Friday, 20 January 2017

What's talking to what?

The recent broadband issues we've been having exposed me to some of the network diagnostic capabilities of our router. One of which is a table of sessions the router is managing between devices in our home and the big wide internet. I made the mistake of delving into this a little deeper, with the result that I'm now paranoid about what servers on the internet my smart home systems are talking to on a regular basis.


Unfortunately the router's sessions table lists only which internal IP addresses are talking with which external IP addresses. Converting the internal addresses is relatively straight forward, as I've set up the router to bind all of the expected devices on the network to specific IP addresses. For the external IP addresses a reverse DNS is required to find out who owns them and where they are. I used www.ipinfo.io manually for several reverse DNS enquiries, until I noticed that it offers an API to process IP addresses, at which point I decided to write a Python script to automate the whole analysis.

The code is fairly straight forward. First read in the IP binding list from file and build a dictionary with the device names and internal IP addresses. Then read in the sessions, again from file, and parse each line to extract the internal IP address and external IP address into a list. Converting this list to a set effectively eliminates any duplicates. Then send a call off to ipinfo.io with each external IP address from the set to get a JSON response, from which the organisation and location of each IP address can be extracted. And finally create a CSV file to dump out the resultant list of internal device names and external organisations. The results look something like this:


All of this looks pretty much okay. Our HP printer talks to HP servers (and only HP's servers, it is nice to see) as we've got cloud printing turned on. It is slightly interesting to see that Philips are using Rackspace to host their Hue system back-end, but not totally surprising. I'd not come across Google's use of the 1e100.net domain name, but a quick search reveals that Google consolidated their back-end systems under a single domain back in 2009. 1e100 is the scientific notation for 1 googol. And the various devices talking to BT is also expected, as BT provide our broadband (sometimes).

The stuff I'm not so happy about is my IP cameras. They're chatting away with a whole range of people which don't immediately seem relevant. One of the IP cameras is even talking to NIST in Boulder, Colorado. Another appears to have ambitions of becoming an autonomous car when it grows up, as it is connecting to www.quickdrivingtestcancellations.net to arrange a driving test. The only two things outside my network I want my IP camera talking to are an NTP time server, and an email server. So I think I might enable these on my NAS to send all that traffic through one pipe, and block all other traffic using the router's firewall.

No comments:

Post a Comment