I upgraded to ZimaOS 1.2.3 and now my IDS is seeing and blocking outgoing bittorrent DHT ping requests to various sites in Russia, US, Japan, and other countries. Obviously, some countries are more of a concern than others. Does anyone know what this is?
Date/Time
Sep 05, 2024 at 3:16:09 PM
Device: imaCube
Counterpart: 95.26.70.110
Counterpart Location: Yekaterinburg, Russia
Direction: Outgoing
Detection Category: P2P
Signature: ET P2P BitTorrent DHT ping request
Traffic Information
Source IP: 192.168.1.68:51413
Destination IP: 95.26.70.110:2044
I’m running ZimaOS right out of the box. I didn’t install any apps. So it appears that something inside of ZimaOS is running a bittorrent server. Not thrilled about this at all.
According to at least 1 forum, a PIA (private internet access) vpn can cause something like this. So it’s likely that zerotier is the culprit and the request is mislabeled/mis-categorized.
But I’m not using a PIA or VPN for internet access. This definitely started when I upgraded ZimaOS to 1.2.3. It’s unlikely there is any other cause. I don’t think any operating system (looking at you Windows) should send telemetry without permission, and definitely shouldn’t send it to multiple sources in various countries. Even if it’s just mapping links to bittorrent servers, it should be documented and there should be an option to disable it.
I’d like to give ZimaOS one more shot (Cube has been powered off since I discovered this). Can anyone tell me how to disable this outgoing bittorrent activity?
In my impression, if there is no App installed, there should be no BT connection.
But I’m also skeptical that ZeroTier would send a request to RU.
Maybe we can identify or rule out the ZeroTier issue first.
From the command line in ZimaCube (open SSH over a monitor connection or download ttydBridge from the AppStore)
Run zerotier-cli info -j. You’ll be able to see all the surfaceAddresses used by ZeroTier.
Run zerotier-cli peers or zerotier-cli peers -j and you will see all peer connections and each peer’s IP.
All PLANET peers are for discovering other peers, which is nothing to worry about. All LEAF peers are members of the network you are connected to, so no worries there either.
I wound up stripping ZimaOS from my Cube Pro and installing TrueNAS Scale. I just didn’t feel I could trust ZimaOS with my data with what appeared to be unanticipated connections to non-local servers. It’s too bad, I liked the concepts they implemented, but TrueNAS Scale is also very good.
Sorry to hear that. Though wondering what exactly was the traffic on the system that gave you the distrust.
TrueNAS is great. It’s good that it meets your tastes.
The unanticipated BT traffic is really weird.
But maybe we should get a chance to re-examine what network traffic all the services in ZimaOS are using anyway. And consider how to add transparency and control for users.
CC @orca-zhang @LinkLeong @ETWang1991 @E-T
From the current situation, I think the reason why this traffic is judged as BT DHT Ping is because the source IP port is 51413, which is consistent with the default port of Transmission.
ZeroTier has this possibility of being randomly assigned to this port, but ZeroTier does not have a Russian PLANET server. So I’m also skeptical that this is ZeroTier traffic.
But we also tested on a fresh install of ZimaOS as well, and still no unusual traffic was found.
If anyone has a clue as to exactly which process is using the non-standard port and sending suspicious traffic, feel free to report it to @LinkLeong. We’ll find out more.
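The two checks suggested in this thread (compare the alert’s counterpart against the paths in zerotier-cli peers -j, and note that source port 51413 is Transmission’s default) can be automated. The script below is an added example, not ZimaOS or ZeroTier code; the alert text and the peers JSON are constructed samples that only keep the address, role and paths keys of the real peers -j output, and the IPs are documentation addresses.

```python
import json
import re

# Constructed sample of `zerotier-cli peers -j` output, trimmed to the keys used
# here. The real command prints one object per peer with "role" (PLANET/LEAF/MOON)
# and "paths", each path carrying a remote "ip/port" string in "address".
PEERS_JSON = """
[
  {"address": "62f865ae71", "role": "PLANET",
   "paths": [{"address": "198.51.100.10/9993", "active": true, "preferred": true}]},
  {"address": "a1b2c3d4e5", "role": "LEAF",
   "paths": [{"address": "203.0.113.25/48213", "active": true, "preferred": true}]}
]
"""

# Constructed IDS alert text in the shape quoted at the top of the thread.
ALERT = """Signature: ET P2P BitTorrent DHT ping request
Source IP: 192.168.1.68:51413
Destination IP: 95.26.70.110:2044
"""

TRANSMISSION_DEFAULT_PORT = 51413  # the reason the IDS leans towards a BitTorrent signature


def parse_alert(text):
    """Return (src_port, dst_ip, dst_port) from the 'Source IP' / 'Destination IP' lines."""
    src = re.search(r"Source IP:\s*([\d.]+):(\d+)", text)
    dst = re.search(r"Destination IP:\s*([\d.]+):(\d+)", text)
    return int(src.group(2)), dst.group(1), int(dst.group(2))


def zerotier_paths(peers_json):
    """Map every remote path IP listed by `zerotier-cli peers -j` to its peer's role."""
    paths = {}
    for peer in json.loads(peers_json):
        for path in peer.get("paths", []):
            ip, _, _port = path["address"].rpartition("/")
            paths[ip] = peer["role"]
    return paths


def classify_alert(alert_text, peers_json):
    """Explain the alert: a known ZeroTier peer (with its role), or an unexplained flow."""
    src_port, dst_ip, dst_port = parse_alert(alert_text)
    role = zerotier_paths(peers_json).get(dst_ip)
    if role is not None:
        return f"zerotier:{role}"
    hint = " (source port is Transmission's default)" if src_port == TRANSMISSION_DEFAULT_PORT else ""
    return f"unexplained:{dst_ip}:{dst_port}{hint}"


if __name__ == "__main__":
    print(classify_alert(ALERT, PEERS_JSON))
```

An "unexplained" result is the case to chase with ss -ulpn on the box to find the process bound to the source port; a "zerotier:PLANET" or "zerotier:LEAF" result is the mislabelled ZeroTier traffic the thread discusses.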