What is this traffic on port 8888? Or a device is infected and trying to communicate over port 8888 to IP addresses all over the world?!?! I’ve seen forum posts with similar titles a handful of times now and the final result is often someone discovering the Private Internet Access (PIA) client on a device or computer. I get a chuckle every time I see it because I was once in their shoes so I figured I would make a post explaining what is going on. I also hope it saves someone from a future freakout moment!
TL;DR version -> R. E. L. A. X. It’s absolutely worth investigating, but you probably haven’t been breached. Instead, your network likely has some shadow IT in an attempt to get around IT-related restrictions.
5July2018 – Originally posted
What is Private Internet Access (PIA)? PIA is a low cost, anonymous VPN provider and quite honestly, it’s awesome. For under $70 dollars/year, you get access to a myriad of locations around the world. For example, you can easily make your traffic appear as though it is coming from California, Israel, Canada, or wherever else they have nodes. I do occasionally use PIA if I *really* need to hop on an untrusted network and I want to protect my traffic while I’m on the road. However, more often than not, I use it for customer security testing from external, “outside” IP addresses. For example, if I just added a restrictive firewall rule that *should* only allow traffic from specific IP addresses. I say should because sometimes firewall vendor configurations are quirky and what you thought was a beautifully configured rule just opened a service to everyone on the planet.
Unfortunately, it appears are some other folks are using the anonymous nature of PIA for evil too. We know this because of how many times PIA IP addresses end up on threat feeds and that’s what most of this post will discuss.
Evil? How Do You Know?
The table below shows an IP on my LAN attempting to communicate with a number of bad guys/IPs on the internet. As you may or may not recognize, my block notifications are coming courtesy of the pfSense-based pfBlockerNG package that I’ve written about many times before. pfBlockerNG shows me that the IP addresses are related to AlienVault threat feeds, Bad IP 7-day threat feeds, etc. Honestly, many of the IPs getting blocked are likely on hundreds of other feeds. Why? Those IPs ended up on threat/reputation feeds because at some point, someone from that IP address tried scanning a honeypot or running a vulnerability against a “protected” system and they got caught. No, they weren’t hauled off to jail in that sense of getting caught. Instead, they scanned a system and said system identified the traffic as malicious. It then shared that new information with others and voila, it became part of a basic threat feed.
So a bunch of traffic is getting blocked because I’m trying to communicate with an IP address that was known evil at some point. That’s great because they should! But what about the original question of determining if this was PIA traffic and nothing more? What are the other telltale signs of PIA traffic?
Sign #1: UDP Port 8888
First, all of the traffic is destined for UDP port 8888 as shown in the simple connection information below.
19:54:48.044077 IP <myip>.24333 > 220.127.116.11.8888: UDP, length 1 19:54:48.044125 IP <myip>.4481 > 18.104.22.168.8888: UDP, length 1 19:54:48.044180 IP <myip>.59804 > 22.214.171.124.8888: UDP, length 1 19:54:48.044229 IP <myip>.62132 > 126.96.36.199.8888: UDP, length 1 19:54:48.044282 IP <myip>.13800 > 188.8.131.52.8888: UDP, length 1 19:54:48.044336 IP <myip>.58759 > 184.108.40.206.8888: UDP, length 1 19:54:48.044389 IP <myip>.52178 > 220.127.116.11.8888: UDP, length 1 19:54:48.044433 IP <myip>.43292 > 18.104.22.168.8888: UDP, length 1
Sign #2: Length Matters
If you look again at the simple traffic flow data above and you’re used to perusing network traffic, you might have noticed all of the packets have a length of 1. That’s odd to say the least. In this case, the packets act as a test to see if the external host is accessible. If you were to dive into further analysis of the packet, the hex data is 61, which translates to a lowercase letter ‘a’ and I’ve highlighted both below.
Sign #3: Countries Contacted
Going back to the block list created by pfBlockerNG, you’ll see the column GeoIP. The 2-letter country code found there is related to the destination IP address. Is it normal for machines to rifle through IP addresses from all over the globe? Probably not!
Right-click the PIA client icon next to your clock (red when not connected, green when it is) and you’ll see a large list of locations PIA can connect to. You can browse through the select-able locations and easily find ones that have issues by correlating them with the block list. I’ve highlighted a handful of the locations I found which generated alerts such as Germany and Sweden.
Detecting PIA Without pfBlockerNG
When this first happened to me, I saw the alert from pfBlockerNG. What if you don’t have pfBlockerNG at your disposal? Are you doing egress filtering? All commercial firewalls [that are not re-branded consumer-grade junk] allow you to perform egress filtering rather easily. The issue is usually figuring out your traffic and which ports are necessary. Fortunately or unfortunately, for this reason most default firewall configurations start off with an “allow all” instead because a) it’s easier and b) many people have a bear of a time configuring anything otherwise. If you don’t have egress filtering configured and/or you ended up here because someone was doing shadow IT on your network, then you could block 8888 outbound and the PIA “issue” goes away. But wait! Keep in mind there are a thousand (or more) other VPN solutions available and not all of them use port 8888. So while you’re blocking 8888 outbound, you really need to go ahead and block everything else outbound except for what you need. You would be amazed at the number of problems — outbound spam, some malware, some ransomware — egress filtering can proactively prevent or at least detect. Not to mention, your network will thank you!
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.