppIDs: aws-iot, ftp, ping, ssl, web-browsing

Message 17 of 41
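Editor's added example (not posted by anyone in this thread): the rule list above, the 52.0.0.0/11 prefix from Message 1 and the ELB answers from Message 7 turned into a small first-match policy check that can be replayed over firewall log lines to see which rule each Orbi flow would hit and how chatty each destination is. The log format, the 203.0.113.x addresses and the rule names are constructed for the example, not PAN-OS syntax.

```python
"""Replay the Orbi egress policy from the thread over constructed log lines."""
import ipaddress
from collections import Counter

AMAZON_SPACE = ipaddress.ip_network("52.0.0.0/11")   # prefix named in the thread

# Rules in the order the post lists them: first match wins.
DENY_FQDNS = {
    "devicelocation.ngxcld.com", "fw.updates1.netgear.com", "genieremote.netgear.com",
    "http.fw.updates1.netgear.com", "peernetwork.netgear.com", "presence.ngxcld.com",
    "readycloud.netgear.com", "readyshare.netgear.com", "registration.ngxcld.com",
    "updates1.netgear.com",
}
DENY_APPS = {"aws-iot", "ftp", "ping", "ssl", "web-browsing"}

def in_amazon_space(ip: str) -> bool:
    return ipaddress.ip_address(ip) in AMAZON_SPACE

def classify(fqdn: str, dst_ip: str, app: str) -> tuple:
    """Return (action, rule) for one flow, walking the rules top to bottom."""
    if fqdn == "www.netgear.com" and app == "ping":
        return ("allow", "allow-netgear-ping")     # keeps the GUI status "Good"
    if fqdn in DENY_FQDNS:
        return ("deny", "deny-fqdn")
    if in_amazon_space(dst_ip):
        return ("deny", "deny-52.0.0.0/11")        # advisor.ngxcld.com lands here
    if app in DENY_APPS:
        return ("deny", "deny-app")
    return ("allow", "default")                    # nothing in the post's list matched

# Constructed log lines: dst_fqdn,dst_ip,app,bytes. The 52.24.x.x addresses mirror
# the ELB answers quoted in Message 7; 203.0.113.x is a documentation range.
SAMPLE_LOG = """\
advisor.ngxcld.com,52.24.192.26,ssl,74
advisor.ngxcld.com,52.24.160.87,ssl,74
www.netgear.com,203.0.113.10,ping,98
updates1.netgear.com,203.0.113.20,ftp,66
unknown,192.168.100.1,ping,98
"""

def summarize(log: str) -> dict:
    """Count hits and bytes per (action, rule, fqdn) so the chattiest destinations stand out."""
    hits, total_bytes = Counter(), Counter()
    for line in log.splitlines():
        fqdn, ip, app, size = line.split(",")
        key = classify(fqdn, ip, app) + (fqdn,)
        hits[key] += 1
        total_bytes[key] += int(size)
    return {k: (hits[k], total_bytes[k]) for k in hits}

if __name__ == "__main__":
    for (action, rule, fqdn), (n, b) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{action:5} {rule:20} {fqdn:28} hits={n} bytes={b}")
```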
icuhackn
Tutor

Re: Outbound traffic to Amazon space

This is great, thanks! I just set mine up. Do you see this destination in your PA logs for ICMP?
( addr.dst in 192.168.0.120 )

I can only assume that perhaps the wifi backhaul is using that address; however, I cannot see anywhere in the WebUI configuration or general documentation that says what network it uses for backhaul connectivity between router and satellite Orbi. I have the AX6000 series devices.

 

Thanks!

Message 18 of 41
CrimpOn
Guru

Re: Outbound traffic to Amazon space

The Orbi WiFi backhaul is a 5G radio link directly between the router and satellite.  Since it is encrypted in a WiFi signal, I doubt very much that this traffic will be "capturable".  (word?)

Message 19 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

Re: the outbound 192.168.x.x address pings

In my logs since the day I installed the Orbi, I see one icmp outbound packet from the Orbi router per day to 192.168.100.1 which gets denied by my src:any dst:rfc1918 subnets rule. I am not sure where this comes from.

Btw, if you would like a complete list of URLs your Orbi devices are configured for, telnet to your router, and:

root@RBR20:~# grep -rw '/etc' -e 'https:'

Some of the domains are not related to our devices, however, a few more popped up in the config (I don't see these in the pcaps):

advisor.qa.arloxcld.com
registration.qa.ngxcld.com
presence.qa.ngxcld.com
registration.qa.ngxcld.com
updates.netgear.com
genieremote-qa.netgear.com
devcom-qa.up.netgear.com
arlo-device-staging.messaging.netgear.com
devicelocation.dev.ngxcld.com
devicelocation.qa.ngxcld.com
devicelocation.ngxcld.com
redmine.lighttpd.net

 

It probably won't hurt to block these as well.

Message 20 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

192.168.100.1 maybe your upstream modem? Stand alone modems usually use this address for their web page access.

Message 21 of 41
icuhackn
Tutor

Re: Outbound traffic to Amazon space

Never thought to telnet to the router .... doh! Really Netgear, telnet open? I will take a look. In regards to the other comment surrounding it being the upstream router ... that is not my case. I have a PA-220 firewall that sits between my homenet (172.31.2.x) where my pi-hole is the DNS and DHCP server. The Orbi sits on this homenet as an AP. The outside of my PA-220 is static to my FIOS router which sits on a 192.168.1.x subnet ... so I don't know where it would be sending that 192.168.0.x to as nothing has been configured. I will look at the telnet into the router to see what this thing is doing. Thanks for the feedback!

Message 22 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

Same here, I don't use 192.168.100.x space at all on my home network. My PA gets an outside IP from Spectrum (external interface is configured in DHCP client mode), inside is 10.x.x.x. My Orbi Costco box looked like it had been opened and the units had been used previously. I am wondering if this 192.168.100.x came from the previous home setup and the Netgear reset to default button doesn't really completely wipe previous configuration?

Message 23 of 41
FURRYe38
Guru

Re: Outbound traffic to Amazon space

What's the Mfr and model # of your ISP modem? Just curious. That IP address comes from stand alone modems' management web page only, regardless of WAN IP from ISP service which is different.

Reset should wipe out all configurations and information.

You might try this: save a backup configuration to file of the RBR, factory reset, re-load FW on to the RBR, factory reset once more and see if that address still appears. If not, re-apply the config file from backup.



Message 24 of 41
1qwerty1
Tutor

Re: Outbound traffic to Amazon space

Furry, I work from home now, can't play too much with my router affecting wireless (mostly my home users). Maybe one day I will reset it to defaults and check for that 192.x.x.x connection.

To sum it up, all this outbound traffic needs to be addressed by Netgear. For ex., in 24 hrs, there were 45870 outbound hits from the Orbi router to Amazon, each packet is 74 bytes, total is about 3 MBytes of data per day (all denied by the firewall). This doesn't seem much, but the volume of these connections, in my opinion, from one device is staggering.

Message 25 of 41
Discussion stats
  • 40 replies
  • 6564 views
  • 2 kudos
  • 5 in conversation