Asuswrt-Merlin 384.6 traffic to TCP/5061 and UDP/3478

Choas

New Around Here
Hi,

Currently I am running Asuswrt-Merlin 384.6 on an Asus RT-AC68U in access point mode.
I like it a lot. Thanks! (I just donated).
The router part is taken care of by pfSense on a small PC.
pfSense reports that the RT-AC68U is sending the following packets to hosts on the internet:

TCP SYN to port 5061 (SIP/VoIP?) to:
13.229.26.78 (ec2-13-229-26-78.ap-southeast-1.compute.amazonaws.com)
13.250.235.36 (ec2-13-250-235-36.ap-southeast-1.compute.amazonaws.com)
According to nmap service detection, there is an Asus service running here.

UDP datagram to port 3478 (STUN) to 210.65.113.163 (no DNS entry)

Does anyone know what it is doing and why on such obscure destination ports?
Thanks!


Best regards,
Choas
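The triage described in the post above (a LAN host that should be quiet, pfSense showing it talking to public hosts on odd ports) can be automated. The following is an added example, not pfSense or Asuswrt-Merlin code: it parses pfSense filterlog entries and lists every public destination and port a given host initiates flows to. The log lines are constructed (they reuse the hosts from this thread plus RFC 1918 addresses), the AP address `192.168.1.2` is assumed, and the filterlog CSV field positions follow the pfSense 2.4 layout and should be checked against the documentation for your version.

```python
"""Triage pfSense firewall logs for a LAN host that should have no business on the
internet on its own (an AP), grouping its public destinations by port.  Added
example, not pfSense or Asuswrt-Merlin code.  The log lines are constructed,
the AP address is assumed, and the filterlog CSV field positions follow the
pfSense 2.4 layout (check them against the docs for your version)."""
import ipaddress
from collections import Counter

AP_IP = "192.168.1.2"   # assumed LAN address of the RT-AC68U in AP mode

# Constructed filterlog entries: two SYNs to TCP/5061, one UDP/3478 datagram,
# one LAN-internal DNS query, and one flow from a different host (a laptop).
SAMPLE_LOG = """\
Sep 11 15:40:01 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.2,13.229.26.78,41022,5061,0,S,1,,29200,,mss;sackOK;TS;nop;wscale
Sep 11 15:40:03 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,none,17,udp,76,192.168.1.2,210.65.113.163,33110,3478,56
Sep 11 15:40:05 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.2,13.250.235.36,41023,5061,0,S,1,,29200,,mss;sackOK;TS;nop;wscale
Sep 11 15:40:07 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.2,192.168.1.1,41024,53,0,S,1,,29200,,mss;sackOK;TS;nop;wscale
Sep 11 15:40:09 pfsense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,13.229.26.78,50112,443,0,S,1,,29200,,mss;sackOK;TS;nop;wscale
"""


def parse_filterlog_line(line):
    """Pull the 5-tuple and action out of one IPv4 TCP/UDP filterlog entry.
    Field order (assumed, pfSense 2.4): rule,subrule,anchor,tracker,iface,reason,
    action,dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,sport,dport,...
    Returns None for lines this triage does not care about (IPv6, ICMP, non-filterlog)."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    f = line[idx + len(marker):].rstrip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"action": f[6], "iface": f[4], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}


def is_public(ip_text):
    """True for globally routable addresses; private, loopback, link-local and
    multicast destinations are normal LAN chatter and are left out."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast)


def unexpected_egress(log_text, host_ip):
    """Count flows originating at host_ip to public destinations, keyed by (dst, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None or rec["src"] != host_ip or not is_public(rec["dst"]):
            continue
        counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


def report(counts):
    """One line per destination, most frequent first, suitable for pasting into a thread."""
    return ["%s %s/%d  flows=%d" % (dst, proto, port, n)
            for (dst, proto, port), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(unexpected_egress(SAMPLE_LOG, AP_IP))))
```

Run against a real export (Status -> System Logs -> Firewall, raw view) by reading the file into `log_text`; the LAN DNS query and the laptop's own HTTPS flow are filtered out, leaving only the three public destinations the AP itself initiated.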
 
Not sure whether any of the AIProtection or QoS (or other related services) can be used in AP mode, but if you have opted in with Asus and/or Trend Micro ToS, then that might be the cause.
 
> Not sure whether any of the AIProtection or QoS (or other related services) can be used in AP mode, but if you have opted in with Asus and/or Trend Micro ToS, then that might be the cause.

Not in AP mode.

[attached screenshot: upload_2018-9-11_15-52-14.png]
 
Thanks for your responses.

I have some more information.

I did a bit of nmapping:

13.229.26.78:
5061/tcp open ssl/sip-proxy OpenSIPS SIP Server 1.8.6-tls (x86_64/linux)

52.220.138.165:
5061/tcp filtered sip-tls

13.250.235.36:
PORT STATE SERVICE VERSION
5061/tcp open ssl/sip-proxy OpenSIPS SIP Server 1.8.6-tls (x86_64/linux)

Nmapping these three hosts also shows:
80/tcp open http
443/tcp open https
3306/tcp closed mysql

When I try HTTPS from a browser, it just responds with "Hello~".
The invalid certificate for all three hosts shows the following:

C = US
O = Bitdefender
OU = IDS
CN = Untrusted Bitdefender CA
CN = ip-172-30-0-74.ap-southeast-1.compute.internal

where I assume IDS = Intrusion Detection System (like Snort, which I do run on the pfSense box but has nothing to do with Bitdefender, AFAIK).

Since I use Bitdefender on one laptop, I thought that was the source. However, the laptop is assigned the pfSense box as its default gateway.
The traffic would have originated from my laptop's ip address instead.
Additionally, the Asus is in AP mode and pfSense logs the Asus RT-AC68U being the source of the traffic.

Regarding the STUN UDP traffic to 210.65.113.163, nmap says:

3478/udp open|filtered stun
80/tcp open http-proxy Squid http proxy 3.5.27

This could of course be the way the Asus firmware tries to detect the "real" external IP.

Does this extra info ring a bell to anyone?
It's not that I distrust the firmware, I am just curious. :)


Regards,
Choas
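The external-IP guess in the post above is exactly what a STUN Binding transaction does: the client sends a 20-byte request to UDP/3478 and the server replies with the source address and port it saw, which is the client's public (reflexive) address after NAT. The following is an added example, not Asus or Asuswrt-Merlin code, of both sides of that exchange per RFC 5389; the server reply is constructed in-process with documentation addresses so it runs offline, and `discover_public_address` is the network variant for checking a real server.

```python
"""Minimal STUN (RFC 5389) Binding exchange, the kind of lookup a device makes to
UDP/3478 to learn its public (reflexive) address.  Added example, not Asus or
Asuswrt-Merlin code; the server reply below is constructed in-process."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # classic STUN (RFC 3489) form
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 form, XORed with the magic cookie


def build_binding_request(txid=None):
    """20-byte Binding Request: type, zero body length, magic cookie, 96-bit transaction ID."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def build_binding_response(txid, public_ip, public_port, xor=True):
    """Server side (constructed here for the example): echo the client's transaction ID
    and report the source address the request arrived from.  The XOR form exists so
    NAT ALGs do not spot and rewrite the embedded IP address in transit."""
    addr = struct.unpack("!I", socket.inet_aton(public_ip))[0]
    if xor:
        attr_type = ATTR_XOR_MAPPED_ADDRESS
        port = public_port ^ (MAGIC_COOKIE >> 16)
        addr ^= MAGIC_COOKIE
    else:
        attr_type = ATTR_MAPPED_ADDRESS
        port = public_port
    attr = struct.pack("!HHBBHI", attr_type, 8, 0, 0x01, port, addr)  # family 0x01 = IPv4
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(data, expected_txid):
    """Return (ip, port) from a Binding Success Response; reject anything that is not
    an answer to our own request (wrong cookie or transaction ID) or is truncated."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not RFC 5389 STUN")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            if attr_len != 8 or value[1] != 0x01:
                continue  # only IPv4 handled here
            port, addr = struct.unpack("!HI", value[2:8])
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no (XOR-)MAPPED-ADDRESS attribute in response")


def discover_public_address(server, port=3478, timeout=2.0):
    """Live lookup against a real STUN server (needs network; not used by the offline demo)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (server, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


def offline_demo():
    """Round-trip a request/response pair entirely in-process."""
    txid = bytes(range(12))
    request = build_binding_request(txid)
    reply = build_binding_response(txid, "203.0.113.7", 54321)  # constructed, documentation range
    return len(request), parse_binding_response(reply, txid)


if __name__ == "__main__":
    print(offline_demo())
```

A Binding transaction carries no payload beyond the transaction ID, so on its own it leaks only the fact that the device is asking for its public address; what matters for this thread is which server it asks and what the device does with the answer afterwards (the SIP/TLS connections on 5061 are the part worth capturing). The transaction-ID check is what stops an unsolicited datagram to the same source port from being accepted as the answer.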
 
I suspect this is tied to Asus's "asusnat tunnel" service which is used for AiHome support, however I don't have any additional details.
 
Hi RMerlin,

Asusnat tunnel was indeed still enabled.
I just disabled it via Tools -> Other Settings -> Advanced Tweaks and Hacks.
After a reboot, the traffic seems to be gone.

Thanks for building in that option!
 
> I suspect this is tied to Asus's "asusnat tunnel" service which is used for AiHome support, however I don't have any additional details.

Now I'm getting curious as to what kind of data exactly is being transmitted, as I was assuming that without agreeing to any ToS or EULA there wouldn't be any data sent back to Asus...
 
> Now I'm getting curious as to what kind of data exactly is being transmitted, as I was assuming that without agreeing to any ToS or EULA there wouldn't be any data sent back to Asus...
I didn't bother to capture the traffic and I just disabled Asus NAT tunnel.
In case you want to spend the effort, please share your findings :)
 
