Dahua cameras accessing address reserved for documentation

quest100

Pulling my weight
Joined
Aug 10, 2018
Messages
148
Reaction score
223
Location
CA
Several of my cameras (multiple models) are trying to access 203.0.113.2, which is blocked by my firewall rules. A Whois search reveals that the address is in a block reserved for documentation (RFC 5737: IPv4 Address Blocks Reserved for Documentation), which states:

"Three IPv4 unicast address blocks are reserved for use in examples in
specifications and other documents. This document describes the use
of these blocks."

"The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
and 203.0.113.0/24 (TEST-NET-3) are provided for use in
documentation."

"Addresses within the TEST-NET-1, TEST-NET-2, and TEST-NET-3 blocks
SHOULD NOT appear on the public Internet and are used without any
coordination with IANA or an Internet registry [RFC2050]. Network
operators SHOULD add these address blocks to the list of non-
routeable address spaces, and if packet filters are deployed, then
this address block SHOULD be added to packet filters.

These blocks are not for local use, and the filters may be used in
both local and public contexts."


I expect that the attempt to access this address is just some leftover from code debugging that did not get removed. Even without my firewall rules the address should be blocked at multiple points within the internet. Has anyone else seen this or have an alternative explanation?

 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,838
Reaction score
6,412
I've not seen that one mentioned before and I don't see it with any of mine. Which cams?
 

ThomasCamFan

Pulling my weight
Joined
Dec 14, 2020
Messages
144
Reaction score
232
Location
USA
I don't know where I read it (so I could be wrong), but I think some routers support "adblocker" protection that redirects suspect traffic to the 203.0.113.x range. So check your router for such a thing.

- Thomas
 

quest100

The cameras that are doing this are

IPC-HDBW81230E-Z (1 of 1)
IPC-HDW5231R-ZE
HFW5231E-Z12E
437-LPR

None of the following cameras have tried to access this address

IPC-Color4K
SD5A425XA-HNR
IPC-B5442E-Z4E
IPC-HFW4239T-ASE

I don't believe that the UniFi UDM router has ad blocking nor would it be turned on.
 

Mike A.

The only one of those that are doing it that I have is the 5231. Don't see it now with pfSense/ntopng. Don't recall ever seeing it with any of the other monitoring that I've done and I've watched them quite a bit. Maybe run WireShark and see what's actually coming from the cams?

ETA: Ahhh... search for Unifi and 203.0.113.2 and you'll see some things. Likely what it is.
 

quest100

Most of the pages containing UniFi and 203.0.113 seem to be properly using the address as an example address while setting up a UniFi machine - mostly an EdgeRouter-X. The few others that I saw were about a failure while using an alternative dns server.

Nothing that I saw would lead to a camera trying to call out to any address, let alone a bogus address. The firewall rule that is blocking the access is after one that allows the cameras access to the BI computer and another computer that I use for directly accessing the cameras.

I may try WireShark in a few days - I’ve never used it and not sure if I want to begin. Probably should learn the basics of it.
 

Mike A.

They seem to use the range of 203.0.113.0/24 as part of their DNS and content filtering.

UI-Team (3 years ago):

"203.0.113.0/24 is a non routable private network and is used by dnsfilter/content filter. The original usage is for documentation so it should not be used to cross over internet and should not be BGP advertised, so it is impossible to be used by any botnet in the planet."

Posted by u/dbhathcock (1 year ago), "203.0.113.1" (Question):

"Many others have posted about this IP Address showing up in their list of IP addresses in WIFiMan. This is supposed to be a non-routable IP address supposedly used for dnsfilter..."

UI-Marcus (1 yr. ago):

"This is not a vulnerability. It is just another IP Alias for your gateway that is used when you have content filtering enabled to reroute DNS traffic. If you don't want this IP to be active you just need disable content filtering for all networks that may have it enabled.

In short choose None, instead of Family or Work on content filtering."

The cams likely are trying to make some call out (which various Dahua cams/firmware will do) but that's why it's directed to that IP in your Unifi system.
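
An added example, not part of any post in this thread: one way to triage firewall drops like the ones discussed above is to flag destinations inside the RFC 5737 documentation blocks and separate DNS traffic (destination port 53) from everything else, since the UniFi explanation concerns rerouted DNS. The log lines, the netfilter-style `SRC=`/`DST=`/`DPT=` layout, the `[FW-DROP]` prefix and the camera addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# RFC 5737 documentation blocks quoted in the thread.
DOC_NETS = {
    "TEST-NET-1": ipaddress.ip_network("192.0.2.0/24"),
    "TEST-NET-2": ipaddress.ip_network("198.51.100.0/24"),
    "TEST-NET-3": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed sample lines in netfilter LOG style (assumed format, not from the thread).
SAMPLE_LOG = """\
[FW-DROP] IN=br20 OUT=eth8 SRC=192.168.20.11 DST=203.0.113.2 PROTO=UDP SPT=41022 DPT=53
[FW-DROP] IN=br20 OUT=eth8 SRC=192.168.20.11 DST=203.0.113.2 PROTO=UDP SPT=41023 DPT=53
[FW-DROP] IN=br20 OUT=eth8 SRC=192.168.20.12 DST=203.0.113.2 PROTO=TCP SPT=50210 DPT=443
[FW-DROP] IN=br20 OUT=eth8 SRC=192.168.20.13 DST=8.8.8.8 PROTO=UDP SPT=39001 DPT=53
[FW-DROP] IN=br20 OUT=eth8 SRC=192.168.20.12 DST=not-an-ip PROTO=UDP SPT=1 DPT=53
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def doc_block(addr):
    """Return the RFC 5737 block name containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # malformed address field: ignore rather than crash
    for name, net in DOC_NETS.items():
        if ip in net:
            return name
    return None

def summarize(log_text):
    """Count hits per (source, destination, block, kind) for documentation-range destinations."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        block = doc_block(f.get("DST", ""))
        if block is None:
            continue
        # Port 53 matches the "reroute DNS traffic" explanation; anything else deserves a closer look.
        kind = "dns" if f.get("DPT") == "53" else "other"
        hits[(f.get("SRC"), f["DST"], block, kind)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, block, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {dst} [{block}] {kind} x{n}")
```
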
 

quest100

You are probably correct. I did not dig deeply enough.

On a Reddit thread a user complained that typing in this address allowed anyone in the local network to access the UDM router - even if on a (V)LAN that prohibits accessing the UDM. The official UI response was:

"This is not a vulnerability. It is just another IP Alias for your gateway that is used when you have content filtering enabled to reroute DNS traffic. If you don't want this IP to be active you just need disable content filtering for all networks that may have it enabled."

It seems completely bizarre that the UDM would then complain that the camera was trying to access this fictional address instead of whatever the original request happened to be.

I tried using Wireshark to look at what was happening and got nothing. This is because the Wireshark computer is on a different subnet than the cameras and the switch does not route any camera traffic where not needed. If I logged into a camera, Wireshark immediately saw thousands of packets. Also, I tried opening up a browser window at the 203.0.113.1 address and was able to log onto the UDM - not restricted to DNS enquiries as implied by the UI response above. Seems like a security vulnerability as stated in the Reddit thread.
 

Mike A.

I wouldn't worry about it too much as long as you have the cams blocked from the Internet in some way. You might go through and double check that you don't have any of the services, P2P, etc., turned on in the cam. Also can change the DNS/gateway in the cam to point to its own IP. That might keep some of the noise out of your logs. I know in some firmware for that one screen that lists various services there's an enable checkbox at the top which would make you think that unchecking it would disable all of the services listed below. But it doesn't. You have to uncheck each of the services listed.

The irony is that at least some of the Unifi stuff also phones home. ; )
 