Mysterious outbound UDP traffic on port 8888… Help!

Mysterious outbound UDP traffic on port 8888… Help!

What is this traffic on port 8888? Or a device is infected and trying to communicate over port 8888 to IP addresses all over the world?!?! I’ve seen forum posts with similar titles a handful of times now and the final result is often someone discovering the Private Internet Access (PIA) client on a device or computer. I get a chuckle every time I see it because I was once in their shoes so I figured I would make a post explaining what is going on. I also hope it saves someone from a future freakout moment!Private Internet Access logo

TL;DR version -> R. E. L. A. X. It’s absolutely worth investigating, but you probably haven’t been breached. Instead, your network likely has some shadow IT in an attempt to get around IT-related restrictions.

Changelog
5July2018 – Originally posted

What is Private Internet Access (PIA)? PIA is a low cost, anonymous VPN provider and quite honestly, it’s awesome. For under $70 dollars/year, you get access to a myriad of locations around the world. For example, you can easily make your traffic appear as though it is coming from California, Israel, Canada, or wherever else they have nodes. I do occasionally use PIA if I *really* need to hop on an untrusted network and I want to protect my traffic while I’m on the road. However, more often than not, I use it for customer security testing from external, “outside” IP addresses. For example, if I just added a restrictive firewall rule that *should* only allow traffic from specific IP addresses. I say should because sometimes firewall vendor configurations are quirky and what you thought was a beautifully configured rule just opened a service to everyone on the planet.

Unfortunately, it appears are some other folks are using the anonymous nature of PIA for evil too. We know this because of how many times PIA IP addresses end up on threat feeds and that’s what most of this post will discuss.

Evil? How Do You Know?

The table below shows an IP on my LAN attempting to communicate with a number of bad guys/IPs on the internet. As you may or may not recognize, my block notifications are coming courtesy of the pfSense-based pfBlockerNG package that I’ve written about many times before. pfBlockerNG shows me that the IP addresses are related to AlienVault threat feeds, Bad IP 7-day threat feeds, etc. Honestly, many of the IPs getting blocked are likely on hundreds of other feeds. Why? Those IPs ended up on threat/reputation feeds because at some point, someone from that IP address tried scanning a honeypot or running a vulnerability against a “protected” system and they got caught. No, they weren’t hauled off to jail in that sense of getting caught. Instead, they scanned a system and said system identified the traffic as malicious. It then shared that new information with others and voila, it became part of a basic threat feed.

pfBlockerNG Bad IPs on port 8888

So a bunch of traffic is getting blocked because I’m trying to communicate with an IP address that was known evil at some point. That’s great because they should! But what about the original question of determining if this was PIA traffic and nothing more? What are the other telltale signs of PIA traffic?

Sign #1: UDP Port 8888

First, all of the traffic is destined for UDP port 8888 as shown in the simple connection information below.

19:54:48.044077 IP <myip>.24333 > 104.156.228.165.8888: UDP, length 1
19:54:48.044125 IP <myip>.4481 > 107.182.231.27.8888: UDP, length 1
19:54:48.044180 IP <myip>.59804 > 172.98.79.199.8888: UDP, length 1
19:54:48.044229 IP <myip>.62132 > 162.251.236.6.8888: UDP, length 1
19:54:48.044282 IP <myip>.13800 > 205.251.148.122.8888: UDP, length 1
19:54:48.044336 IP <myip>.58759 > 89.238.154.241.8888: UDP, length 1
19:54:48.044389 IP <myip>.52178 > 31.24.226.230.8888: UDP, length 1
19:54:48.044433 IP <myip>.43292 > 89.238.139.7.8888: UDP, length 1

Sign #2: Length Matters

If you look again at the simple traffic flow data above and you’re used to perusing network traffic, you might have noticed all of the packets have a length of 1. That’s odd to say the least. In this case, the packets act as a test to see if the external host is accessible. If you were to dive into further analysis of the packet, the hex data is 61, which translates to a lowercase letter ‘a’ and I’ve highlighted both below.

Wireshark packet data from PIA

Sign #3: Countries Contacted

Going back to the block list created by pfBlockerNG, you’ll see the column GeoIP. The 2-letter country code found there is related to the destination IP address. Is it normal for machines to rifle through IP addresses from all over the globe? Probably not!

Country Code Country
IL Israel
IT Italy
IE Ireland
SE Sweden
DE Germany

 

PIA icon

Right-click the PIA client icon next to your clock (red when not connected, green when it is) and you’ll see a large list of locations PIA can connect to. You can browse through the select-able locations and easily find ones that have issues by correlating them with the block list. I’ve highlighted a handful of the locations I found which generated alerts such as Germany and Sweden.

PIA client connection list

Detecting PIA Without pfBlockerNG

When this first happened to me, I saw the alert from pfBlockerNG. What if you don’t have pfBlockerNG at your disposal? Are you doing egress filtering? All commercial firewalls [that are not re-branded consumer-grade junk] allow you to perform egress filtering rather easily. The issue is usually figuring out your traffic and which ports are necessary. Fortunately or unfortunately, for this reason most default firewall configurations start off with an “allow all” instead because a) it’s easier and b) many people have a bear of a time configuring anything otherwise. If you don’t have egress filtering configured and/or you ended up here because someone was doing shadow IT on your network, then you could block 8888 outbound and the PIA “issue” goes away. But wait! Keep in mind there are a thousand (or more) other VPN solutions available and not all of them use port 8888. So while you’re blocking 8888 outbound, you really need to go ahead and block everything else outbound except for what you need. You would be amazed at the number of problems — outbound spam, some malware, some ransomware — egress filtering can proactively prevent or at least detect. Not to mention, your network will thank you!

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

4 thoughts on “Mysterious outbound UDP traffic on port 8888… Help!

  1. I have forwarded your post to PIA and asked for comments. This is what they replied:
    Quote
    Thank you for reaching out to us for support.

    This is actually not mysterious traffic. This traffic is being generated by Ruby, and is simply sending a ping to all of PIAs different servers. If you would like to verify this, you can use a terminal window and use the command “tracert xxx.xxx.xxx.xxx” where the “x”‘s are the IP Addresses that you are seeing before the port 8888. You will find that when the tracert completes, the end hostname will be one of several shell companies used by PIA such as logic web, choopa, m247 and there may be a couple of others. This traffic is only used to find the server with the lowest ping times so that when you disconnect from our service, and select “connect automatically”, the server with the lowest ping time will be the one that you are connected to.

    Please let us know if we can further assist you.
    Unquote

    1. Hey Jerome! PIA support is spot on. There’s nothing mysterious or malicious about the traffic. The title and first few sentences are simply the type of reactions I see (or hear) from people when they first find this “type” of traffic on their network. The post really is explaining what this traffic looks like and why it appears evil at first glance in the hopes “it saves someone from a future freakout moment!” As I mentioned, I personally went through this entire step-by-step analysis some time ago and since then I’ve heard others discussing it so I thought it would make an interesting post. Thanks again for stopping by!

  2. Thank you for writing this up. I should have checked first before wiping my macbook on the fear that it is infected.

    Since, installing PIA I started seeing these alerts again on my pfblockerng. That’s when I thought of searching inter webs.

    Oh well, at least now I have clean macbook air.

Leave a Reply

Your email address will not be published.