Router Security: Peplink Audit Trail
Website by Michael Horowitz
 

The Event Log from one Peplink router auditing another

This test was done in March 2020 using firmware 8.0.2. It was not the first time I have run a test like this on a Peplink/Pepwave router, but it had been a long time between tests. The last test also showed that the router does not phone home to Peplink. Many, probably most, routers do report back to their manufacturer. Synology is the worst I have seen at that: their router was constantly communicating with them despite my best efforts. Many routers require you to have an account with the manufacturer. Peplink does not.

The test was done by connecting the WAN port of the router being audited (the inner router, if you will, a Surf SOHO) to a LAN port of the outer router (also a Surf SOHO). The outer router logged every outgoing connection made by the inner router (IP address 192.168.7.77). What you see below is the Event Log from the outer router. No devices were using the inner router at all, and InControl2, the Peplink cloud service, was disabled on the inner router.

At first, I found many outbound connections to IP address 8.8.8.8 on port 443. I had not seen this on previous activity audits. The IP address is the public Google DNS server. I asked the Peplink Forum about this and got a response the same day. Those connections are part of a WAN Quality monitoring feature. In firmware 8.0.2, WAN Quality monitoring is on by default. When I turned the feature off, all connections to IP address 8.8.8.8 stopped. For details see the Forum posting "Firmware 8.0.2 phones home to Google every 10 seconds".

I ran this test for more than two days. Two nights in a row, there was an outbound connection at 3:10AM to port 443 (SSL/TLS) to two Cloudflare IP addresses (104.25.204.4 and 104.25.205.4). According to Peplink, the IP addresses belong to download.peplink.com, from which the router downloads updates to various databases: CA certificates (for making verified, secure TLS connections), Geo and SaaS firewall rules, and updates to the Content Blocking categories. There does not seem to be a way to block these updates other than blocking the domain name or the IP address. Below are the (slightly edited) firewall log entries.

Mar 22 03:10:02 CONN=lan SRC=192.168.7.77 DST=104.25.204.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12571 DF PROTO=TCP SPT=49005 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2

Mar 23 03:10:02 CONN=lan SRC=192.168.7.77 DST=104.25.205.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31629 DF PROTO=TCP SPT=47967 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2

The rest is shown below. The router phones home for the time of day every 30 minutes, making UDP requests to port 123, the standard port for NTP (Network Time Protocol). Each time, it makes four requests, each to a different server. It was using the default time server pool, 0.pepwave.pool.ntp.org. You can use any time server you prefer.

NOTES: My audit ran for over two days; only a few hours are shown here because the rest is just more of the same. In the listing below, DPT is the destination port, DST is the destination IP address and SRC is the IP address of the router being audited. From the perspective of the router doing the auditing (the outer one), the inner router is just another device on the LAN and thus has a LAN-side IP address.


Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=216.229.4.69 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=50.205.244.39 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=216.126.233.109 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2

Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=23.152.160.126 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=74.122.204.3 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=74.208.235.60 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2

Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=50.18.44.198 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=23.31.21.164 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=72.87.88.203 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=162.159.200.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2

Mar 20 19:55:39 CONN=lan SRC=192.168.7.77 DST=45.79.1.70 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=54383 DPT=123 LEN=56 MARK=0x2
Mar 20 19:55:39 CONN=lan SRC=192.168.7.77 DST=74.6.168.73 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=54383 DPT=123 LEN=56 MARK=0x2
Mar 20 19:55:39 CONN=lan SRC=192.168.7.77 DST=54.236.224.171 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=54383 DPT=123 LEN=56 MARK=0x2
Mar 20 19:55:38 CONN=lan SRC=192.168.7.77 DST=72.14.183.239 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=54383 DPT=123 LEN=56 MARK=0x2

Mar 20 19:25:32 CONN=lan SRC=192.168.7.77 DST=158.51.134.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=34256 DPT=123 LEN=56 MARK=0x2
Mar 20 19:25:32 CONN=lan SRC=192.168.7.77 DST=140.82.60.75 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=34256 DPT=123 LEN=56 MARK=0x2
Mar 20 19:25:31 CONN=lan SRC=192.168.7.77 DST=138.68.46.177 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=34256 DPT=123 LEN=56 MARK=0x2
Mar 20 19:25:31 CONN=lan SRC=192.168.7.77 DST=23.31.21.163 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=34256 DPT=123 LEN=56 MARK=0x2

Mar 20 18:55:25 CONN=lan SRC=192.168.7.77 DST=198.60.22.240 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51349 DPT=123 LEN=56 MARK=0x2
Mar 20 18:55:24 CONN=lan SRC=192.168.7.77 DST=47.190.36.235 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51349 DPT=123 LEN=56 MARK=0x2
Mar 20 18:55:24 CONN=lan SRC=192.168.7.77 DST=138.236.128.112 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51349 DPT=123 LEN=56 MARK=0x2
Mar 20 18:55:24 CONN=lan SRC=192.168.7.77 DST=193.29.63.150 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51349 DPT=123 LEN=56 MARK=0x2

Mar 20 18:25:18 CONN=lan SRC=192.168.7.77 DST=69.164.198.192 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=60381 DPT=123 LEN=56 MARK=0x2
Mar 20 18:25:17 CONN=lan SRC=192.168.7.77 DST=108.53.168.46 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=60381 DPT=123 LEN=56 MARK=0x2
Mar 20 18:25:17 CONN=lan SRC=192.168.7.77 DST=206.55.191.142 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=60381 DPT=123 LEN=56 MARK=0x2
Mar 20 18:25:17 CONN=lan SRC=192.168.7.77 DST=69.89.207.199 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=60381 DPT=123 LEN=56 MARK=0x2

Mar 20 17:55:10 CONN=lan SRC=192.168.7.77 DST=165.22.39.103 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=45355 DPT=123 LEN=56 MARK=0x2
Mar 20 17:55:10 CONN=lan SRC=192.168.7.77 DST=45.79.36.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=45355 DPT=123 LEN=56 MARK=0x2
Mar 20 17:55:10 CONN=lan SRC=192.168.7.77 DST=216.229.0.49 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=45355 DPT=123 LEN=56 MARK=0x2
Mar 20 17:55:10 CONN=lan SRC=192.168.7.77 DST=23.31.21.163 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=45355 DPT=123 LEN=56 MARK=0x2

Mar 20 17:25:03 CONN=lan SRC=192.168.7.77 DST=138.236.128.112 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=36982 DPT=123 LEN=56 MARK=0x2
Mar 20 17:25:03 CONN=lan SRC=192.168.7.77 DST=45.76.244.202 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=36982 DPT=123 LEN=56 MARK=0x2
Mar 20 17:25:03 CONN=lan SRC=192.168.7.77 DST=204.11.201.10 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=36982 DPT=123 LEN=56 MARK=0x2
Mar 20 17:25:02 CONN=lan SRC=192.168.7.77 DST=206.55.191.142 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=36982 DPT=123 LEN=56 MARK=0x2

Mar 20 16:54:56 CONN=lan SRC=192.168.7.77 DST=64.22.253.155 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=37815 DPT=123 LEN=56 MARK=0x2
Mar 20 16:54:56 CONN=lan SRC=192.168.7.77 DST=204.93.207.12 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=37815 DPT=123 LEN=56 MARK=0x2
Mar 20 16:54:56 CONN=lan SRC=192.168.7.77 DST=129.250.35.250 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=37815 DPT=123 LEN=56 MARK=0x2
Mar 20 16:54:55 CONN=lan SRC=192.168.7.77 DST=162.159.200.1 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=37815 DPT=123 LEN=56 MARK=0x2

Mar 20 16:24:48 CONN=lan SRC=192.168.7.77 DST=185.117.82.70 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40946 DPT=123 LEN=56 MARK=0x2
Mar 20 16:24:47 CONN=lan SRC=192.168.7.77 DST=178.79.160.57 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40946 DPT=123 LEN=56 MARK=0x2
Mar 20 16:24:47 CONN=lan SRC=192.168.7.77 DST=85.114.128.137 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40946 DPT=123 LEN=56 MARK=0x2
Mar 20 16:24:47 CONN=lan SRC=192.168.7.77 DST=88.212.196.95 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40946 DPT=123 LEN=56 MARK=0x2
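The counting and period-finding described on this page can be automated. The following Python script is an added example, not code from the page or from Peplink: it parses Event Log lines in the format shown above, groups connections by destination and port, collapses the four-request NTP batches into bursts to measure their period, and reports any destination/port pair that the page's explanations do not account for (NTP on UDP/123 to any server, and TCP/443 to the two Cloudflare addresses Peplink identified as download.peplink.com). The sample lines are constructed: the NTP and Cloudflare lines follow the listing above, and the 8.8.8.8 lines are made up to mirror the WAN Quality probes the page describes, spaced 10 seconds apart. The year 2020 is assumed because the log lines carry none.

```python
"""Summarise outbound connections of a router under audit from the
iptables-style Event Log lines shown on this page (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_YEAR = 2020  # assumption: the log lines carry no year; the audit ran in March 2020

# Constructed sample log. NTP and Cloudflare lines follow the page's listing;
# the three 8.8.8.8 lines are invented to mirror the WAN Quality probes the
# page describes (TCP/443 every 10 seconds). Newest first, as on the page.
SAMPLE_LOG = """\
Mar 22 03:10:02 CONN=lan SRC=192.168.7.77 DST=104.25.204.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12571 DF PROTO=TCP SPT=49005 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
Mar 20 21:26:30 CONN=lan SRC=192.168.7.77 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=50003 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
Mar 20 21:26:20 CONN=lan SRC=192.168.7.77 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=50002 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
Mar 20 21:26:10 CONN=lan SRC=192.168.7.77 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=5600 RES=0x00 SYN URGP=0 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=216.229.4.69 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=50.205.244.39 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=23.129.64.159 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 21:26:00 CONN=lan SRC=192.168.7.77 DST=216.126.233.109 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49871 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=23.152.160.126 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=74.122.204.3 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:55:53 CONN=lan SRC=192.168.7.77 DST=74.208.235.60 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=44276 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=50.18.44.198 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=23.31.21.164 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=72.87.88.203 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
Mar 20 20:25:46 CONN=lan SRC=192.168.7.77 DST=162.159.200.123 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=49345 DPT=123 LEN=56 MARK=0x2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<rest>.*)$")

def parse_line(line):
    """Parse one Event Log line into a dict, or return None if it does not match.
    Fields are KEY=value tokens; flag tokens such as DF or SYN carry no '=' and
    are skipped. UDP lines carry LEN twice (IP and UDP length); the first wins."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    fields = {}
    for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):
        fields.setdefault(key, val)
    try:
        return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
                "proto": fields["PROTO"], "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}
    except KeyError:
        return None

def parse_log(text):
    """Parse all lines and return the records oldest first."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    return records

def by_destination(records):
    """Map (dst, proto, dpt) -> list of timestamps, so each remote endpoint
    the audited router talked to is counted separately."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["proto"], r["dpt"])].append(r["ts"])
    return groups

def bursts(records, proto, dpt, gap=2):
    """Collapse connections on one proto/port into bursts: timestamps within
    `gap` seconds of a burst's start belong to it. The NTP sync on the page
    sends four requests within a second, each to a different server, so a
    burst of 4 is what we expect. Returns [(burst_start, count), ...]."""
    times = sorted(r["ts"] for r in records if r["proto"] == proto and r["dpt"] == dpt)
    out = []
    for t in times:
        if out and (t - out[-1][0]).total_seconds() <= gap:
            out[-1] = (out[-1][0], out[-1][1] + 1)
        else:
            out.append((t, 1))
    return out

def burst_period(burst_list):
    """Median seconds between burst starts, or None with fewer than two bursts."""
    starts = [b[0] for b in burst_list]
    if len(starts) < 2:
        return None
    return median((b - a).total_seconds() for a, b in zip(starts, starts[1:]))

# Allowlist built only from what the page explains: NTP to any server on
# UDP/123, and TCP/443 to the two addresses Peplink identified as
# download.peplink.com. None means "any destination".
EXPECTED = {
    ("UDP", 123): None,
    ("TCP", 443): {"104.25.204.4", "104.25.205.4"},
}

def unexplained(records):
    """Return sorted (dst, proto, dpt) triples that EXPECTED does not cover."""
    seen = set()
    for r in records:
        allowed = EXPECTED.get((r["proto"], r["dpt"]), set())
        if allowed is None or r["dst"] in allowed:
            continue
        seen.add((r["dst"], r["proto"], r["dpt"]))
    return sorted(seen)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, times in sorted(by_destination(recs).items()):
        print(f"{key[0]:>16} {key[1]}/{key[2]:<4} {len(times)} connection(s)")
    ntp = bursts(recs, "UDP", 123)
    print("NTP bursts:", [(t.strftime("%b %d %H:%M:%S"), n) for t, n in ntp],
          "median period (s):", burst_period(ntp))
    print("Unexplained destinations:", unexplained(recs))
```

On the sample, the NTP traffic collapses into three bursts of four requests 1807 seconds apart (the 30 minutes the page reports), the Cloudflare connection is covered by the allowlist, and 8.8.8.8 on TCP/443 is the one endpoint left unexplained, which is exactly the finding that sent the author to the Peplink Forum. To audit your own router, feed it the exported Event Log instead of SAMPLE_LOG and extend EXPECTED only with endpoints you have an explanation for.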

This page was last updated: March 24, 2020 1AM CT     
Created: March 20, 2020
Copyright 2015 - 2020