What can we do to block a replay attack?
Answered

Dear Developer,
We recently discovered that attackers used a replay attack to access the Nx server.
Is there any solution that can block attackers?
The following is the packet information we intercepted.

-
Hi Chung,
I'm sorry that I cannot give any suggestion for your case since the information is not enough for us.
In the screenshot, I only see the 54.208.x.x IP call the PTZ API.
If the server port is open and accessible over the Internet, you might set up a firewall rule (on your gateway device) to block the rogue IP and prevent your server from being attacked.

Let me know if further assistance is required, thank you.
0 -
Hi Chung I-Chia,
Some assumptions here.
You connect to the system via our Nx Cloud portal.
And the IP addresses (54.208.182.145 and 54.208.160.177) you see are from Amazon (Link 1 and Link 2).
Amazon is our partner where we host our Nx Cloud instance. If your network doesn't allow a NAT traversal connection, it will shift to a proxy connection and these packets will appear in Wireshark.

But if my assumptions are wrong, most likely your login credentials are compromised and I would recommend doing the following:
- Open the System Administration menu (Ctrl+Alt+A), tab General on the Nx Witness Desktop client.
- Look for Only allow secure connections and optional Encrypt video traffic.
- Change the login credentials for at least the compromised user.
0 -
Dear Wendy Chuang and Norman Graafsma,
1. In the first picture, when a user uses a PTZ command to control the camera, it is possible that Amazon will send another PTZ command at the end, causing the camera to be moved to an incorrect position (far left, right or bottom). The following picture is more information about the packet.
2. The following are the IP addresses we have currently detected.
18.209.100.47, 18.212.24.175, 18.234.227.98, 3.81.39.35, 3.82.11.226, 3.83.113.100, 3.88.226.178, 3.88.39.44, 3.89.138.241, 3.95.153.142, 34.214.164.145, 34.216.84.215, 34.217.118.199, 34.229.214.52, 34.229.96.96, 34.229.98.96, 34.238.118.149, 52.12.101.44, 52.90.45.95, 54.157.208.23, 54.166.78.231, 54.198.113.68, 54.198.56.111, 54.244.182.223
All of them are Amazon, so they are not attackers?
The packets we currently receive are all from one user and the other is Amazon and their verification is the same.
Using Nx Cloud, will we receive two packets? But not every packet will be copied.
Thanks for your response.
0 -
Hi Chung I-Chia,
- Amazon doesn't send anything. In case of a proxy connection, the commands are routed through Amazon.
If you want to be sure what is going on, you should run Wireshark on the server and on the client and compare the packets that were sent and received from each side towards each other.
- I checked a few, not all, and they all seem to be Amazon. https://whatismyipaddress.com/ip-lookup
I can't tell the number of packets you should see or not without knowing the content of the capture. Feel free to share the capture file. Investigating it from an image is impossible.
Assuming it is a TCP 3-way handshake, it is fair to assume you should have two packets on one side (SYN and ACK) and one on the other (SYN, ACK).
0 -
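
One way to carry out the client-versus-server capture comparison suggested in the reply above, as an added example that is not part of the original thread and is not Nx code. It assumes the HTTP requests from each capture have been exported as (time, source IP, method, request target) records and that both machines' clocks agree to within a couple of seconds; the request path and all addresses are constructed placeholders.

```python
# Constructed sample records (not taken from the thread's capture).
# Each record: (seconds, source_ip, method, request_target).
# "/ptz-placeholder" is a stand-in path, not a real Nx API route.
CLIENT_SENT = [
    (10.00, "192.0.2.10", "GET", "/ptz-placeholder?cmd=move&x=0.2"),
    (11.50, "192.0.2.10", "GET", "/ptz-placeholder?cmd=stop"),
]
SERVER_RECEIVED = [
    # Relayed requests arrive from the relay's address, not the client's.
    (10.08, "198.51.100.7", "GET", "/ptz-placeholder?cmd=move&x=0.2"),
    (11.57, "198.51.100.7", "GET", "/ptz-placeholder?cmd=stop"),
    # Same request seen a second time: the client sent it only once.
    (12.30, "198.51.100.7", "GET", "/ptz-placeholder?cmd=stop"),
    # Request the client never sent at all.
    (12.90, "198.51.100.9", "GET", "/ptz-placeholder?cmd=move&x=-1.0"),
]


def compare_captures(client_sent, server_received, max_skew=2.0):
    """Pair each server-side request with one unused client-side request.

    A pair needs the same method and request target, with timestamps no
    more than max_skew seconds apart. Source IP is ignored on purpose,
    because a proxied connection shows the proxy's address on the server.
    Returns (matched, unexplained, never_arrived).
    """
    unused = sorted(client_sent)
    matched, unexplained = [], []
    for rec in sorted(server_received):
        ts, _src, method, target = rec
        hit = next(
            (c for c in unused
             if c[2] == method and c[3] == target and abs(c[0] - ts) <= max_skew),
            None,
        )
        if hit is None:
            # Nothing the client sent accounts for this request:
            # either a repeat of an earlier one or a foreign request.
            unexplained.append(rec)
        else:
            unused.remove(hit)  # each client request explains one arrival
            matched.append((hit, rec))
    return matched, unexplained, unused


if __name__ == "__main__":
    matched, unexplained, never_arrived = compare_captures(CLIENT_SENT, SERVER_RECEIVED)
    print(f"{len(matched)} matched, {len(never_arrived)} sent but not received")
    for rec in unexplained:
        print("no client-side counterpart:", rec)
```

Requests listed as having no client-side counterpart are the ones worth inspecting in the capture file itself, since they reached the server without the operator's client having sent them.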