BlueIris.exe constantly sending to Amazon AWS ec2 instances

locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Post by locus101 »

Picked up on my firewall a lot of traffic from my BI5 server to different Amazon AWS instances. In one day it was 10G. I put tcpview on the machine and traced it to BlueIris.exe. I watched it for about 30 minutes and it sent up almost 3G in that time to this server on AWS: ec2-44-229-182-9.us-west-2.compute.amazonaws.com. It sent all that traffic, then seemed to terminate that process, restart, and start sending again... and again and again. Each time, of course, tcpview's sent bytes counter gets reset. I don't think that is the only AWS instance it's sending to either. I saw large amounts of traffic going to other IPs at Amazon from the BI server, prior to investigating this.

Edit: It's not terminating the BlueIris.exe process and restarting... it's terminating the connection to the AWS server and reopening it, or moving to a different AWS server. The PID itself of course never terminates.

I do access from my phone when I'm away... but I don't think that would cause that much traffic. And why would it be routed through AWS anyway?

This is ALL outgoing traffic btw... virtually nothing coming in on these connections.

I'm running v5.8.7.11

Anyone know what's up with this?

Thanks in advance,
Last edited by locus101 on Mon Mar 04, 2024 6:59 am, edited 1 time in total.
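
Added example, not part of the thread: because a per-connection byte counter resets whenever the connection is reopened or moves to another EC2 host, the total has to be summed per process and destination group across all connections. The sketch below does that over constructed sample rows; only the first hostname is taken from the post above, and the thresholds, function names and other addresses are assumptions.

```python
import re
from collections import defaultdict

EC2_HOST = re.compile(
    r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.(?:([a-z0-9-]+)\.compute|compute-1)\.amazonaws\.com$")

def parse_ec2_host(name):
    """Return (ip, region) for an EC2 public DNS name, else None."""
    m = EC2_HOST.match(name.lower())
    if not m:
        return None
    ip = ".".join(m.group(1, 2, 3, 4))
    return ip, m.group(5) or "us-east-1"   # compute-1 is the us-east-1 form

# Constructed sample: one row per closed connection
# (process, remote host, bytes sent, bytes received).
# Only the first hostname is from the post; the rest use documentation addresses.
SAMPLE = [
    ("BlueIris.exe", "ec2-44-229-182-9.us-west-2.compute.amazonaws.com", 1_500_000_000, 40_000),
    ("BlueIris.exe", "ec2-198-51-100-7.us-west-2.compute.amazonaws.com", 900_000_000, 25_000),
    ("BlueIris.exe", "ec2-44-229-182-9.us-west-2.compute.amazonaws.com", 600_000_000, 15_000),
    ("BlueIris.exe", "192.0.2.10", 2_000_000, 1_500_000),
    ("svchost.exe", "203.0.113.5", 300_000, 9_000_000),
]

def totals(rows):
    """Sum bytes per (process, destination group) across all connections."""
    acc = defaultdict(lambda: [0, 0, 0])   # sent, received, connection count
    for proc, host, sent, recv in rows:
        ec2 = parse_ec2_host(host)
        # Rotating EC2 endpoints in one region are counted as one destination.
        group = f"aws-ec2:{ec2[1]}" if ec2 else host
        t = acc[(proc, group)]
        t[0] += sent
        t[1] += recv
        t[2] += 1
    return dict(acc)

def upload_heavy(agg, min_sent=1_000_000_000, min_ratio=100):
    """Groups that sent >= min_sent bytes and >= min_ratio times what they received."""
    return sorted(k for k, (s, r, _) in agg.items()
                  if s >= min_sent and s >= min_ratio * max(r, 1))

if __name__ == "__main__":
    agg = totals(SAMPLE)
    for key in upload_heavy(agg):
        print(key, agg[key])
```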
pootug
Posts: 17
Joined: Thu Sep 10, 2020 8:21 am
Location: South Coast UK

Post by pootug »

You haven't tried to use Alexa with BI by any chance?
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Post by locus101 »

No... I use the BI Android app. That's the only app that connects to the BI server. And BI is the only thing running on it.
louyo
Posts: 161
Joined: Sat Apr 18, 2020 1:16 am

Post by louyo »

Well, my real answer, about blueiris.exe, is "I don't know". But here is a SWAG based on my experience with cameras and NVRs:
To access your device from the Internet, like from your phone, the phone normally would connect via your router. The router is, or should be, blocking ports. So, the enabled device, like a camera or NVR, has to "poll" a server somewhere to see if anyone is trying to connect. Most of these servers are on AWS and controlled by the company offering "easy access via your smart phone". I have seen this with cameras and NVRs using logs and Wireshark.
Not knowing anything about the workings of the Android app, that is just a guess.
I do know that allowing a camera or NVR access via an app on some device will trigger such. In fact, I set a "sort of" honey pot for a cheap camera I bought online several years ago. It seemed to work OK but had quirks. I allowed it to do a firmware update. I watched the log in the router and saw it connect to a server in Tanzania (sp?). This was on a throwaway Windows VM with no BI type software. I had casually given the camera the same password as the Windows admin account (not on purpose, I am not that smart). In less than half an hour, the server in Tanzania had created 2 users as members of the Administrators group in the Windows system. I am guessing they were looking for a bot.
Since then, I do not let any device connect to the Internet. I use a VPN into the router (I use all static public IP addresses and use separate routers/IPs for devices like BI) and then remote connect. I do that with my phone to use BI's web server. Costs a lot more but I sleep better at night.
Like I said, just a guess. I would look into how the Android app and BI communicate.
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Post by locus101 »

Thanks for responding. But this is too much data going out just for polling. As far as I know, the BI Android app connects directly since port forwarding had to be set up to work. Polling wouldn't even be necessary I don't believe.
MikeBwca
Posts: 1097
Joined: Thu Jun 20, 2019 5:39 am

Post by MikeBwca »

BI (and a lot of other programs & apps) use AWS & Google services.
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Post by locus101 »

According to BI support, BI shouldn't be sending anything at all to AWS... especially not that much data. Below is a list of IP addresses I've collected and blocked so far. It seems that when BlueIris.exe starts up it reaches out to one of the 216.239.x.x IPs first then tries to establish connections to some of the others. I've basically been watching TCPview open connections, I grab them, and put them in a block list. As one gets blocked, it tries another. This went on for a while yesterday until I thought I had them all blocked. The last one on the list is one that popped up in the last hour.

All destination ports are 443, and application data is TLS encrypted.

Pogo
Posts: 389
Joined: Tue Jul 18, 2023 7:21 pm
Location: Reportedly in the Area

Post by Pogo »

locus101 wrote: Mon Mar 04, 2024 3:39 pm ...since port forwarding had to be set up...
Ooops. You may want to look into that.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Post by HeneryH »

Looking more closely at your wording...

You are saying that your BI server is making contacts. Does that mean that some unspecified application running on your BI server machine is making contact

or

are you saying that the "BI executable/service" is making the contacts?
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Post by locus101 »

It is the BlueIris.exe that is opening TCP/443 connections at the IP addresses I listed... I have actually added 1 or 2 more since I posted that less than an hour ago. It's definitely not another app or process on the machine.