
Hikvision Cameras Creating Ton Of Traffic On Port 53 UDP - Why?

Undisclosed Integrator #1
Jan 03, 2018

We have a camera deployment with Hikvision cameras that is creating a ton of traffic over port 53 UDP back to the gateway. What is causing these cameras to do this? 

Undisclosed Manufacturer #2
Jan 03, 2018

Have you looked under the ports tab to verify which three ports are set? 

Undisclosed Integrator #1
Jan 03, 2018

Yes, nothing in ports

Brian Karas
Jan 03, 2018
IPVM

Can you get a Wireshark cap of the connections? Also, what is the firmware and model of the cameras, and approximate time the floods started?

Ethan Ace
Jan 03, 2018

That's an odd one. Some things to maybe help narrow it down.

First question: when you say a "ton" of traffic, how much is that? I just packet captured a camera for a minute and saw almost nothing (I wasn't viewing it) and nothing on port 53 at all.

Second question: Is Hik-Connect turned on? If yes, try turning it off to see if it stops. Then turn it back on.

Third question: What camera(s) and firmware versions? We'd try to recreate if possible.

The net/net is that there should not be large amounts of traffic on 53. That seems suspicious.

Undisclosed #3
Jan 03, 2018
IPVMU Certified

Btw, port 53 is DNS.

Undisclosed Manufacturer #4
Jan 03, 2018

You should use a port mirror to capture and analyze the traffic. If you post a screenshot of the packets here, maybe we can give you more hints. 

You could try to reboot the camera in case the camera is infected by non-persistent malware. Make sure to install the latest firmware and use complex credentials.

Undisclosed Integrator #1
Jan 04, 2018

The majority of the cameras are DS-2CD2342WD-I running firmware V5.3.3 build 150630. I see 5.5.0 is out; we will try updating the firmware on all of the cameras today and see if the packet count drops. Hik-Connect is turned off.

We are seeing around 62,000 packets a day from each camera. It's almost like if it can't resolve DNS it continues to try. What function on the cameras would require them to make DNS requests?

Thanks 

Undisclosed #3
Jan 04, 2018
IPVMU Certified

"What function on the cameras would require them to make DNS requests?"

Cloud access?

So what name is trying to be resolved in the request?

What DNS is it attempting to reach, local or remote?

Are there responses?

Undisclosed Integrator #1
Jan 04, 2018

Interesting finding: we went through the process of updating the cameras to the newest firmware. When we logged back in, Hik-Connect was enabled on these devices even though it was not before the firmware update. Looking at the traffic on the devices that had not had their firmware updated, the traffic looks the same.

So we can only assume that Hik-Connect was enabled even though it wasn't checked on the cameras and they have all had multiple reboots since installation. We will continue to watch the logs and see if this calms the traffic.

Ethan Ace
Jan 04, 2018

I Wiresharked a camera on our network and found a couple things:

1. With Hik-Connect off, no port 53 traffic at all. Not when booting up. Not when changing settings. Never.

2. With Hik-Connect on, it sends a couple of requests when enabled, then nothing.

3. With Hik-Connect on and alarm notifications enabled, it sends a packet every time there's a motion event. You can see them in this trace below. .66 is the camera and 8.8.8.8 is Google DNS (its configured DNS server).

With this enabled, plus a bad motion setup (a lot of false alerts, like from high digital noise or moving foliage), you could easily be getting a packet every second or two. 

But I find it slightly odd that Hik-Connect was enabled after upgrade. 5.5 doesn't even turn it on by default. That makes me think something was odd and it was enabled but not showing as enabled in the old configuration. 

At any rate, curious to see if the traffic cuts down now.

(1)
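
As an added example (not part of the thread, and not IPVM or Hikvision code), the triage questions raised above, namely which name is being queried, which DNS server is targeted, whether responses arrive, and how often each camera asks, can be answered from a port 53 capture with a short Python script. The packet tuples, the 192.168.1.x addresses and the name `cloud.example.invalid` are constructed placeholders; real input would be (time, source, destination, UDP payload) records exported from a port-mirror capture in chronological order.

```python
import struct
from collections import Counter, defaultdict

def build_dns(txid, name, response=False):
    """Constructed sample input: a minimal DNS message with one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_dns(payload):
    """Return (txid, is_response, qname) for a UDP/53 payload, or None if malformed."""
    if len(payload) < 12 or payload[4:6] == b"\x00\x00":  # short header or no question
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12
    while pos < len(payload) and 0 < payload[pos] <= 63:
        labels.append(payload[pos + 1:pos + 1 + payload[pos]].decode("ascii", "replace"))
        pos += 1 + payload[pos]
    if pos >= len(payload) or payload[pos] != 0:  # truncated name or compression pointer
        return None
    return txid, bool(flags & 0x8000), ".".join(labels).lower()

def summarize(packets):
    """packets: chronological (seconds, src_ip, dst_ip, udp_payload) tuples for port 53."""
    stats = defaultdict(lambda: {"answered": 0, "names": Counter(), "servers": set(), "times": []})
    pending = set()  # (client, server, txid) of queries still waiting for a response
    for ts, src, dst, payload in packets:
        parsed = parse_dns(payload)
        if parsed is None:
            continue
        txid, is_response, qname = parsed
        if not is_response:
            s = stats[src]
            s["names"][qname] += 1
            s["servers"].add(dst)
            s["times"].append(ts)
            pending.add((src, dst, txid))
        elif (dst, src, txid) in pending:
            pending.discard((dst, src, txid))
            stats[dst]["answered"] += 1
    for s in stats.values():
        s["queries"], span = len(s["times"]), s["times"][-1] - s["times"][0]
        s["per_minute"] = round(s["queries"] * 60 / span, 1) if span else None
    return dict(stats)

# Constructed capture: .66 is answered by 8.8.8.8, .67 retries an unanswered lookup.
NAME = "cloud.example.invalid"  # placeholder; the thread never states the queried name
SAMPLE = [(0, "192.168.1.66", "8.8.8.8", build_dns(1, NAME)),
          (0.05, "8.8.8.8", "192.168.1.66", build_dns(1, NAME, response=True))]
SAMPLE += [(t, "192.168.1.67", "192.168.1.1", build_dns(100 + t, NAME)) for t in range(0, 60, 2)]
```

A camera whose `queries` count is high while `answered` stays at zero matches the retry pattern suspected earlier in the thread; one whose queries are answered and line up with motion events matches the alarm-notification behaviour described in the last post.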