amazon-user01012 asked ·

Network congestion from 192.168.49.1

Work IT for a software company and am running into an issue where our Amazon devices will randomly bring down our network with the amount of traffic they're generating.

Doing a packet capture I'm seeing the following:

192.168.49.1 > 10.X.X.1 > UDP > Source port 60000, Dest port 6XXXX

The data of the packet includes:

46;Ó.ÀDe.1.J...`..E..Z..@.@.Ý.À¨1..d`mê`ñ..FeyHTTP/1.1 200 OK..USN: uuid:e64220d9-7110-bb94-ffff-ffffb19ffe5c::urn:dial-multiscreen-org:service:dial:1..CACHE-CONTROL: max-age=1800..EXT: ..ST:urn:dial-multiscreen-org:service:dial:1..LOCATION: http://10.100.X.X:60000/upnp/dev/e64220d9-7110-bb94-ffff-ffffb19ffe5c/desc..SERVER: Linux/3.0.31 UPnP/1.0 Cling/2.0....


Last outage there was about 2 million of those packets.

Just wondering what I'm looking at? Wi-fi direct traffic from the remotes? The IP 192.168.49.1 isn't part of any of our networks, however the MAC address shows it's from an Amazon device.

fire tv
2 comments

Hi amazon-user01012,

Can you please provide more information about the device? Are you referring to a Fire TV, Fire TV Stick, or Fire Tablet? Which generation is the device?

0 Likes 0 ·

So I did some packet capture on a port that a Fire TV Gen 2 was plugged into and was seeing packet after packet from a 192.168.49.1 address go through. The destination was any IP it could find on our network.

Source port was 60000, UDP, and the data inside it was the same as I originally posted

46;Ó.ÀDe.1.J...`..E..Z..@.@.Ý.À¨1..d`mê`ñ..FeyHTTP/1.1 200 OK..USN: uuid:e64220d9-7110-bb94-ffff-ffffb19ffe5c::urn:dial-multiscreen-org:service:dial:1..CACHE-CONTROL: max-age=1800..EXT: ..ST:urn:dial-multiscreen-org:service:dial:1..LOCATION: http://10.100.X.X:60000/upnp/dev/e64220d9-7110-bb94-ffff-ffffb19ffe5c/desc..SERVER: Linux/3.0.31 UPnP/1.0 Cling/2.0....

whereby the http://10.100.X.X address was the IP address of the Amazon FireTV itself.

Just wondering if this is expected behaviour, and if this has to do with Wi-Fi direct, or UPnP, or some other protocol?

Ideally we wouldn't have this behaviour on a corporate network.

0 Likes 0 ·
Jacek answered ·

Hi amazon-user01012,

Take a look at this doc: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGlhbC1tdWx0aXNjcmVlbi5vcmd8ZGlhbHxneDoxMzU5MzEwYTc2ZGUxZDFi

Especially, page 32/B.2. That packet is a DIAL server response to a DIAL client query (B.1). Bear in mind that the client is responsible for error control, and eventually re-asking that question. So, the interesting part is why we don't see those B.1 queries in your report (although, queries may come on 10.100 network, and AFT gets retarded, and responds on 192.168).

Based on that packet SERVER and LOCATION fields, Amazon should be able to immediately tell whether it originated from their DIAL implementation.

Although, that UPnP implementation is really some lame code (some old open source from a bit dumpster - what may explain fixation on 192.168.41 network). UPnP ratified v 1.1 in about 2008, and what we see there is still pushing the very first spec UPnP 1.0.

From what I see, you provided enough info in your very first message to know what is going on. Although, it could be some lame/rogue app that is installed on that device.

1 comment

Actually, you could hit that http://10.100.X.X:60000/upnp/dev/e64220d9-7110-bb94-ffff-ffffb19ffe5c/desc (LOCATION field) with any browser that shows XML response. That may provide you with info about who owns that code.

0 Likes 0 ·
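An added example, not part of the original posts: a Python sketch that pulls the SSDP/DIAL headers out of a captured UDP payload like the one quoted in the question and checks whether the LOCATION host matches the packet's IP source. The sample payload is constructed from the quoted text, with the redacted LOCATION host replaced by the placeholder 10.100.0.50; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: the response text quoted in the question, with the
# redacted LOCATION host replaced by a placeholder address (10.100.0.50).
SAMPLE_PAYLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"USN: uuid:e64220d9-7110-bb94-ffff-ffffb19ffe5c::urn:dial-multiscreen-org:service:dial:1\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT: \r\n"
    b"ST:urn:dial-multiscreen-org:service:dial:1\r\n"
    b"LOCATION: http://10.100.0.50:60000/upnp/dev/e64220d9-7110-bb94-ffff-ffffb19ffe5c/desc\r\n"
    b"SERVER: Linux/3.0.31 UPnP/1.0 Cling/2.0\r\n\r\n"
)
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"


def parse_ssdp_response(payload: bytes) -> dict:
    """Return the response headers (names upper-cased), skipping any leading frame bytes."""
    start = payload.find(b"HTTP/1.1 200")
    if start < 0:
        raise ValueError("no SSDP search response found in payload")
    head = payload[start:].decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def triage(payload: bytes, packet_src: str) -> dict:
    """Summarise a response and flag a LOCATION host that differs from the IP source."""
    h = parse_ssdp_response(payload)
    loc_host = urlsplit(h.get("LOCATION", "")).hostname
    return {
        "is_dial": h.get("ST") == DIAL_ST,
        "server": h.get("SERVER"),
        "location_host": loc_host,
        "src_mismatch": loc_host is not None and loc_host != packet_src,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PAYLOAD, "192.168.49.1"))
```

A `src_mismatch` of true on a DIAL response is the pattern discussed in this thread: the device advertises its LAN address in LOCATION while the datagram itself carries a different source address.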
LorisAlbanese answered ·

Hi, same strange thing here.
FireStick sends tons of UDP packets from an unknown source address. My LAN resolves to 192.168.75.0/25 and the Fire TV Stick owns a .65 address. While playing, UDP packets are sent to my server:

Oct 20 18:46:31 net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=348 TOS=0x00 PREC=0x00 TTL=64 ID=40533 DF PROTO=UDP SPT=60000 DPT=44607 LEN=328
Oct 20 18:46:45 net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=300 TOS=0x00 PREC=0x00 TTL=64 ID=41007 DF PROTO=UDP SPT=60000 DPT=44607 LEN=280
Oct 20 18:46:45 net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=309 TOS=0x00 PREC=0x00 TTL=64 ID=41008 DF PROTO=UDP SPT=60000 DPT=44607 LEN=289


Hi guys, this strange behavior happens on my network too.

Oct 20 18:46:31 nas kernel: [ 156.643781] net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=348 TOS=0x00 PREC=0x00 TTL=64 ID=40533 DF PROTO=UDP SPT=60000 DPT=44607 LEN=328
Oct 20 18:46:45 nas kernel: [ 170.124317] net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=300 TOS=0x00 PREC=0x00 TTL=64 ID=41007 DF PROTO=UDP SPT=60000 DPT=44607 LEN=280
Oct 20 18:46:45 nas kernel: [ 170.130648] net-fw DROP OUT= MAC=************:18:74:2e:63:ff:36:08:00 SRC=192.168.49.1 DST=192.168.75.5 LEN=309 TOS=0x00 PREC=0x00 TTL=64 ID=41008 DF PROTO=UDP SPT=60000 DPT=44607 LEN=289

1 comment

What your firewall trace shows (combined with the original message) is that your .5 server originated the request to AFT using 192.168.75. After that, AFT got retarded, and is replying from a 192.168.49 (that it likes to use for no reason). Since your server is not receiving a reply, it kicks out another request, and the game continues.

So, that may explain why amazon-user01012 only produced the reply, as everything generated on his/her default network is considered a valid packet.

Of course, AFT is in violation, as it establishes that bogus 192.168.49 network for no reason, and is using it to communicate with other UPnP clients. This is the primary bug to fix here (but it may be that once triggered it is pumping those replies as well).

However, AFT is being triggered by DIAL/UPnP clients constantly sending those requests (as for one reason or another those clients never got the proper responses).

0 Likes 0 ·
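An added example, not part of the original posts: a Python sketch that reads netfilter LOG lines like the ones quoted above and counts UDP flows whose source address lies outside the local subnet, which is how the 192.168.49.1 traffic stands out. The sample log is constructed from the quoted lines (MAC field omitted, one in-subnet line added for contrast); the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the firewall lines quoted above.
SAMPLE_LOG = """\
Oct 20 18:46:31 net-fw DROP OUT= SRC=192.168.49.1 DST=192.168.75.5 LEN=348 TTL=64 DF PROTO=UDP SPT=60000 DPT=44607 LEN=328
Oct 20 18:46:45 net-fw DROP OUT= SRC=192.168.49.1 DST=192.168.75.5 LEN=300 TTL=64 DF PROTO=UDP SPT=60000 DPT=44607 LEN=280
Oct 20 18:46:45 net-fw DROP OUT= SRC=192.168.49.1 DST=192.168.75.5 LEN=309 TTL=64 DF PROTO=UDP SPT=60000 DPT=44607 LEN=289
Oct 20 18:46:50 net-fw DROP OUT= SRC=192.168.75.65 DST=192.168.75.5 LEN=60 TTL=64 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line: str) -> dict:
    """Return the KEY=value fields of one LOG line; the first LEN (IP length) wins."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def off_subnet_udp(log_text: str, lan: str) -> Counter:
    """Count UDP packets whose source is outside `lan`, keyed by (src, spt, dst, dpt)."""
    net = ipaddress.ip_network(lan)
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or not {"SRC", "DST", "SPT", "DPT"} <= f.keys():
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
        except ValueError:
            continue  # malformed or masked address field
        if src not in net:
            flows[(f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))] += 1
    return flows


if __name__ == "__main__":
    for flow, count in off_subnet_udp(SAMPLE_LOG, "192.168.75.0/25").most_common():
        print(count, flow)
```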
TFL answered ·

I get about 6 of those packets every 2 minutes. This is a bit annoying, there should be an option to disable this. Support was looking into this for me for quite some time, escalating the issue multiple times. In the end, they asked to do "real time debugging" via chat. After doing so, they just suggested to escalate another ticket...

Does anyone know if all Fire TV devices are doing this?
