Homey Community Forum

[DoS attack: Smurf] attack packets in last 20 sec from ip

Since the update to Homey 2.5.0 I notice smurf attack packages originating from my Homey 192.168.1.160. Is it the firmware or one of the apps?

First appearance in my router's log is:
[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:59:47
[Time synchronized with NTP server] Wednesday, Jul 31,2019 04:57:06
[Internet connected] IP address: 77.251.16.46, Wednesday, Jul 31,2019 04:56:59
[Internet disconnected] Wednesday, Jul 31,2019 04:56:57
[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.160], Wednesday, Jul 31,2019 04:55:31
[DHCP IP: (192.168.1.160)] to MAC address 6C:AD:F8:1D:A0:7F, Wednesday, Jul 31,2019 04:53:43
[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:48:39
[DoS attack: Smurf] attack packets in last 20 sec from ip [91.134.139.255], Wednesday, Jul 31,2019 04:48:25
[DoS attack: Smurf] attack packets in last 20 sec from ip [188.32.211.255], Wednesday, Jul 31,2019 04:21:22

Smurf attacks use ICMP-packets, which Homey apps cannot create, so it won’t be an app. That leaves the firmware, or, possibly, a false positive from your router. Other (external) IP-addresses are also flagged for the same attack.

Correct, but it can’t be a coincidence. Homey was updated, and since the update I notice smurf attacks originating from Homey.

In case support is reading: I’ve made a diagnostic report code EE25748397

2.5.0 firmware has new discovery capabilities so could be that it's somehow related. 77.251.16.46 is a Netherlands-registered IP, could be used by Athom or this is your public IP. Logs are quite hard to understand like this.

I would put my bet on false positive for smurf…

I think that the discovery should be triggered and not automatically started.

That there are obvious attacks from the outside is “normal”. But, as I stated, this is within my network and all addresses within my network are reserved and dedicated. Within DHCP, when a conflict arises there must be something in the log.

Discovery is passive (Homey listening to devices broadcasting their presence on the network).

Aha those are DHCPACK logs. Bah, what I wanted to say about the logs is if the logs are not normalized they are hard to read.

Actually I noticed now on the bottom two additional public IPs. Well, maybe there really is something happening. Do you have a static or dynamic public IP? If you have dynamic (which most home users do) just restart the router. You will get a new public IP from the ISP and if this happens again after that, then something is fishy behind it.

Did that, it’s the router's log about all things happening to, on and from my network. Not just DHCP. And if someone performs a portscan it will be noticed.

Already rebooted Homey and my router.
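
The router log quoted in the first post, normalized to one event per record, with each Smurf alert classified by source and shown next to the events around it. This is an added example, not part of the original thread; the function names, the entry pattern (inferred from the nine quoted entries) and the 120-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Router log text as quoted in the first post (newest entry first).
RAW = (
    "[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:59:47 "
    "[Time synchronized with NTP server] Wednesday, Jul 31,2019 04:57:06 "
    "[Internet connected] IP address: 77.251.16.46, Wednesday, Jul 31,2019 04:56:59 "
    "[Internet disconnected] Wednesday, Jul 31,2019 04:56:57 "
    "[DoS attack: Smurf] attack packets in last 20 sec from ip [192.168.1.160], Wednesday, Jul 31,2019 04:55:31 "
    "[DHCP IP: (192.168.1.160)] to MAC address 6C:AD:F8:1D:A0:7F, Wednesday, Jul 31,2019 04:53:43 "
    "[DHCP IP: (192.168.1.120)] to MAC address 0C:B2:B7:5F:24:E7, Wednesday, Jul 31,2019 04:48:39 "
    "[DoS attack: Smurf] attack packets in last 20 sec from ip [91.134.139.255], Wednesday, Jul 31,2019 04:48:25 "
    "[DoS attack: Smurf] attack packets in last 20 sec from ip [188.32.211.255], Wednesday, Jul 31,2019 04:21:22"
)
# One entry: "[event] optional detail, Weekday, Mon DD,YYYY HH:MM:SS"
ENTRY = re.compile(r"\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
                   r"\w+day, (?P<ts>\w{3} \d{1,2},\d{4} \d\d:\d\d:\d\d)")

def parse(raw):
    """Return one dict per log entry, sorted oldest first."""
    events = [{"ts": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
               "event": m["event"], "detail": m["detail"]}
              for m in ENTRY.finditer(raw)]
    return sorted(events, key=lambda e: e["ts"])

def smurf_sources(events):
    """(time, ip, internal/external, ends in .255) for each Smurf alert."""
    rows = []
    for e in events:
        if e["event"] == "DoS attack: Smurf":
            ip = re.search(r"from ip \[([\d.]+)\]", e["detail"]).group(1)
            scope = "internal" if ip_address(ip).is_private else "external"
            rows.append((e["ts"], ip, scope, ip.endswith(".255")))
    return rows

def nearby(events, ts, seconds=120):
    """Other events within +/- seconds of an alert, for correlation."""
    win = timedelta(seconds=seconds)
    return [e for e in events if e["ts"] != ts and abs(e["ts"] - ts) <= win]

if __name__ == "__main__":
    events = parse(RAW)
    for ts, ip, scope, bcast in smurf_sources(events):
        print(ts, ip, scope, "ends in .255" if bcast else "")
        for e in nearby(events, ts):
            print("   ", e["ts"].time(), e["event"], e["detail"])
```

On this log the one internal alert (192.168.1.160) sits between that address's DHCP lease and the WAN disconnect and reconnect, while both external sources end in .255.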