[pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222

Gertjan · Jan 26, 2021, 1:53 PM

@rimaju said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

alerts (over 45.000) in a few hours about this ip 196.55.215.129 on port 443, 5222 (outbonding)

Outbounding : a local device, a device on your LAN(s) is hammering "196.55.215.129 " ?
Wasn't there also the IP of the local device ?
What about shuttingt down this device - cleaning it up - investigate it - as it uses a brain dead program (or owner) that doesn't take "no" for an answer. Act up onit (w(ll look the other way, don't worry) or, why not, live with it.
If it isn't 'your' device, and you want trusted == well behaving devices on your network : cut the connection and done.

You'll be doing a BIG favour to the web server at 196.55.215.129.

@rimaju said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

Today i disabled "Individual List Reputation", "Collective List Reputation", and no more such alerts!

Like closing your eyes and suddenly the issue isn't there any more ?

denis_ju · Jan 26, 2021, 2:03 PM

@gertjan, you are absolutely right.
I'm trying to understand/investigate the problem.

I'm definitely not give up. But i need a little time.

Alerts are comming from a smartphone, over wifi. But i have no idea what app is producing this traffic!!!

denis_ju · Jan 26, 2021, 2:15 PM

@gertjan, can I intercept this behavior with a snort rule? If yes, what rule do you mean to activate?

Just an idea.

Gertjan · Jan 26, 2021, 4:30 PM

@rimaju

Can you show the issue ?
Isn't there a LAN (local !) IP listed ?

denis_ju · Jan 26, 2021, 4:49 PM

@gertjan Not yet.
My wifi is a mikrotik on NAT. I see only the mikrotik ip on pfsense.

Gertjan · Jan 26, 2021, 5:46 PM

@rimaju said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

@gertjan Not yet.
My wifi is a mikrotik on NAT. I see only the mikrotik ip on pfsense.

Your AP is doing NAT ? Is it a router ?
Don't do that .... just have it doing AP. Shut down the rest (at first).

Okijames · Jan 26, 2021, 5:58 PM

I noticed a ton (30K+ attempts in a few hours) of block alerts to the same address. This is from a phone I recently rooted and installed lineageos. With very few apps installed, I was able to whittle it down to Telegram, the FOSS version in fact.

I've uninstalled Telegram and the phone is no longer attempting to connect to 196.55.215.129.

Spamhaus has the 196.52.0.0/14 CIDR block listed here... https://www.spamhaus.org/sbl/query/SBL510704

My laptop, with Telegram installed, is also attempting to reach addresses in that CIDR block.

Gertjan · Jan 26, 2021, 6:12 PM

@okijames said in [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222:

phone I recently rooted

Ah, nice. A typical school-example of what happens when rooted.
You have to answer the question : do you trust the root kit ?
Telegram accessing https ports ? Euh .......... right, it does : https://core.telegram.org/mtproto/transports
So it could be so that 196.55.215.129 is a front end CDN for telegram - and it's refusing your telegram phone app requests now. Better to check why if possible - maybe your root kit isn't that innocent.

Okijames · Jan 26, 2021, 6:25 PM

@gertjan I never fully trust anything :)

The phone was well behaved before installing Telegram, and is back to being quiet now that Telegram has been removed. Though now I'm doing packet captures of its traffic, where I was only looking at flow and firewall logs before.

Stopping Telegram on my laptop has the same affect. No more connection attempts to the that address.

I should note that Telegram functioned normally, it doesn't appear these specific connections are required for normal operation.

n3xus_x3 · Feb 2, 2021, 5:44 AM

I have the same problem, the smartphone does not have any type of root , the connections are many... , for now I leave it blocked, there is no disservice at the moment

Okijames · Jan 29, 2021, 7:30 PM

Another burst (47K so far) of attempts today, from both my rooted and unrooted phones. It appears to be the FOSS version of Telegram for Android is the culprit.

On my Mac the full desktop Telegram client is less aggressive, in the 100's of attempts per day. The Lite version does not exhibit this behavior.

Okijames · Feb 2, 2021, 5:44 AM

@n3xus_x3 I opened an issue on github. Please chime in... https://github.com/Telegram-FOSS-Team/Telegram-FOSS/issues/490

HolyK · Mar 4, 2021, 12:01 AM

It is not only the Foss version but official Android Telegram app does the same. I have 11888 hits on the IP 196.55.215.129 in last 24 hours. Anyway the Telegram itself works OK. It is "just" annoying...