New Cisco 1832 constant traffic to NSA?

mynameisjuan

So I work for an ISP as a tier 2 and was playing around with our new Cisco 1832 APs. During my testing I always have Wireshark open because I am just interested in traffic. So after trying to put the APs in autonomous mode (which is impossible now) I noticed some odd traffic... Off the network completely during testing, I assigned the AP a management IP of 192.168.50.2. OK, I began to see packet captures from the AP...

But then I noticed something else. I noticed a 192.168.0.8 address from the AP requesting ARP for 6.0.0.1. That IP is part of the block for the National security of defense. I was like what the fuck is it sending. I did a show run and nowhere in the config was any reference to 192.168.0.8, nowhere. Where the hell was this IP coming from? It has to be hardware on the AP that I don't have access to, because the MAC was a bit off from the actual ETH0 MAC. But every 5 mins it was constantly trying to reach out.

I just thought I'd share this because with the gigs of traffic I see a day I have always been skeptical that the NSA is watching; there's just too much shit to monitor... But after this, it looks like Cisco is maybe tied to the government in some way? I don't have the packet captures on this PC but will share them when I am back in the office. The packet captures are basic though, as it's just trying to discover; no information in them.

It doesn't worry me at all but it is interesting stuff, or scary depending on how you look at it. But this could be just a huge tin foil hat observation lol. I just found it odd that a basic AP is trying to reach a government block.
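One way to turn the Wireshark observation above into a repeatable check, as an added example that is not code from this thread or from Cisco: export the ARP requests from the capture with tshark and run the rows through a small script that flags any sender IP outside the subnet the AP was given (192.168.50.0/24 here), any target IP outside RFC 1918 space (6.0.0.1 qualifies), and any sender MAC that shares the AP's vendor OUI but is not its eth0 address, then reports how regularly each offending talker repeats. The tshark field names and the `-T fields` export format are real; the AP MAC is a placeholder and the capture rows are constructed to resemble what the post describes (a second address ARPing for 6.0.0.1 every five minutes). Because the rule is subnet-based rather than tied to 192.168.0.8, the later change to 192.168.0.101 mentioned further down the thread would be flagged the same way.

```python
"""Flag an unexpected ARP talker on a lab segment.

Added example, not code from the forum thread or from Cisco. It assumes the
ARP requests were exported with tshark, e.g.
  tshark -r lab.pcapng -Y "arp.opcode == 1" -T fields -E separator=/t \
      -e frame.time_epoch -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
The rows in SAMPLE_TSHARK are constructed, not captured; the AP MAC is a placeholder.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

MGMT_NET = ip_network("192.168.50.0/24")  # subnet the AP's management IP was assigned from
AP_ETH0_MAC = "00:11:22:33:44:50"         # placeholder for the AP's eth0 MAC (from "show interfaces")
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed tshark output: the AP ARPing its gateway every 5 minutes, plus a
# second address with a neighbouring MAC ARPing for 6.0.0.1 on the same cadence.
SAMPLE_TSHARK = """\
1500000000.10\t00:11:22:33:44:50\t192.168.50.2\t192.168.50.1
1500000012.40\t00:11:22:33:44:52\t192.168.0.8\t6.0.0.1
1500000300.11\t00:11:22:33:44:50\t192.168.50.2\t192.168.50.1
1500000312.39\t00:11:22:33:44:52\t192.168.0.8\t6.0.0.1
1500000612.42\t00:11:22:33:44:52\t192.168.0.8\t6.0.0.1
1500000912.41\t00:11:22:33:44:52\t192.168.0.8\t6.0.0.1
"""


def parse_tshark(text):
    """Turn tab-separated tshark rows into (epoch, sender_mac, sender_ip, target_ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, smac, sip, tip = line.split("\t")
        rows.append((float(ts), smac.lower(), sip, tip))
    return rows


def is_private(ip):
    """True if the address falls in one of the RFC 1918 blocks."""
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


def shares_oui(mac_a, mac_b):
    """True if the first three octets (the vendor OUI) match."""
    return mac_a.lower()[:8] == mac_b.lower()[:8]


def analyse(rows, mgmt_net=MGMT_NET, ap_mac=AP_ETH0_MAC):
    """Return one finding per (sender MAC, sender IP, target IP) tuple that breaks a rule."""
    seen = defaultdict(list)
    for ts, smac, sip, tip in rows:
        seen[(smac.lower(), sip, tip)].append(ts)

    findings = []
    for (smac, sip, tip), times in seen.items():
        reasons = []
        if ip_address(sip) not in mgmt_net:
            reasons.append("sender IP outside management subnet")
        if not is_private(tip):
            reasons.append("target IP is public address space")
        if smac != ap_mac.lower() and shares_oui(smac, ap_mac):
            reasons.append("sender MAC shares the AP's OUI but is not eth0")
        if not reasons:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        findings.append({
            "sender_mac": smac,
            "sender_ip": sip,
            "target_ip": tip,
            "requests": len(times),
            "median_interval_s": round(median(gaps)) if gaps else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(parse_tshark(SAMPLE_TSHARK)):
        print(f"{f['sender_mac']} {f['sender_ip']} -> {f['target_ip']}: "
              f"{f['requests']} requests, ~{f['median_interval_s']}s apart; "
              + "; ".join(f["reasons"]))
```

Run against the constructed rows it reports a single talker, 192.168.0.8 asking for 6.0.0.1 four times about 300 seconds apart, with all three rules tripped; the AP's own gateway ARPs pass cleanly. The interval is the useful part for triage: a fixed cadence that survives a reboot and a weekend offline points at firmware behaviour rather than anything on the wire, which is what the thread eventually confirms.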

@Lurick :ph34r::ph34r: Explain

/s

That is weird... So the 192.168.0.8 is not part of your network? Someone may be visiting the website?

 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 

Man, this is just more proof of the whole internet having now become weaponized, and while I would agree that there are fools who deserve to have no privacy because they are only interested in spoiling life, not everyone is like that.

I feel that Cisco is not tied to the government but to the agreements that they signed in the past and recently, which is why most if not all router/modem/switch vendors are stopping an end user from using 3rd party firmware and from accessing the terminal.

Buffalotech was a company I liked, and I respected how they provided hardware for the end user, but as of mid 2015 they sent an update to routers which "locked down" routers from being able to have 3rd party firmware installed and said that they were forced to do so. At the end of 2016 they started to prevent an end user from opening the router and accessing the 4-pin terminal with PuTTY or other tools by gluing the router together with a glue that almost doesn't soften.

Now this is just one aspect; there is also the Wi-Fi chips themselves having backdoors. Back in 2013 TP-Link had these issues and the blame was thrown back and forth.

It would be nice to see if, when you flag that 192.168.0.8 as blocked, a new one arises.

A water-cooled mid-tier gaming PC.

45 minutes ago, Abdul201588 said:

That is weird... So the 192.168.0.8 is not part of your network? Someone may be visiting the website?

No, that is not part of our network at all. During this process I am off our main network, and I even ran a capture without the AP for about 30 mins and no traffic was there. It was coming from the Cisco's MAC. I just wish I could find on the AP what is giving it this IP, be it hardware or software not meant for the public.

3 minutes ago, Leonard said:

It would be nice to see if, when you flag that 192.168.0.8 as blocked, a new one arises.

I would be interested in that too. At this point I will not put the AP on the network because I want to look into this more. As of now the AP has still yet to reach the IP, as it's not connected, but after a few hours it was still trying to reach out to that IP with no change. Come a few days later, I will see.

I'm curious about this now. I've run plenty of captures but never seen this from an AP. I'd love to see some captures :)

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:

2 minutes ago, mynameisjuan said:

I would be interested in that too. At this point I will not put the AP on the network because I want to look into this more. As of now the AP has still yet to reach the IP, as it's not connected, but after a few hours it was still trying to reach out to that IP with no change. Come a few days later, I will see.

Please update your findings if you can.

A water-cooled mid-tier gaming PC.

Just now, Lurick said:

I'm curious about this now. I've run plenty of captures but never seen this from an AP. I'd love to see some captures :)

Neither have I!!!! That's why I made this post, because this is new. First thing Mon when back in the office I will have them for you!!

By the way, this post is probably monitored as fuck right now even though it's just about an AP trying to reach an IP. So if I disappear you know why, my dudes. xDxD

Ugh, paranoia is real right now even though I was just trying to put a god damn AP in autonomous mode! That's all I wanted!!! haha

It seems another series of APs had a problem where this IP also did something.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc63790/?referring_site=bugquickviewredir

It says in the details the bug was fixed in the Nov 19 release of the firmware for this AP.
So maybe try updating your firmware first to see if this still remains. There could have been some problem with the firmware.
When looking at some Cisco examples, the 6.0.0.1 IP address is sometimes used in examples for tunneling.
The 6.0.0.0 block is used by the Army Information Systems Center. This looks to be a very important group; maybe it's checking for a certificate here for something.

7 hours ago, mynameisjuan said:

So I work for an ISP as a tier 2 and was playing around with our new Cisco 1832 APs. During my testing I always have Wireshark open because I am just interested in traffic. So after trying to put the APs in autonomous mode (which is impossible now) I noticed some odd traffic... Off the network completely during testing, I assigned the AP a management IP of 192.168.50.2. OK, I began to see packet captures from the AP...

But then I noticed something else. I noticed a 192.168.0.8 address from the AP requesting ARP for 6.0.0.1. That IP is part of the block for the National security of defense. I was like what the fuck is it sending. I did a show run and nowhere in the config was any reference to 192.168.0.8, nowhere. Where the hell was this IP coming from? It has to be hardware on the AP that I don't have access to, because the MAC was a bit off from the actual ETH0 MAC. But every 5 mins it was constantly trying to reach out.

I just thought I'd share this because with the gigs of traffic I see a day I have always been skeptical that the NSA is watching; there's just too much shit to monitor... But after this, it looks like Cisco is maybe tied to the government in some way? I don't have the packet captures on this PC but will share them when I am back in the office. The packet captures are basic though, as it's just trying to discover; no information in them.

It doesn't worry me at all but it is interesting stuff, or scary depending on how you look at it. But this could be just a huge tin foil hat observation lol. I just found it odd that a basic AP is trying to reach a government block.

If you look up the coordinates in Google Maps, it's in the middle of nowhere. Possibly one of those facilities that the NSA sends all the telecommunications data to for their domestic surveillance programs. Honestly, I doubt it's Cisco. It's most likely your employer giving the government data. Remember AT&T got a lot of press a few years ago with them allowing the NSA to install things on their network for surveillance. There is supposed to be a large data center in Utah that the NSA was using to store all the data they collect.

I just want to sit back and watch the world burn. 

2 hours ago, Levisallanon said:

It seems another series of APs had a problem where this IP also did something.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc63790/?referring_site=bugquickviewredir

It says in the details the bug was fixed in the Nov 19 release of the firmware for this AP.
So maybe try updating your firmware first to see if this still remains. There could have been some problem with the firmware.
When looking at some Cisco examples, the 6.0.0.1 IP address is sometimes used in examples for tunneling.
The 6.0.0.0 block is used by the Army Information Systems Center. This looks to be a very important group; maybe it's checking for a certificate here for something.

If it is a "bug" that was fixed, I'm not quite sure why it was even there, even if used for tunneling. Like I said, this is a brand new AP so I will try updating and see if it persists. Just found it odd, especially with not a single mention of it in the entire config.

1 hour ago, Donut417 said:

If you look up the coordinates in Google Maps, it's in the middle of nowhere. Possibly one of those facilities that the NSA sends all the telecommunications data to for their domestic surveillance programs. Honestly, I doubt it's Cisco. It's most likely your employer giving the government data. Remember AT&T got a lot of press a few years ago with them allowing the NSA to install things on their network for surveillance. There is supposed to be a large data center in Utah that the NSA was using to store all the data they collect.

It's not my employer, because our NOC is quite small and I have a say in a lot of the decisions. I wouldn't allow any of the data to be sent to them. Cisco would have approved this (if it is actually the government paying Cisco) to have this in their image.

18 hours ago, mynameisjuan said:

I just thought I'd share this because with the gigs of traffic I see a day I have always been skeptical that the NSA is watching; there's just too much shit to monitor... But after this, it looks like Cisco is maybe tied to the government in some way? I don't have the packet captures on this PC but will share them when I am back in the office. The packet captures are basic though, as it's just trying to discover; no information in them.

Not the first time the NSA has intercepted Cisco devices in transit to customers and loaded their own custom firmware on them. Back up the firmware and apply the latest; it'd be interesting if that traffic stopped.

 

P.S. I was highly skeptical when I saw the thread title, BS alarm triggered so hard lol.

1 hour ago, leadeater said:

Not the first time the NSA has intercepted Cisco devices in transit to customers and loaded their own custom firmware on them. Back up the firmware and apply the latest; it'd be interesting if that traffic stopped.

P.S. I was highly skeptical when I saw the thread title, BS alarm triggered so hard lol.

Haha, the title is def click bait worthy, but that's what I am trying to figure out. Could be a bug I guess, but it's quite odd that that IP block would be used at all.

Just now, mynameisjuan said:

Haha, the title is def click bait worthy, but that's what I am trying to figure out. Could be a bug I guess, but it's quite odd that that IP block would be used at all.

I could try to find a good contact in the wireless BU and shoot them an email and ask if you want :)

5 minutes ago, mynameisjuan said:

Packet capture as requested, bois @Lurick @Leonard

As you notice, the IP has changed to 192.168.0.101. This AP has just been running offline all weekend and I just hooked it up and ran a capture; just another odd thing. :ph34r:

Can you ping the IP, and do an nslookup?

9 minutes ago, Abdul201588 said:

Can you ping the IP, and do an nslookup?

Nope, it doesn't respond. Even while doing a constant ping I am still receiving ARP requests, so this interface apparently isn't meant to be talked to.

1 minute ago, mynameisjuan said:

Nope, it doesn't respond. Even while doing a constant ping I am still receiving ARP requests, so this interface apparently isn't meant to be talked to.

What about nslookup?

16 minutes ago, mynameisjuan said:

Packet capture as requested, bois @Lurick @Leonard

As you notice, the IP has changed to 192.168.0.101. This AP has just been running offline all weekend and I just hooked it up and ran a capture; just another odd thing. :ph34r:

I pulled up the internal bug information. It's a result of a bad code port from Meraki code into the mainline code for the non-Meraki APs :)

2 minutes ago, Lurick said:

I pulled up the internal bug information. It's a result of a bad code port from Meraki code into the mainline code for the non-Meraki APs :)

Fail xD

 

Just now, Abdul201588 said:

Fail xD

 

Yah, it was supposed to be for an internal test and looks like they screwed it up xD

1 minute ago, Lurick said:

I pulled up the internal bug information. It's a result of a bad code port from Meraki code into the mainline code for the non-Meraki APs :)

So the Merakis are reaching out :ph34r: ahaha.

But that's good that it is just a bug, as Levisallanon said. I wonder if it was a copy pasta config, which means that IP carried over, or if it was a typo. Either way I'll get them updated this morning and stop worrying about it. Thanks guys!!!!!

Just now, mynameisjuan said:

So the Merakis are reaching out :ph34r: ahaha.

But that's good that it is just a bug, as Levisallanon said. I wonder if it was a copy pasta config, which means that IP carried over, or if it was a typo. Either way I'll get them updated this morning and stop worrying about it. Thanks guys!!!!!

Yah, Meraki is supposed to reach out to the cloud and whatnot and I'm sure we have an internal test server with that address that they failed to remove. I'm still not a fan of it being an always on style device but for some people it's easier to cloud manage so it makes sense.

I couldn't find anything on if they just failed at copy paste or it was a typo though :(
