IP in South Korea

A fresh install of Zerotier, not connected to any network yet, shows a connection to the IP 14.52.0.81, supposedly in South Korea. The same topic with the exact IP was mentioned before here, but it seems like the question if the ip should be cause for concern has not been answered. The IP mentioned can’t be a node, as my install of Zerotier is not connected to any zt network yet. Would anyone be able to identify the IP?

Can you show your packet capture & how you determined it was the zerotier-one process that connected to this IP?

The zerotier-one process connected to this IP according to Little Snitch Mini. Little Snitch Mini claims Zerotier is sending 447 bytes approximately every 4 minutes to the IP in question. Using Wireshark, I can’t seem to capture any packets that connect to the IP on interface en0 (the only network connection). That seems confusing to me, although I might lack a lot of knowledge required to determine if this is out of the ordinary,.

Similar story with 161.247.0.25: shows up in Little Snitch every 4 mins with 447 bytes (and every 8 minutes with 894 bytes), can’t capture anything to or from the IP in Wireshark on en0.

I’m gonna go out on a limb here and say I think LittleSnitch is probably doing something funky and reporting things wrong. Maybe it’s packet parser is a bit busted and it’s parsing IP addresses wrong. It also shows zerotier-one in its process list twice for some reason. There’s only one running.

It’s showing some completely invalid IP addresses for the first process in the list:

  • 0.0.153.147
  • 0.0.0.2
  • 0.0.0.1
  • 0.20.62.115
  • 0.0.224.12
  • 0.187.4.93

So given, that Wireshark isn’t reporting any packets to the IPs you’ve reported, and LittleSnitch reporting all sorts of invalid IPs, I’m going to trust Wireshark a heck of a lot more than LittleSnitch here and go with LittleSnitch showing some garbage data