2

I was fiddling with my router's uPnP settings and found this:

enter image description here

Why is an external IP address showing here?

I also did a reverse IP search and to my surprise the IP 25.54.27.39 showed "UK Ministry of Defence". I am not in the UK military or on a military base.

Is something malicious going on here? I have already disabled uPnP.

Xander
  • 35,525
  • 27
  • 113
  • 141
Bushara
  • 21
  • 1
  • Where you in a private chat with someone in the UK or the UK military? – schroeder Jun 20 '20 at 08:34
  • No I wasn't in a private Whatsapp chat or call with anyone from UK or UK military, I was on a Whatsapp conference call with some people based out of India – Bushara Jun 20 '20 at 08:38
  • Why will an External IP address show in the first place? Shouldn't it show only the local IP addresses? – Bushara Jun 20 '20 at 08:41
  • The "application Description" column: where does that info come from? – Marcus Müller Jun 20 '20 at 09:18
  • @MarcusMüller it usually populates during whatsapp calls – Bushara Jun 20 '20 at 09:44
  • Ah, so this isn't in your Whatsapp client itself? Then, that field is just a text that the application requesting the port forwarding sent to describe itself. It might, but hasn't got to be, whatsapp. – Marcus Müller Jun 20 '20 at 09:48
  • just to reduce your alarm level here a bit: that is a huge address range, and it quite likely includes things like army universities, potentially including a few eduroam wifis, and might also include residential internet of people living in settlements provided to british servicefolk. And thus, maybe a couple of Tor exit nodes, too. – Marcus Müller Jun 20 '20 at 09:51
  • @MarcusMüller the screenshot is from the router. And the question is why an external IP is showing up in the LAN side of the router – schroeder Jun 20 '20 at 11:09
  • oh. Yeah, that might just be a bug in the display there... Router interfaces are notoriously written by interns and lowest bidders. – Marcus Müller Jun 20 '20 at 11:27
  • WhatsApp uses uPnP to establish VoIP connection with the receiver. That IP Address is the address of the receiver you were talking to on WhatsApp call. – defalt Jun 20 '20 at 19:50
  • @defalt that's the likely answer, but can you provide support for that assertion (and make it an answer?) – schroeder Jun 20 '20 at 20:25
  • @schroeder That was my own experimental analysis when I was answering its duplicate and it is reproducible. Can I answer it without sources? Why exactly this isn't a duplicate of that question? The answer is same. – defalt Jul 04 '20 at 08:08
  • @defalt this still doesn't answer my question, is an external ip address suppose to show in the UPnP panel of the router settings? just to clarify, I am the only user of this wifi and I am damn sure that I wasn't talking to anyone over whatsapp related to UK Ministry of Defence whatsoever. – Bushara Jul 10 '20 at 16:45

1 Answers1

1

When available, WhatsApp uses uPnP for dynamic port forwarding and external IP address discovery to establish peer-to-peer VoIP session. The external IP address you are seeing is the public IP address of someone with whom you are on call via WhatsApp. If it is not you, then someone in your family is making a VoIP. uPnP settings only shows active uPnP connections.

uPnP is the NAT traversal protocol which opens a temporary port for inbound traffic and forwards it to the uPnP client (like WhatsApp and BitTorrent client). NAT by default blocks any inbound traffic to whom you didn't send the request first. A uPnP client makes a request to uPnP listener which is your wifi router to punch a hole in NAT which allows anyone to reach out to the uPnP client. This allows the caller to send you session data without getting blocked by NAT.

Another purpose of uPnP is to let apps using peer-to-peer protocol to discover your external IP address in order to advertise how others can reach out to you without getting blocked by NAT. In VoIP, this advertising is called signalling. Signalling is not a part of uPnP.

Another method that WhatsApp uses for NAT traversal is STUN protocol which achieves the same purpose but that won't show up in your router logs.

You should ask your WhatsApp contact why he/she is using the internet of UK Ministry of Defense. They could be under surveillance.

You can read some more details in this answer: Found an application (Whatsapp) initiating UPnP requests, is it something that I should worry about?

defalt
  • 6,231
  • 2
  • 22
  • 37