
Strange NTOPNG flows to China


biob


Hi

I'm running NTOPNG on my home network. In the last day I’ve noticed flows from my iPad to China (IP: 49.234.241.239). I have no apps open on the iPad. Any ideas what/why this is happening?

Byte size is 546 and it is using TLS over TCP and numerous ports.


You don't need to have apps open for them to be running in the background.

If you hit that IP over HTTPS then it gives you the domain name WWW.BOEIOT.NET.CN. Browse to that and it looks like a home automation/IOT company.


🤔 Interesting, I don’t use home automation.

The AS is Tencent. From a bit of reading I found that, if based in China, iOS uses Tencent to check for fraudulent sites, and Google elsewhere.

When I checked the IP earlier (e.g. browsed to it), I got a warning saying suspected site... certificate didn’t match.

Might try toggling check for fraudulent sites when I get home tonight, to see if it changes.

The iPad makes no attempt to resolve the IP either (nothing on Pi-hole).


If you hit a site by IP and the certificate isn't for the IP then you'll get a warning.

View the certificate and get the common name or SAN from it then you can browse to that.
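
An added example, not part of the original posts, of the check described above: read the CN and SAN entries from a server's certificate and test whether they cover the address you connected to. The function names, the sample certificate and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
import socket
import ssl

def fetch_cert(ip, port=443, timeout=5):
    """Connect by IP. The chain is still validated, but the hostname check is
    skipped so the handshake completes and the decoded cert can be read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """Return (common_names, san_dns, san_ips) from a getpeercert() dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v.strip() for k, v in san if k == "IP Address"]
    return cns, dns, ips

def covers(cert, target):
    """True if the certificate is valid for target (IP literal or hostname)."""
    cns, dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP only matches an "IP Address" SAN entry, never a CN or DNS name.
        return any(ipaddress.ip_address(i) == addr for i in ips)
    host = target.lower().rstrip(".")
    for pattern in (dns or cns):  # legacy CN fallback only when no DNS SANs exist
        pattern = pattern.lower()
        if pattern == host:
            return True
        # A wildcard covers exactly one left-most label.
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False

# Constructed sample in the format getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.cdn.example.net")),
}

if __name__ == "__main__":
    print(cert_names(SAMPLE_CERT), covers(SAMPLE_CERT, "192.0.2.10"))
```

Run against a live address, `cert_names(fetch_cert(ip))` gives the names to browse to; `fetch_cert` raises `ssl.SSLCertVerificationError` if the chain itself does not validate.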


Toggled website fraud detection in Safari and issue resolved.
Not sure why it started to think it was based in China 🤔

Hats off to the creators of ntopng... learning so much more about the traffic on my home network. Runs great on a Raspberry Pi 4.


Archived

This topic is now archived and is closed to further replies.
