[Question] Inadyn seems to be accessing strange sites like wg-in-x??.1e100.net

RomMon

While sniffing the SixXS interface I found that something on the router was accessing strange addresses via IPv6.
By stopping applications I found/suspect it is Inadyn that is sourcing these packets.
A lookup shows that the following sites are accessed:
wg-in-x8b.1e100.net
wg-in-x71.1e100.net
wg-in-x64.1e100.net

They probably show up at the IPv6 gateway because IPv6 is probably preferred over IPv4 on the FritzBox.

The far-end port is always http (80), but the near-end port (my router) is constantly changing, often using pairs of consecutive port numbers.
The near-end ports are mostly already IANA-assigned port numbers for other applications.



Code:
No.     Time                       Source                Destination           Protocol Info
      7 2012-10-11 21:43:17.155080 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7915592 TSER=0 WS=3
      8 2012-10-11 21:43:17.192010 2a00:1450:400c:c00::8b 2001:a:b:c::2   TCP      http > di-traceware [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=3504431525 TSER=7915592 WS=6
      9 2012-10-11 21:43:17.192243 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915596 TSER=3504431525
     10 2012-10-11 21:43:18.106776 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915688 TSER=3504431525
     11 2012-10-11 21:43:19.791816 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      journee > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7915856 TSER=0 WS=3
     12 2012-10-11 21:43:19.828158 2a00:1450:400c:c00::8b 2001:a:b:c::2   TCP      http > journee [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1258291254 TSER=7915856 WS=6
     13 2012-10-11 21:43:19.828365 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      journee > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915860 TSER=1258291254
     14 2012-10-11 21:43:20.807036 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      journee > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7915958 TSER=1258291254

     23 2012-10-11 21:47:10.687200 2001:a:b:c::2   2a00:1450:400c:c00::71 TCP      4576 > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7938945 TSER=0 WS=3
     24 2012-10-11 21:47:10.723161 2a00:1450:400c:c00::71 2001:a:b:c::2   TCP      http > 4576 [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=4213432269 TSER=7938945 WS=6
     25 2012-10-11 21:47:10.723367 2001:a:b:c::2   2a00:1450:400c:c00::71 TCP      4576 > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7938949 TSER=4213432269
     26 2012-10-11 21:47:11.679832 2001:a:b:c::2   2a00:1450:400c:c00::71 TCP      4576 > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7939045 TSER=4213432269

     39 2012-10-11 21:53:26.973629 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      tsp > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7976573 TSER=0 WS=3
     40 2012-10-11 21:53:27.010125 2a00:1450:400c:c00::64 2001:a:b:c::2   TCP      http > tsp [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1285647236 TSER=7976573 WS=6
     41 2012-10-11 21:53:27.010332 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      tsp > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976577 TSER=1285647236
     42 2012-10-11 21:53:27.924804 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      tsp > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976669 TSER=1285647236
     43 2012-10-11 21:53:29.512238 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      vaprtm > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=7976827 TSER=0 WS=3
     44 2012-10-11 21:53:29.548810 2a00:1450:400c:c00::64 2001:a:b:c::2   TCP      http > vaprtm [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1272973116 TSER=7976827 WS=6
     45 2012-10-11 21:53:29.549018 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      vaprtm > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976831 TSER=1272973116
     46 2012-10-11 21:53:30.564834 2001:a:b:c::2   2a00:1450:400c:c00::64 TCP      vaprtm > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=7976933 TSER=1272973116

     57 2012-10-11 21:57:37.524683 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      calltrax > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220 SACK_PERM=1 TSV=8001628 TSER=0 WS=3
     58 2012-10-11 21:57:37.560959 2a00:1450:400c:c00::8b 2001:a:b:c::2   TCP      http > calltrax [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416 SACK_PERM=1 TSV=1248690085 TSER=8001628 WS=6
     59 2012-10-11 21:57:37.561170 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      calltrax > http [ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=8001632 TSER=1248690085
     60 2012-10-11 21:57:38.478161 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      calltrax > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0 TSV=8001724 TSER=1248690085

Some of the ports I have seen used by my router, but these seem to be randomly selected:

Code:
2a00:1450:400c:c00::8b near-end ports used:
3041 and 3042
3675
4091

2a00:1450:400c:c00::71 near-end ports used:
4576
2530 and 2531

2a00:1450:400c:c00::64 near-end ports used:
3653 and 3654

2a00:1450:400c:c00::66 near-end ports used:
4990
3252
3970 and 3971

The TCP packets are small, 72 or 80 bytes.

Is this expected?
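
An added example, not part of the original post: one way to check the pattern in the capture above is to parse Wireshark's text export, group the rows into TCP flows, and flag connections that complete the handshake and are then reset by the initiator without carrying any data. The function `summarize`, its field names and the regular expression are assumptions of this example, and the last three sample rows are constructed for contrast.

```python
import re
from datetime import datetime

LINE = re.compile(r"^\s*\d+\s+(\S+ \S+)\s+(\S+)\s+(\S+)\s+TCP\s+"
                  r"(\S+) > (\S+) \[([^\]]+)\].*?\bLen=(\d+)")

def summarize(capture_text):
    """Group Wireshark text-export rows into TCP flows and classify each one."""
    flows = {}
    for row in capture_text.splitlines():
        m = LINE.match(row)
        if not m:
            continue  # column header, blank line or non-TCP row
        ts, src, dst, sport, dport, flags, length = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        flags = {f.strip() for f in flags.split(",")}
        key = frozenset({(src, sport), (dst, dport)})
        if flags == {"SYN"}:  # a bare SYN identifies the initiator
            flows[key] = {"client": src, "server": dst, "client_port": sport,
                          "start": when, "end": when, "payload": 0,
                          "synack": False, "client_rst": False}
        flow = flows.get(key)
        if flow is None:
            continue  # mid-stream packet whose SYN was not captured
        flow["end"] = when
        flow["payload"] += int(length)
        flow["synack"] |= flags == {"SYN", "ACK"} and src == flow["server"]
        flow["client_rst"] |= "RST" in flags and src == flow["client"]
    for f in flows.values():
        # Handshake completed, zero payload bytes, then reset by the initiator.
        probe = f["synack"] and f["client_rst"] and f["payload"] == 0
        f["kind"] = "connect-then-reset, no data" if probe else "other"
        f["seconds"] = round((f["end"] - f["start"]).total_seconds(), 3)
    return list(flows.values())

# Rows 7-10 follow the capture in the post (options trimmed); rows 101-103 are
# constructed for contrast and use documentation addresses.
SAMPLE = """\
      7 2012-10-11 21:43:17.155080 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [SYN] Seq=0 Win=4880 Len=0 MSS=1220
      8 2012-10-11 21:43:17.192010 2a00:1450:400c:c00::8b 2001:a:b:c::2   TCP      http > di-traceware [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0 MSS=1416
      9 2012-10-11 21:43:17.192243 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [ACK] Seq=1 Ack=1 Win=4880 Len=0
     10 2012-10-11 21:43:18.106776 2001:a:b:c::2   2a00:1450:400c:c00::8b TCP      di-traceware > http [RST, ACK] Seq=1 Ack=1 Win=4880 Len=0
    101 2012-10-11 22:00:00.000000 2001:db8::10 2001:db8::20 TCP      40000 > http [SYN] Seq=0 Win=4880 Len=0
    102 2012-10-11 22:00:00.030000 2001:db8::20 2001:db8::10 TCP      http > 40000 [SYN, ACK] Seq=0 Ack=1 Win=14040 Len=0
    103 2012-10-11 22:00:00.031000 2001:db8::10 2001:db8::20 TCP      40000 > http [PSH, ACK] Seq=1 Ack=1 Win=4880 Len=120
"""

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Names such as `di-traceware` in the port column are Wireshark's service-name resolution of the numeric source port, so the parser treats them as opaque labels.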
 
Is it really inadyn? By searching for this string I found articles about Google's safe browsing feature...

Regards
Oliver
 