3

I notice on my firewall that my QNAP NAS is continuously sending UDP sessions out to the Internet. Every second I have 5 - 7 connections out to addresses like the following:

2013-11-10 23:17:54 Deny 192.168.60.5 93.215.212.162 6881/udp 6881 6881  
2013-11-10 23:18:05 Deny 192.168.60.5 87.76.0.83 29872/udp 6881 29872  
2013-11-10 23:18:05 Deny 192.168.60.5 5.164.188.224 6881/udp 6881 6881  
2013-11-10 23:18:05 Deny 192.168.60.5 80.61.45.206 6881/udp 6881 6881  
2013-11-10 23:18:34 Deny 192.168.60.5 37.117.204.129 6881/udp 6881 6881  
2013-11-10 23:18:34 Deny 192.168.60.5 71.67.101.30 51413/udp 6881 51413  
2013-11-10 23:18:34 Deny 192.168.60.5 89.28.92.191 8621/udp 6881 8621  
2013-11-10 23:18:34 Deny 192.168.60.5 94.244.157.85 28221/udp 6881 28221  
2013-11-10 23:18:34 Deny 192.168.60.5 213.241.61.240 9089/udp 6881 9089  
2013-11-10 23:18:45 Deny 192.168.60.5 88.163.28.100 52721/udp 6881 52721  
2013-11-10 23:18:45 Deny 192.168.60.5 37.55.190.20 10027/udp 6881 10027  
2013-11-10 23:18:45 Deny 192.168.60.5 62.72.188.146 14306/udp 6881 14306  
2013-11-10 23:19:14 Deny 192.168.60.5 85.53.244.205 51413/udp 6881 51413  
2013-11-10 23:19:14 Deny 192.168.60.5 67.163.18.215 52130/udp 6881 52130  
2013-11-10 23:19:14 Deny 192.168.60.5 86.172.105.140 9089/udp 6881 9089  
2013-11-10 23:19:14 Deny 192.168.60.5 99.28.56.121 52383/udp 6881 52383  
2013-11-10 23:19:14 Deny 192.168.60.5 109.60.184.249 46217/udp 6881 46217  
2013-11-10 23:19:25 Deny 192.168.60.5 121.107.144.174 21135/udp 6881 21135  
2013-11-10 23:19:25 Deny 192.168.60.5 84.39.116.180 48446/udp 6881 48446  
2013-11-10 23:19:25 Deny 192.168.60.5 183.238.254.62 openvpn/udp 6881 1194   

This is frightening as it seems like it's been hacked to send information out. Has anyone observed this behaviour from their QNAP NAS?

Michael Hampton
user192702
  • Which UDP port is it sending those packets to? – Dennis Kaarsemaker Nov 10 '13 at 13:34
  • @DennisKaarsemaker I have updated the question with more details from my firewall. Think the last column is the target port. – user192702 Nov 10 '13 at 15:23
  • It appears that this may be related to a component/feature called Download Station on the QNAP? Is that component/feature enabled? If so, you probably want to disable it. – joeqwerty Nov 10 '13 at 17:53
  • @joeqwerty Thanks. I have disabled it. Surprisingly, even before I had disabled the Download Station, I saw a drop in this traffic compared to yesterday. – user192702 Nov 12 '13 at 16:37

1 Answer

5

That's BitTorrent traffic. More specifically, it's traffic caused by the distributed hash table (DHT) protocol. There's even a thread about it on the QNAP forums.

Dennis Kaarsemaker
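One way to flag this pattern in a firewall log, as an added example that is not part of the original question or answer: it groups UDP flows by internal host and reports hosts whose source port is a conventional BitTorrent port (6881-6889) and which fan out to many distinct peers. The column layout follows the question's log, using the asker's reading that the last column is the target port; the sample lines, the function names, and the `min_peers` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the question's column layout (documentation-range IPs):
# date time action src_ip dst_ip service/proto src_port dst_port
SAMPLE_LOG = """\
2013-11-10 23:17:54 Deny 192.168.60.5 198.51.100.10 6881/udp 6881 6881
2013-11-10 23:18:05 Deny 192.168.60.5 198.51.100.11 29872/udp 6881 29872
2013-11-10 23:18:05 Deny 192.168.60.5 203.0.113.20 51413/udp 6881 51413
2013-11-10 23:18:34 Deny 192.168.60.5 203.0.113.21 8621/udp 6881 8621
2013-11-10 23:18:34 Deny 192.168.60.5 203.0.113.22 9089/udp 6881 9089
2013-11-10 23:19:25 Deny 192.168.60.5 203.0.113.23 openvpn/udp 6881 1194
2013-11-10 23:19:30 Allow 192.168.60.9 198.51.100.53 dns/udp 53124 53
2013-11-10 23:19:31 Allow 192.168.60.9 198.51.100.53 dns/udp 53125 53
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<action>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>[^/\s]+)/(?P<proto>\w+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s*$"
)

# Conventional BitTorrent listening ports; a client can be configured to use
# others, so this is a heuristic, not proof.
BT_PORTS = range(6881, 6890)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def dht_suspects(log_text, min_peers=5):
    """Map internal host -> distinct (dst_ip, dst_port) peers contacted over
    UDP from a BitTorrent source port, for hosts reaching min_peers or more."""
    peers = defaultdict(set)
    for rec in parse(log_text):
        if rec["proto"] == "udp" and int(rec["sport"]) in BT_PORTS:
            peers[rec["src"]].add((rec["dst"], int(rec["dport"])))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, count in dht_suspects(SAMPLE_LOG).items():
        print(f"{host}: {count} distinct UDP peers from a BitTorrent source port")
```

A fixed source port with many unrelated destination addresses and ports is the signature to look for; ordinary client traffic such as the DNS lines in the sample uses changing source ports toward a small set of servers.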