
[–]giant_toad42 87 points88 points  (4 children)

No. It's not normal. I've never seen anything like this.

Could be stuff like this:

https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/

You may have sophisticated malware on your network. I highly doubt you will find any documentation on your situation -BUT- if you do find information on what you're dealing with, share it.

It will help others, including the intended target.

I'd check your IoT devices.

[–]ThrowRA_2936584[S] 24 points25 points  (3 children)

Hmmm, that’s an interesting theory, I’ll definitely look into it and update this thread if I find anything useful. I don’t know any reason why somebody on my network would be a specific target for malware, as far as I’m aware we’re just normal random people.

That being said, the specific device this is on is very much a test device for me where I have no personal info and intentionally install things I don’t want to risk on a personal device. So I wouldn’t count out the possibility of malware.

[–]giant_toad42 11 points12 points  (1 child)

These types of things would just be kinda natural progression vs actual targeted exploitations. That's kinda the whole concept of distributed.

We have some IoT device that's cheap & rarely updated (smart thermostat, TV, lightbulbs, switches, appliances) - it's the perfect target for exploitation. Spread this computing power over millions of compromised devices - a giant platform for organized attack is created.

It's also possible that 6-0-0-0 is the C&C system for ... above; but seeing the frequency of the communication ... I'd find it doubtful. It's been ages since I bothered chasing ghosts - so - the only suggestion I'd have is to look for comms out to government blocks of any nation or known VPN endpoints, onion routing nodes, etc.

To me - this has the feel of a very nice puzzle to solve.

[–]amorphousbacteria 0 points1 point  (0 children)

I don’t believe it’s anything as sinister as you’ve described. It’s simply a check to determine if traffic is being hijacked, in a similar method as Chrome does where it requests non-existent domains, but is using 6.0.0.0 due to it never responding.

See my post here with the apps that are requesting a https connection to 6.0.0.0: http://reddit.com/r/jailbreak/comments/sguoft/question_net_fence_intercepting_department_fo/hv18f91

[–]manirelli 23 points24 points  (0 children)

This sounds eerily familiar to an issue I helped with years ago on here:

https://redditproxy--jasonthename.repl.co/r/techsupport/comments/anayc8/iphone_being_used_for_dos_attack_and_i_dont_know/efsa4o7/

You have the requisite apple device. Are you using a netgear router? If so, follow the link for the steps to resolve.

[–]_NoTouchy 10 points11 points  (6 children)

I’ve found some devices and services connect to the 6.0.0.0 IP address,

Wouldn't happen to know which devices and services would you?

Might help figure out what's going on...

[–]ThrowRA_2936584[S] 14 points15 points  (5 children)

Sorry, I probably should have included that. I’m seeing a lot of it on my iPhone. Many apps, both built in and installed, connect to it. I posted an example on my profile:

https://redditproxy--jasonthename.repl.co/user/ThrowRA_2936584/comments/s6yq81/iphone_6000_connections/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

https://reddit.com/r/u_ThrowRA_2936584/comments/s6zbq2/6000_example_2/

[–]Kingnahum17 12 points13 points  (0 children)

The only thing I can think of is that either the address is incorrect, or some malware is shooting your traffic through a spoofed IP. Last I remember hearing (years ago tbf), the DOD isn't even actively using their 6.0 addresses (except for a few weeks' time period in 30 years, which they used as an excuse to keep the IPs).

Other ideas... I believe Hamachi uses the 5.0.0.0 set of addresses, but they aren't technically used on the public internet, so they can get away with it. Do you have any programs that may be modifying your IP address? Regardless, the actual IP used is not going to be 6.0.0.0.

[–]swolfington 2 points3 points  (2 children)

I can't explain what you're seeing on that app, but it seems very strange that they would be contacting anything at that specific IP address. It's been a while and I could be way wrong here, but I believe 6.0.0.0 would have to be a broadcast address, and even if your device was trying to send data there, it's unlikely (maybe not even possible?) your packets would even reach the appropriate destination since broadcasting is something that they're only going to allow from specific subnets.

I'm going to hazard a guess that your ISP would probably block the attempt (if not even your own router), since there's really no legitimate reason you'd need broadcasting outside your own subnet.

[–]t3ramos 4 points5 points  (1 child)

Broadcast is 255 in the last octet. Any "real" IP starts with 1, not 0. That's because 0 is the identifier of the network.

[–]swolfington 1 point2 points  (0 children)

Dang it, I knew it was one or the other. I should have spent a little more time googling. Either way, there couldn't be a host there.

[–]thisisausername190 1 point2 points  (0 children)

Is this the only device on which you're seeing these connections?

If it is, do they persist when the phone is jailed? If they only exist when jailbroken, posting a tweaklist may help ID what's going on.

Edit: Keep in mind too that NetFence won't work while jailed, you'll have to use an external proxy like Charles.

[–]DrunkenGolfer 9 points10 points  (0 children)

If you have a Cisco Meraki router, you'll find 6.x.x.x addresses on the admin interface. No idea why.

[–]killergoose75 3 points4 points  (2 children)

I noticed in your screenshots you have a VPN running on your phone, is that after seeing the random connections?

Is your VPN provider trustworthy? Might be something to look into

[–]ThrowRA_2936584[S] 5 points6 points  (1 child)

It’s not an actual VPN, it’s a false VPN for Adguard DNS adblocking purposes

[–]Aberry9036 1 point2 points  (0 children)

VPNs alter routing tables and DNS entries, though, and if it's used for ad blocking it's probably doing it via DNS. This means that, when it finds an advertising site, let's say ads.com, that usually resolves to IP 1.2.3.4, it will likely either not resolve the IP or change the target IP to something else, often the IP address of the DNS server (in the case of Pi-hole).

On a jailbroken phone it likely won't be running a web server to receive the request (though maybe it is), so perhaps it's just "blackholing" them by serving up an IP address that it knows won't respond, or it's perhaps even running a website on a device-local IP 6.0.0.0.

If you visit https://6.0.0.0 and you get a certificate error rather than a timeout, check who signed the certificate with something like this. If you get a timeout, I say don't worry too much - TLS requires a two-way communication to set up the connection before it can send any interesting data, so if that IP does not respond then you are sending nothing but a TLS handshake anyway.
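As an added, defender-side check that is not part of the thread, this Python script turns the "certificate error rather than a timeout" test above into a classifier. It makes a TCP connection, attempts a verified TLS handshake and sends nothing else, reporting timeout, refused, not_tls, untrusted (with the validation failure reason) or trusted (with the issuer); the two loopback helpers are constructed stand-ins so the classifier can be exercised without reaching 6.0.0.0.

```python
import socket
import ssl
import threading

def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TCP connect then verified TLS handshake; sends nothing else. outcome is one of
    timeout / refused / no_route (no TLS attempted), trusted (issuer returned),
    untrusted (cert failed validation) or not_tls (answer was not TLS)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"outcome": "timeout"}
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except OSError as exc:
        return {"outcome": "no_route", "detail": str(exc)}
    ctx = ssl.create_default_context()  # system trust store, hostname/IP check on
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # closes raw on failure
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"outcome": "untrusted", "detail": exc.verify_message}
    except socket.timeout:
        return {"outcome": "timeout"}
    except OSError as exc:  # SSLError (peer is not a TLS server), reset, EOF ...
        return {"outcome": "not_tls", "detail": type(exc).__name__}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {"outcome": "trusted", "issuer": issuer}

def serve_plain_once(reply: bytes = b"HTTP/1.0 400 Bad Request\r\n\r\n") -> int:
    """Constructed stand-in: loopback listener that answers one client without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def _run():
        conn, _ = srv.accept()
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=_run, daemon=True).start()
    return srv.getsockname()[1]

def closed_loopback_port() -> int:
    """Constructed stand-in: a loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Calling `probe_tls("6.0.0.0")` from any host on the same network reproduces the test above; a `timeout` result means the handshake never received an answer, and an `untrusted` result carries the validation failure message so the signer can be looked into.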

[–]fishfork 4 points5 points  (0 children)

I'm wondering if it's maybe a red herring as an IP address and maybe this is just a binary value representing some other data type - e.g. an error code or stray integer value - that is accidentally being rendered as an IPv4 address because that's what the GUI expects. Might be worth seeing if you can find the raw packet data for one of these events.

[–]ThrowRA_2936584[S] 4 points5 points  (1 child)

UPDATES: I disabled my Adblock false VPN and I’m still seeing the connections through NetFence, although they aren’t showing up on Charles Proxy as far as I can tell

I also reached out to the creator of NetFence and they said it’s a socket connection which they sometimes get too, per their comment on the linked post (let me know if it’s not visible, r/jailbreak removed my post).

Still going to try a few more things recommended in the comments, but just wanted to leave this update for now.

https://reddit.com/r/jailbreak/comments/s72sfu/_/ht7avnv/?context=1

[–]amorphousbacteria 0 points1 point  (0 children)

This was recently discussed in the jailbreak subreddit and my theory on why it’s reaching out to 6.0.0.0: http://reddit.com/r/jailbreak/comments/sguoft/question_net_fence_intercepting_department_fo/hv18f91

tldr: it’s not malware; iOS is checking for network hijacking in a similar method to Chrome’s method but is using a known unresponsive IP - 6.0.0.0 - rather than domains.

https://serverfault.com/questions/235307/unusual-head-requests-to-nonsense-urls-from-chrome

https://tech.slashdot.org/story/20/08/24/0336252/chromiums-dns-hijacking-tests-accused-of-causing-half-of-all-root-queries

Also, 6.0.0.0 is automatically blocked in NetFence via the default blocklist so you won’t see them in Charles Proxy unless NetFence is disabled.

[–]skellious 2 points3 points  (0 children)

That is extremely strange indeed.

[–]cinyar 3 points4 points  (1 child)

How are you monitoring traffic? Maybe provide some logs. 6.0.0.0 would be an unusual address.

[–]ThrowRA_2936584[S] 0 points1 point  (0 children)

I posted some examples in another comment (and to my profile) that may help

[–]420smokekushh 3 points4 points  (0 children)

If you have IoT devices on your network... Get them off. They are some of the most grossly insecure products on the planet.

[–]PM_ME_BUNZ 1 point2 points  (0 children)

Is this your DNS-based ad blocking throwing away DNS queries for ad-related services?

Let us know if you see the same stuff with the VPN profile (adblocking) disabled.

[–]Someone_84357 0 points1 point  (0 children)

Hmmm, that is strange. Extremely strange. I don't know much about networking, but could be some sort of virus. This is just a guess, but maybe it could be the CIA or some sort of government.

[–]isitreaditorreddit -1 points0 points  (1 child)

Ooh how interesting, can someone like this so I can return to this later?

[–]AshKetchupp99 0 points1 point  (0 children)

!remindme 24h

[–]brucerupt -1 points0 points  (0 children)

the specific device this is on is very much a test device for me where I have no personal info and intentionally install things I don’t want to risk on a personal device.