I keep getting alerts from snort running in PFsense that my smartthings hub is communicating with known TOR (the onion router) relay routers. Is this normal or is my hub compromised? Check out the alerts below; 192.168.1.101 is my hub. The other IPs are the TOR relay routers. Both of the SRC IPs are in Germany. Why in the world is my US based Hub communicating with a host in Germany?
06/14/15
12:25:04 2 UDP Misc Attack SRC IP 144.76.96.7 DEST IP 192.168.1.101
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 167
06/14/15
14:24:57 2 UDP Misc Attack SRC IP 109.239.48.152 DEST IP 192.168.1.101
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 136
That’s reporting UDP packets coming IN from the Internet.
Are you actually seeing any outbound packets from the hub addressed to those nodes?

What rule on your router / firewall is allowing this traffic to pass through to your network? It must be getting NATed to the 192.168.1.101 address, as this is a non-routable address on the Internet. So, can you see an outbound connection being established to allow the inbound traffic through?
I wouldn’t be pointing fingers at the hub just yet - I’d want to see outbound traffic from the hub first.
Meanwhile, if I can’t see outbound traffic, I’d be trying to find out why my router / firewall is NATing that traffic to the hub’s address.
I don’t have any ports open on my network except for one that is mapped to my blue iris web cam software. I think the only way that this UDP packet would make it to my hub is if my hub initiated the connection (although UDP is connection-less?). I am running PFSENSE as my router/IDS/firewall. I don’t have UPNP turned on either. I have started a packet capture on the LAN side of my router to take a closer look at the traffic to see if the hub is sending any outbound packets to these IPs. If the hub isn’t initiating the traffic, then I guess something is really messed up with my PFsense setup because it appears to be NATing the packets to the hub?
It is interesting that all of the Snort alerts are coming from known TOR relay routers in Germany. Germany and the UK are the only 2 countries in Europe that I don’t have IPs blocked using PFblockerNG. I guess I will have to have Germany added to PFblockerNG after I finish my packet capture and investigation.
Looks like a packet capture helped me figure it out. The hub is sending NTP packets to NTP servers in multiple countries. Apparently these same IPs that are being used as NTP servers have also been used as TOR relay routers. I don’t think I really want my hub using NTP servers in Germany. I guess I will block IPs from Germany using PFblockerNG. Thanks for your help Chuckles!
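The triage the thread walks through (inbound "Tor relay" alert, check the LAN-side capture for an outbound flow from the hub to that IP just before it, conclude it is an NTP reply the stateful firewall let back in) as an added example script; this is not code from any of the posters. The alert lines reuse the IPs and signature text quoted above, the flow records are constructed to stand in for a tshark/tcpdump summary of the capture, and the 5-second match window and port-to-service map are assumptions.

```python
import re
from datetime import datetime, timedelta

# Alert format as quoted in the thread, with date and time on one line.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \d+ (?P<proto>\w+) .*?"
    r"SRC IP (?P<src>[\d.]+) DEST IP (?P<dst>[\d.]+) (?P<sig>.+)$"
)

# Constructed alerts: same IPs and signature text as the thread.
ALERTS = [
    "06/14/15 12:25:04 2 UDP Misc Attack SRC IP 144.76.96.7 DEST IP 192.168.1.101 "
    "ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 167",
    "06/14/15 14:24:57 2 UDP Misc Attack SRC IP 109.239.48.152 DEST IP 192.168.1.101 "
    "ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 136",
]

# Constructed LAN-side capture summary: (timestamp, src, sport, dst, dport, proto).
# Only the first alert has a hub-initiated NTP request shortly before it; the
# second is deliberately left without a matching outbound flow.
FLOWS = [
    ("06/14/15 12:25:03", "192.168.1.101", 123, "144.76.96.7", 123, "UDP"),
]

SERVICE = {123: "ntp", 53: "dns"}  # assumed port-to-service map for labelling
TS_FMT = "%m/%d/%y %H:%M:%S"

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def explain(alert, flows, window=timedelta(seconds=5)):
    """Find an outbound flow from the alert's DEST (the LAN host) to the alert's
    SRC within `window` before the alert. A match means the inbound packet is a
    reply the firewall's state table allowed back, not an unsolicited probe."""
    for ts, src, sport, dst, dport, proto in flows:
        age = alert["ts"] - datetime.strptime(ts, TS_FMT)
        if (src, dst, proto) == (alert["dst"], alert["src"], alert["proto"]) \
                and timedelta(0) <= age <= window:
            return f"reply to hub-initiated {SERVICE.get(dport, 'unknown')} (udp/{dport})"
    return "no matching outbound flow: unsolicited inbound, investigate"

def triage(alert_lines, flows):
    # Map each alerting remote IP to a verdict.
    return {a["src"]: explain(a, flows) for a in map(parse_alert, alert_lines)}
```

An alert with no matching outbound flow is the case worth chasing: it means the firewall passed inbound UDP without a state entry, which is the misconfiguration Chuckles asks about.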