0 votes
355 views 6 comments
by anonymous
Hi, we've got 3 x RUT240 routers with SIM cards with limited data tariffs. Over the last couple of weeks they have started to use a lot of data, and I've found this to be several hundred constant UDP packets going to ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53, which turns out to be the Teltonika RMS.

The RUT240 devices are running RUT2_R_00.07.04. The firmware started at 01.13.2 up to 01.14.6 and the issues have been on all versions.

No one else has access, we've got decent security and passwords. Disabled the 1 device connected to LAN and it still does it.

We've got a fair few other routers with similar setups, ranging from RUT240 to RUTX11 and only these 3 are causing issues.

Screenshots attached. Please help! Francesco.
by anonymous

Here's some of the UDP requests:

IPV4 UDP 168.232.247.153:39705 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 42.32 KB (93 Pkts.)

IPV4 UDP 168.232.247.32:14802 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 41.87 KB (86 Pkts.)

IPV4 UDP 168.232.247.150:59364 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 41.80 KB (85 Pkts.)

IPV4 UDP 168.232.247.212:45995 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 41.13 KB (91 Pkts.)

IPV4 UDP 168.232.246.108:49254 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 41.00 KB (89 Pkts.)

IPV4 UDP 168.232.246.46:30455 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 40.74 KB (85 Pkts.)

IPV4 UDP 168.232.246.105:12100 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 39.67 KB (85 Pkts.)

IPV4 UDP 170.78.224.136:14709 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 68.30 KB (136 Pkts.)

IPV4 UDP 170.78.225.60:19865 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 66.73 KB (139 Pkts.)

IPV4 UDP 170.78.224.15:65200 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 61.81 KB (129 Pkts.)

IPV4 UDP 170.78.225.1:27292 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 59.86 KB (123 Pkts.)

IPV4 UDP 170.78.225.122:47800 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 59.29 KB (126 Pkts.)

IPV4 UDP 170.78.224.77:25537 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 55.51 KB (136 Pkts.)

IPV4 UDP 170.78.224.74:34489 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 54.66 KB (105 Pkts.)

IPV4 UDP 170.78.225.243:13693 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 53.04 KB (134 Pkts.)

IPV4 UDP 170.78.224.226:12837 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 52.84 KB (107 Pkts.)

IPV4 TCP ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:51276 18.192.27.240:20080 1.97 MB (3237 Pkts.)

IPV4 UDP 170.78.231.29:55139 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 22.52 KB (51 Pkts.)

IPV4 UDP 170.79.98.226:12837 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 12.37 KB (59 Pkts.)

IPV4 UDP 170.79.99.150:59364 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 12.29 KB (107 Pkts.)

IPV4 UDP 170.79.96.15:65200 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 11.11 KB (56 Pkts.)

IPV4 UDP 170.79.97.240:26483 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 10.43 KB (62 Pkts.)

IPV4 UDP 170.79.99.32:14802 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 10.22 KB (108 Pkts.)

IPV4 UDP 170.79.97.60:19865 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 10.17 KB (58 Pkts.)

IPV4 UDP 170.79.98.105:12100 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 9.72 KB (51 Pkts.)

IPV4 UDP 170.79.99.29:55139 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 8.70 KB (101 Pkts.)

IPV4 UDP 170.79.99.153:39705 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 8.02 KB (107 Pkts.)

IPV4 UDP 170.79.96.195:11410 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 7.84 KB (55 Pkts.)

IPV4 UDP 170.79.165.184:12055 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 7.63 KB (101 Pkts.)

IPV4 UDP 170.78.230.164:13303 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 7.57 KB (18 Pkts.)

IPV4 UDP 170.79.164.139:65049 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 7.57 KB (100 Pkts.)

IPV4 TCP ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:55284 18.196.62.30:15010 7.09 KB (43 Pkts.)

IPV4 UDP 170.79.99.212:45995 ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:53 7.08 KB (109 Pkts.)

IPV4 UDP 170.79.165.63:40569 ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:53 6.98 KB (91 Pkts.)

IPV4 UDP 170.79.97.181:42048 ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:53 6.97 KB (58 Pkts.)

Thanks.
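Added example, not part of the original thread: a Python triage of a traffic-monitor export in the format posted above. It groups UDP flows to port 53 by source network and counts source ports below 30000, the RMS VPN hub threshold mentioned in the answer. The /16 grouping, the function name and the field names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Flow lines copied from the post above; the destination label is shown
# exactly as the traffic monitor printed it.
FLOWS = """\
IPV4 UDP 168.232.247.153:39705 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 42.32 KB (93 Pkts.)
IPV4 UDP 170.78.224.136:14709 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 68.30 KB (136 Pkts.)
IPV4 UDP 170.78.225.60:19865 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 66.73 KB (139 Pkts.)
IPV4 TCP ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:51276 18.192.27.240:20080 1.97 MB (3237 Pkts.)
IPV4 UDP 170.79.98.226:12837 ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:53 12.37 KB (59 Pkts.)
"""

FLOW_RE = re.compile(
    r"^IPV4 (?P<proto>UDP|TCP) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<size>[\d.]+) (?P<unit>KB|MB) \((?P<pkts>\d+) Pkts\.\)$"
)
VPN_HUB_MIN_PORT = 30000  # per the answer: RMS VPN hub UDP ports start at 30000


def summarize_dns_flows(text, prefix_len=16):
    """Group UDP flows to port 53 by source network; return {network: stats}."""
    stats = defaultdict(lambda: {"flows": 0, "pkts": 0, "kb": 0.0, "low_sport": 0})
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dport"] != "53":
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # source shown as a hostname, not a literal address
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        s = stats[str(net)]
        s["flows"] += 1
        s["pkts"] += int(m["pkts"])
        s["kb"] += float(m["size"]) * (1024 if m["unit"] == "MB" else 1)
        if int(m["sport"]) < VPN_HUB_MIN_PORT:
            s["low_sport"] += 1  # cannot be RMS VPN hub traffic by that rule
    return dict(stats)


if __name__ == "__main__":
    for net, s in sorted(summarize_dns_flows(FLOWS).items()):
        print(net, s)
```

A handful of unrelated source networks, each sending many packets to port 53 on the mobile interface, is the pattern to look for in the full export.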

1 Answer

0 votes
by anonymous

Hello,

It is not that the traffic is generated by RMS. It is only forwarded to RMS, port 53, which is the default port used by DNS service.

The question is what are all those 170.x.y.z and 168.x.y.z IP addresses?

UDP protocol is used by RMS VPN hub service, but only with port numbers starting from 30000, yet there are lesser numbers. Are you using VPN HUB?

Have you tried resetting any of the devices to factory default settings to check whether this traffic keeps going?

Could you download TCPdump from router's WebUI Services -> Package manager -> Packages and enable TCP dump monitoring in System -> Administration -> Troubleshoot page specifying UDP protocol and mobile interface? Then download this file and attach it by editing your question.

Also, is there any particular reason why you are using legacy firmware instead of the current RutOS?

Best regards,

  

by anonymous
Hi there, many thanks for the reply.

We don't use the RMS VPN hub and all other VPN services are turned off. There are no untoward rules or anything else I haven't set up.

I haven't as yet tried a reset and setup as the routers are on remote sites. I can try that next week though on one.

I checked those addresses as there's several, and they all are marked as being in Brazil. The routers are in the UK.

Attached TCPDump file after leaving it a few minutes above. Let me know if I need to leave it longer.

The routers all have the latest RUTOS 07.04 at the moment. The issue happened as well on legacy firmwares previously.

Many thanks, Francesco.
by anonymous

Hi,

I am also seeing data to a data centre based in Germany:

IPV4 TCP ec2-18-192-27-240.eu-central-1.compute.amazonaws.com:37270 18.192.27.240:20080 39.64 MB (44629 Pkts.)

IPV4 TCP ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:55284 18.196.62.30:15010 83.48 KB (927 Pkts.)

IPV4 UDP 177.128.162.167:20587 ec2-18-196-62-30.eu-central-1.compute.amazonaws.com:53 16.75 KB (110 Pkts.)

This also looks like the RMS to me. The updates are set to use hardly any data at all (Under 500KB a month), so can't see how it is using 40MB in a few minutes.

Many thanks.

by anonymous

The data center based in Germany is where RMS servers are located and 18.192.27.240:20080 refers to remote HTTP access service of RMS Connect. It either indicates traffic to reach the device over HTTP or some other device behind your RUT240.

Best regards,

by anonymous
Hi,

Today I replaced the RUT240 with another RUT240, same firmware, same SIM card, same connected devices and same configuration but setup from scratch - it's fine. Up to 10 UDP packets like it should be, and no strange traffic.

What could cause all of that please? Just the router malfunctioning? Something more malicious that I couldn't find?

Many thanks.
by anonymous
Your issue looks more like abnormal activity.

All of the queries are for the domain higi.com, and the device was continuously requesting all of the records the server has as well as forwarding them to all available nameservers in the device.

Device reset to factory defaults might have helped.

As for why this has happened, I cannot tell. Other than traffic from RMS services you use and keepalive packets, there should not be additional data usage, once the connection to RMS is established.

Best regards,
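Added example, not part of the original thread: one way to check a capture for the pattern described in the last reply, where a single name and record type dominates the DNS queries and the router relays them to several nameservers. The `tcpdump -n` lines are constructed with documentation addresses (only higi.com comes from the thread), and reading "all of the records" as DNS `ANY` queries is an assumption, as are the function name and the 75% threshold.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` text output; 192.0.2.1 stands in for the router's
# mobile-interface address, 203.0.113.x for its configured nameservers.
CAPTURE = """\
12:00:01.100000 IP 198.51.100.7.14709 > 192.0.2.1.53: 4660+ ANY? higi.com. (26)
12:00:01.100400 IP 192.0.2.1.40001 > 203.0.113.53.53: 9001+ ANY? higi.com. (26)
12:00:01.100500 IP 192.0.2.1.40002 > 203.0.113.54.53: 9002+ ANY? higi.com. (26)
12:00:01.200000 IP 198.51.100.9.19865 > 192.0.2.1.53: 4661+ [1au] ANY? higi.com. (37)
12:00:01.300000 IP 192.0.2.1.40003 > 203.0.113.53.53: 9003+ A? rms.example.net. (33)
12:00:01.350000 IP 203.0.113.53.53 > 192.0.2.1.40003: 9003 1/0/0 A 203.0.113.80 (49)
"""

# Matches DNS queries only: destination port 53 and a "TYPE? name" question.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"\d+[+%*-]* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)


def dominant_query(text, router_ip, min_share=0.75):
    """Return details of the (qtype, qname) pair that dominates the capture, or None."""
    counts, inbound, upstream = Counter(), {}, {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # responses and non-DNS lines
        key = (m["qtype"], m["qname"].rstrip(".").lower())
        counts[key] += 1
        if m["dst"] == router_ip:      # outside host querying the router
            inbound.setdefault(key, set()).add(m["src"])
        elif m["src"] == router_ip:    # router relaying to a nameserver
            upstream.setdefault(key, set()).add(m["dst"])
    if not counts:
        return None
    key, n = counts.most_common(1)[0]
    share = n / sum(counts.values())
    if share < min_share:
        return None
    return {"qtype": key[0], "qname": key[1], "share": share,
            "inbound_sources": sorted(inbound.get(key, ())),
            "upstream_servers": sorted(upstream.get(key, ()))}


if __name__ == "__main__":
    print(dominant_query(CAPTURE, "192.0.2.1"))
```

A non-empty `inbound_sources` list means hosts on the WAN side are reaching the router's DNS service, which is the exposure to close with a firewall rule on the mobile interface.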