[DoS attack: Smurf] attack packets in last 20 sec from ip

Since the update to Homey 2.5.0 I notice smurf attack packages originating from my Homey 192.168.1.160. Is it the firmware or one of the apps?

First appearance in my router's log is:
[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:59:47
[Time synchronized with NTP server] Wednesday, Jul 31,2019 04:57:06
[Internet connected] IP address: 77.251.16.46, Wednesday, Jul 31,2019 04:56:59
[Internet disconnected] Wednesday, Jul 31,2019 04:56:57
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.160], Wednesday, Jul 31,2019 04:55:31
[DHCP IP: (192.168.1.160)] to MAC address 6C:AD:F8:1D:A0:7F, Wednesday, Jul 31,2019 04:53:43
[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:48:39
[DoS attack: Smurf] attack packets in last 20 sec from ip [91.134.139.255], Wednesday, Jul 31,2019 04:48:25
[DoS attack: Smurf] attack packets in last 20 sec from ip [188.32.211.255], Wednesday, Jul 31,2019 04:21:22

Smurf attacks use ICMP-packets, which Homey apps cannot create, so it won’t be an app. That leaves the firmware, or, possibly, a false positive from your router. Other (external) IP-addresses are also flagged for the same attack.

Correct, but it can’t be a coincidence. Homey was updated, and since the update I notice smurf attacks originating from Homey.

In case support is reading: I’ve made a diagnostic report code EE25748397

The 2.5.0 firmware has new discovery capabilities, so it could be that it's somehow related. 77.251.16.46 is a Netherlands-registered IP; it could be used by Athom, or this is your public IP. Logs are quite hard to understand like this.

I would put my bet on false positive for smurf…


I think that the discovery should be triggered and not automatically started.

That there are obvious attacks from the outside is “normal”. But, as I stated, this is within my network, and all addresses within my network are reserved and dedicated. Within DHCP, when a conflict arises there must be something in the log.

Discovery is passive (Homey listening to devices broadcasting their presence on the network).

Aha those are DHCPACK logs. Bah, what I wanted to say about the logs is if the logs are not normalized they are hard to read.

Actually I noticed now on the bottom additional two public IPs. Well, maybe there really is something happening. Do you have static or dynamic public IP? If you have dynamic (which most home users do) just restart the router. You will get new public IP from ISP and if this happens again after then something is fishy behind it.

Did that. It’s the router's log about all things happening to, on and from my network, not just DHCP. And if someone performs a portscan it will be noticed.

Already rebooted homey and my router

[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:59:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:44:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:29:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:14:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 22:59:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 etc. Etc.

Happens as soon as I am adding or changing light and/or other stuff. Same wifi, same router. Router X.x.1.X coupled to X.x.2.X, which talks to the outside world. Nothing fancy.

Same problem over here:
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.163], Monday, Jan 27,2020 10:33:32
The IP address is the address of the Homey.
And NO other network traffic from or to outside.

Smurf attacks are just ICMP ECHO (ping) requests
https://www.imperva.com/learn/application-security/smurf-attack-ddos/

Isn’t it possible Homey is just pinging a device to see if it’s up?
6 packets in 20sec isn’t very much as ICMP packets are really small.

Yep, I suppose that Homey is questioning my Netgear router. I have the Netgear app installed. So I assume that this app is the origin of the attacks.

I get the same Smurf attacks from my Homey address at a fixed interval of 15 minutes.
I also use a Netgear router (the Nighthawk).
No problems reported from outside addresses.

Apps:
IKEA Trådfri
IKEA Trådfri Gateway
Sonos
Sony Bravia SmartTV app
Virtual Devices
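The fixed 15-minute spacing reported in this thread can be checked directly from the router log. The following is an added example, not part of any post and not Athom or Netgear code: it groups Smurf alerts by source, marks whether the source is an RFC 1918 (LAN) address, and tests whether the gaps between alerts are constant. The sample log is constructed in the format quoted above, and the function name and tolerance are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the router log format quoted in this thread.
SAMPLE_LOG = """\
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:59:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:44:58
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:29:58
[DHCP IP: (192.168.1.120)] to MAC address 02:00:00:00:00:01, Saturday, Jan 18,2020 23:20:00
[DoS attack: Smurf] (6) attack packets in last 20 sec from ip [192.168.1.7], Saturday, Jan 18,2020 23:14:58
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.255], Saturday, Jan 18,2020 21:03:11
[DoS attack: Smurf] attack packets in last 20 sec from ip [203.0.113.255], Saturday, Jan 18,2020 20:12:40
"""

ALERT_RE = re.compile(
    r"\[DoS attack: Smurf\](?: \(\d+\))? attack packets in last 20 sec "
    r"from ip \[(?P<ip>[\d.]+)\], \w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)
TS_FORMAT = "%b %d,%Y %H:%M:%S"
# Explicit RFC 1918 list: ipaddress.is_private also matches documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def smurf_alert_profile(log_text, tolerance_s=5):
    """Per source IP: LAN or not, alert count, median gap, and whether gaps are constant."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:  # non-Smurf entries (DHCP, NTP, ...) are skipped
            seen[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FORMAT))
    profile = {}
    for ip, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if gaps else None
        profile[ip] = {
            "lan": any(ipaddress.ip_address(ip) in net for net in RFC1918),
            "alerts": len(stamps),
            "median_gap_s": mid,
            # Needs at least two gaps; one gap alone says nothing about a schedule.
            "periodic": len(gaps) >= 2 and all(abs(g - mid) <= tolerance_s for g in gaps),
        }
    return profile


if __name__ == "__main__":
    for ip, info in smurf_alert_profile(SAMPLE_LOG).items():
        print(ip, info)
```

A LAN source with a constant gap points to a scheduled task on that device, which is a lead for a packet capture on the device's traffic rather than proof of what is sending the packets.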

No, the Netgear app is not causing smurf attacks or anything. It does a regular http request to the soap port of the router once a minute or so.

Identical problem started a couple of rounds.
It causes disruptions on the network with traffic interruptions.
By scanning for vulnerabilities with Nessus, a vulnerability is identified precisely on DDoS attacks.
The vulnerability is attached.

Which DNS server are you testing?

Homey has a DNS server that responds on the interface.
You can check with nslookup.

These are the logs.
I see only the packets on the external interface, but all the traffic is coming from Homey.
[DoS Attack: RST Scan] from source: 163.181.50.231, port 443, Friday, January 15, 2021 12:22:12
[DoS Attack: ACK Scan] from source: 40.103.27.6, port 443, Friday, January 15, 2021 12:13:47
[DoS Attack: ACK Scan] from source: 40.103.49.230, port 443, Friday, January 15, 2021 12:11:00
[DoS Attack: ACK Scan] from source: 52.96.54.162, port 443, Friday, January 15, 2021 11:59:59