I have a single Linux machine that reaches out to newyork.mordor.rfc2549 dot net; it's running Parrot Security. It just started doing this a little while ago, but I'm not entirely certain when this started. Anyone else seeing this and know what is going on?
If it is useful, I'll want to unblock it; if it is malicious, I'll want to fix the problem. It happens when all users are logged out, and generally around midnight local time.
I will add that this is running on hardware I don't specifically trust, which is why it doesn't run the Windows OS that it came with. It's a little AWOW mini PC from Amazon, and I've never truly trusted it, which is why it has Linux on it with a new drive.
{"id":"transport_proto","name":"Protocol","value":"TCP","type":""},
{"id":"policyid","name":"Policy","value":"0","type":""},
{"id":"cloud_policyid","name":"Cloud Policy","value":"null","type":""},
{"id":"cloud_ruleid","name":"ZTNA Rule","value":"","type":""},
{"id":"cloud_networkid","name":"Secure Network","value":"","type":""},
{"id":"interface","name":"Interface","value":"igb3","type":""},
{"id":"vlanid","name":"VLAN","value":"0","type":""},
{"id":"conn_uuid","name":"Connection UUID","value":"72314b51-d388-46a3-b3bf-eb8bca71e342","type":""},
{"id":"direction","name":"direction","value":"out","type":""},
{"id":"src_hwaddr","name":"Source Hardware Address","value":"38f7cdc21a48","type":""},
{"id":"src_username","name":"Source username","value":"","type":""},
{"id":"ip_src_saddr","name":"Source IP","value":"172.17.2.99","type":""},
{"id":"ip_src_port","name":"Source port","value":48478,"type":""},
{"id":"src_hostname","name":"Source hostname","value":"172.17.2.99","type":""},
{"id":"src_dir","name":"Source direction","value":"EGRESS","type":""},
{"id":"dst_hwaddr","name":"Destination Hardware Address","value":"98b7851ea609","type":""},
{"id":"dst_username","name":"Destination username","value":"","type":""},
{"id":"ip_dst_saddr","name":"Destination IP","value":"23.92.23.177","type":""},
{"id":"ip_dst_port","name":"Destination port","value":443,"type":""},
{"id":"dst_hostname","name":"Destination hostname","value":"newyork.mordor.rfc2549.network","type":""},
{"id":"dst_dir","name":"Destination direction","value":"INGRESS","type":""},
{"id":"is_blocked","name":"Block status","value":1,"type":""},
{"id":"is_overlay","name":"is_overlay","value":0,"type":""},
{"id":"is_local","name":"Local","value":0,"type":""},
{"id":"input","name":"Input","value":15,"type":""},
{"id":"output","name":"Output","value":15,"type":""},
{"id":"src_npackets","name":"Packets Outbound","value":1,"type":""},
{"id":"src_nbytes","name":"Bytes Outbound","value":66,"type":""},
{"id":"src_pbytes","name":"Source bytes","value":0,"type":""},
{"id":"dst_npackets","name":"Packets Inbound","value":0,"type":""},
{"id":"dst_nbytes","name":"Bytes Inbound","value":0,"type":""},
{"id":"dst_pbytes","name":"Destination bytes","value":0,"type":""},
{"id":"src_tcp_flags","name":"Source TCP Flags","value":"","type":""},
{"id":"dst_tcp_flags","name":"Destination TCP Flag","value":"A","type":""},
{"id":"start_time","name":"Start time","value":"Aug 18, 2025 12:15 AM","type":"timestamp"},
{"id":"end_time","name":"End time","value":"Aug 18, 2025 12:25 AM","type":"timestamp"},
{"id":"encryption","name":"Encryption","value":"Clear","type":""},
{"id":"app_id","name":"Application Id","value":2,"type":""},
{"id":"app_proto","name":"Application protocol","value":"Generic TCP","type":""},
{"id":"app_name","name":"Application","value":"Generic TCP","type":""},
{"id":"app_category","name":"Application category","value":"Generic TCPIP","type":""},
{"id":"tags","name":"Tags","value":"[\"Empty Sites\",\"Potentially Dangerous\",\"IP Queried\"]","type":"array"},
{"id":"security_tags","name":"Security category","value":"[\"Potentially Dangerous\"]","type":"array"},
{"id":"web_actions","name":"Web Actions","value":"[]","type":"array"},
{"id":"web_actions_description","name":"web_actions_description","value":"[]","type":""},
{"id":"src_geoip","name":"Source Geo IP","value":"{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"\",\"country_name\":\"\",\"country_code2\":\"\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":0,\"longitude\":0,\"location\":{\"lat\":0,\"lon\":0}}","type":"object"},
{"id":"dst_geoip","name":"Destination Geo IP","value":"{\"timezone\":\"\",\"continent_code\":\"\",\"city_name\":\"Hanover (Cedar Knolls)\",\"country_name\":\"United States\",\"country_code2\":\"US\",\"country_code3\":\"\",\"dma_code\":\"0\",\"region_name\":\"\",\"region_code\":\"\",\"postal_code\":\"\",\"area\":\"0\",\"metro\":\"0\",\"asn\":\"0\",\"latitude\":40.821800231933594,\"longitude\":-74.44999694824219,\"location\":{\"lat\":40.821800231933594,\"lon\":-74.44999694824219}}","type":"object"},
{"id":"device","name":"Device","value":"{\"id\":\"38f7cdc21a48\",\"name\":\"Device (38f7cdc21a48)\",\"category\":\"other\",\"vendor\":\"other\",\"os\":\"other\",\"osver\":\"\"}","type":"object"},
{"id":"remote_device","name":"Remote Device","value":"","type":""},
{"id":"community_id","name":"Community ID","value":"1:L+qQEZnEHmHeXx5CDu1yhIr9vx8=","type":""},
{"id":"handshake_result","name":"TLS Handshake Status","value":"None","type":""},
{"id":"_id","name":"_id","value":"AZi7bQer0L1ylm9tG0an","type":""},
{"id":"policy_name","name":"policy_name","value":"Default","type":""},
{"id":"rule_name","name":"rule_name","value":"Deleted ()","type":""}
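An added example (my own code, not from this thread or from Zenarmor) that parses the record format above into a dict and pulls out the facts a defender checks first: the destination, whether the firewall blocked it, whether only a single SYN ever left the host, and whether it started inside an assumed off-hours window. The sample record is a constructed excerpt of the one posted above, and the 23:00 to 05:00 quiet window is an assumption.

```python
import json
from datetime import datetime

# Constructed excerpt of a Zenarmor-style connection record (a list of
# {"id","name","value","type"} cells), trimmed to the fields used below.
SAMPLE_RECORD = r'''[
{"id":"transport_proto","name":"Protocol","value":"TCP","type":""},
{"id":"ip_src_saddr","name":"Source IP","value":"172.17.2.99","type":""},
{"id":"ip_dst_saddr","name":"Destination IP","value":"23.92.23.177","type":""},
{"id":"ip_dst_port","name":"Destination port","value":443,"type":""},
{"id":"dst_hostname","name":"Destination hostname","value":"newyork.mordor.rfc2549.network","type":""},
{"id":"is_blocked","name":"Block status","value":1,"type":""},
{"id":"src_npackets","name":"Packets Outbound","value":1,"type":""},
{"id":"src_nbytes","name":"Bytes Outbound","value":66,"type":""},
{"id":"dst_npackets","name":"Packets Inbound","value":0,"type":""},
{"id":"start_time","name":"Start time","value":"Aug 18, 2025 12:15 AM","type":"timestamp"},
{"id":"handshake_result","name":"TLS Handshake Status","value":"None","type":""},
{"id":"tags","name":"Tags","value":"[\"Empty Sites\",\"Potentially Dangerous\",\"IP Queried\"]","type":"array"}
]'''


def flatten(record_text):
    """Turn the list of cells into a dict keyed by cell id.
    Cells typed 'array' or 'object' carry JSON encoded as a string; decode it."""
    fields = {}
    for cell in json.loads(record_text):
        value = cell["value"]
        if cell.get("type") in ("array", "object") and isinstance(value, str):
            value = json.loads(value)
        fields[cell["id"]] = value
    return fields


def triage(fields, quiet_start=23, quiet_end=5):
    """Summarise the facts a defender checks first. quiet_start/quiet_end
    (hours, local time) are an assumed 'nobody is logged in' window."""
    started = datetime.strptime(fields["start_time"], "%b %d, %Y %I:%M %p")
    # A single 66-byte outbound packet with nothing coming back is
    # consistent with one SYN that the firewall dropped before any TLS ran.
    syn_only = (fields["src_npackets"] == 1 and fields["dst_npackets"] == 0
                and fields["src_nbytes"] <= 80)
    return {
        "destination": "%s (%s:%s/%s)" % (fields["dst_hostname"], fields["ip_dst_saddr"],
                                          fields["ip_dst_port"], fields["transport_proto"]),
        "blocked": bool(fields["is_blocked"]),
        "syn_only": syn_only,
        "off_hours": started.hour >= quiet_start or started.hour < quiet_end,
        "tls_handshake": fields["handshake_result"],
        "tags": fields["tags"],
    }
```

Run `triage(flatten(SAMPLE_RECORD))` on a pasted record to get the summary; a blocked, SYN-only, off-hours hit like this one is a scheduled client-side job that never got a reply, not evidence of data leaving the host.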
The domain name is really funny, because it references RFC 2549, which is this: https://de.wikipedia.org/wiki/Internet_Protocol_over_Avian_Carriers
These IPs are in the Akamai cloud and might change any day, so you could probably only block the DNS name if need be.
However, as it seems, it is being used by Parrot OS: https://awesome-privacy.xyz/operating-systems/desktop-operating-systems/parrot, so it seems legit.
That's kind of what I thought based on some searching.
I'll unblock it and see what happens, so far nothing has broken with it being blocked.
With it unblocked, I get an empty page, which they aren't supposed to do. Same for the root rfc2549 dot network.
I had a similar experience, not with Parrot but with Arch. For some funny reason, ZA is totally unaware of the concept of mirrors and reflectors for Arch (and most likely other Linux distros).
I did a lot of manual whitelisting and reporting of such repositories to ZA directly. This is a bit sad, as lists of Linux distro mirrors are publicly available; one would have thought ZA already included them.
Regards,
S.