Denial of service attack

Mmohab · August 19, 2022, 12:49am

Hi all, I started receiving warnings from my router blocking a denial of service attack on home assistant.
Any advice ?

BebeMischa · August 19, 2022, 12:52am

tom_l · August 19, 2022, 1:05am

I assume you are using DuckDNS which requires port forwarding?

It is a relatively easy procedure for bad actors to scan for commonly open ports on your router.

Nabu Casa does not require open ports and would prevent this occurring but it is not free.

Alternatively you might like change the port you are forwarding from externally to a much higher number, like above 65000. This will not guarantee your open port will not be found but it makes it less likely if the scans are being done from a list of commonly open ports to speed up detection.

Mmohab · August 19, 2022, 5:01am

I am not using any port forwarding with home assistant. Just for the record I am using it for blue iris on a PC. Can that be the reason? Excuse my ignorance in networking

tom_l · August 19, 2022, 5:15am

Impossible to say with the limited information you have provided.

Mmohab · August 19, 2022, 6:32am

This is what I am getting

tom_l · August 19, 2022, 7:07am

You still have not told us anything about your network, or how you are accessing Home Assistant externally.

The address belongs to a data centre in Montreal and has never had an abuse report made against it:

https://www.abuseipdb.com/check/158.69.27.227

Mmohab · August 19, 2022, 4:41pm

Thanks for spending time reviewing the case. I am not accessing home assistant externally, no port forwarding related to home assistant. the only port forwarding defined in the router is for blue iris

K-n-C · August 19, 2022, 8:05pm

@Mmohab so you have a netgear router and you have enabled some kind of third party IPS that comes with the router. Do you know what it is doing, or did you just turn it on because it was there? Do you know what a false positive is?

What do the logs on the Netgear say about the destination of the traffic from 158.69.27.227? That should tell you the port that is being supposedly attacked, and you can determine whether it is your blue iris box or… However, It could be possible that some one just fat fingered an IP while doing a ping flood and your IPS is confused?

Mmohab · August 19, 2022, 10:08pm

I am getting the point now, it suddenly stopped after attempting almost every 10 minutes for a whole 12 hours, may be they are bored now .

Thanks for the help and have a wonderful weekend.