Not sure where to report this, or whether this is a problem at all. When browsing the log of my router, I found these warnings, occurring 23 times in the past three weeks, mostly around 1:19 AM or PM.
kernel: [18980657.626468] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.170 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=455 DF PROTO=ICMP TYPE=8 CODE=0 ID=33284 SEQ=256 ZEXTMARK=0x8
The IP address at SRC= (source??) is the local IP of my HA instance, a virtual machine. The DST (destination?) is different on most occasions but an online IP lookup tool tells me this particular one is a server in Amsterdam or Sofia (I am located in The Netherlands but not Amsterdam).
Is my HA instance somehow sending out attacks? Am I misunderstanding this, and is my HA instance the target of an attack? Is my router hallucinating? I have no idea. Anyone who does? I checked the HA logs, nothing in there around the time of this warning. There's exactly one similar message in the log where the SRC= is a different device, which is my son's Nintendo Switch.
That is strange. My first guess is that the Linux kernel is identifying that a packet that is too large was sent out and is reporting that.
Do you have a Nabu Casa subscription?
What are the add-ons you have installed?
What are the HACS you have installed?
Do you have any custom scripts running?
Can you use a site like ping.eu to check who the IP addresses belong to?
And I actually just uninstalled some add-ons I am no longer using. Google custom backup addon, Mosquitto, those were there when these messages occurred. I checked all the addon logs but found no activity at the specific times.
What are the HACS you have installed?
Mostly frontend things, themes, Apex Charts, some custom cards. Remeha Home is the only one I expect to cause traffic
Do you have any custom scripts running?
Yes some automation stuff but nothing that sends pings to the outside world. I ping my own phone’s local IP address and my router on the local network with the ping integration every 5 minutes.
Can you use a site like ping.eu to check who the IP addresses belong to?
If you (or your devices) don't have any reason for using IPv6, you could disable this in your router. Having HA (IPv6 enabled by default) is one thing, but having it enabled in your router is another (basically no reason for this to be enabled in your router, unless you have several devices/services depending upon it).
If anything, you could try disabling IPv6 in your router for trouble-shooting purposes.
As many old devices can't handle this correctly, it might cause malformed IPv6 packets.
To give you an idea of the timings, here’s all the relevant lines from the log file that I could find (manual, may have missed one)
Dec 14 13:45:01 kern.alert kernel: [17299221.362760] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=30240 DF PROTO=ICMP TYPE=8 CODE=0 ID=11629 SEQ=256 ZEXTMARK=0x8
Dec 17 04:27:26 kern.alert kernel: [17524724.915863] PING OF DEATH ATTACK:IN=eth1.3 OUT= MAC=f8:0d:a9:0f:d0:7e:00:0e:00:00:00:01:08:00 SRC=192.169.110.46 DST=95.99.70.71 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=62651 PROTO=ICMP TYPE=8 CODE=0 ID=32049 SEQ=6290
Dec 17 04:27:27 kern.alert kernel: [17524726.014047] PING OF DEATH ATTACK:IN=eth1.3 OUT= MAC=f8:0d:a9:0f:d0:7e:00:0e:00:00:00:01:08:00 SRC=192.169.110.46 DST=95.99.70.71 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=62655 PROTO=ICMP TYPE=8 CODE=0 ID=32049 SEQ=6768
Dec 17 10:20:20 kern.alert kernel: [17545876.467074] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.170 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=46791 DF PROTO=ICMP TYPE=8 CODE=0 ID=37005 SEQ=256 ZEXTMARK=0x8
Dec 17 22:20:28 kern.alert kernel: [17589038.380967] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.168.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=540 DF PROTO=ICMP TYPE=8 CODE=0 ID=59801 SEQ=256 ZEXTMARK=0x8
Dec 17 22:20:28 kern.alert kernel: [17589038.409795] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.168.234 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=43616 DF PROTO=ICMP TYPE=8 CODE=0 ID=21855 SEQ=256 ZEXTMARK=0x8
Dec 18 10:20:32 kern.alert kernel: [17632195.594789] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.251.142.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=48714 DF PROTO=ICMP TYPE=8 CODE=0 ID=18157 SEQ=256 ZEXTMARK=0x8
Dec 20 10:20:55 kern.alert kernel: [17804833.793734] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.23.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=37530 DF PROTO=ICMP TYPE=8 CODE=0 ID=18598 SEQ=256 ZEXTMARK=0x8
Dec 21 00:46:18 kern.alert kernel: [17856702.331540] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.251.36.10 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=36710 DF PROTO=ICMP TYPE=8 CODE=0 ID=39909 SEQ=256 ZEXTMARK=0x8
Dec 21 00:46:18 kern.alert kernel: [17856702.352705] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.251.142.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=6685 DF PROTO=ICMP TYPE=8 CODE=0 ID=65240 SEQ=256 ZEXTMARK=0x8
Dec 21 12:46:24 kern.alert kernel: [17899862.176596] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=64782 DF PROTO=ICMP TYPE=8 CODE=0 ID=53857 SEQ=256 ZEXTMARK=0x8
Dec 23 01:17:29 kern.alert kernel: [18031186.690705] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=216.58.214.10 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=13663 DF PROTO=ICMP TYPE=8 CODE=0 ID=62018 SEQ=256 ZEXTMARK=0x8
Dec 25 13:17:53 kern.alert kernel: [18246979.041666] PING OF DEATH ATTACK:IN=br0 OUT= MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34692 DF PROTO=ICMP TYPE=8 CODE=0 ID=21949 SEQ=0 ZEXTMARK=0x8
Dec 26 01:17:54 kern.alert kernel: [18290133.935080] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.138 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=46324 DF PROTO=ICMP TYPE=8 CODE=0 ID=34286 SEQ=256 ZEXTMARK=0x8
Dec 26 13:17:58 kern.alert kernel: [18333291.246980] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.23.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=37406 DF PROTO=ICMP TYPE=8 CODE=0 ID=52523 SEQ=256 ZEXTMARK=0x8
Dec 26 13:17:58 kern.alert kernel: [18333291.738313] PING OF DEATH ATTACK:IN=br0 OUT= MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12911 DF PROTO=ICMP TYPE=8 CODE=0 ID=29304 SEQ=0 ZEXTMARK=0x8
Dec 27 01:18:06 kern.alert kernel: [18376453.554286] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.23.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=2805 DF PROTO=ICMP TYPE=8 CODE=0 ID=12902 SEQ=256 ZEXTMARK=0x8
Dec 28 01:18:14 kern.alert kernel: [18462769.152528] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=172.217.168.234 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=41460 DF PROTO=ICMP TYPE=8 CODE=0 ID=37809 SEQ=256 ZEXTMARK=0x8
Jan 1 01:18:37 kern.alert kernel: [18808022.844209] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=216.58.208.106 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=21519 DF PROTO=ICMP TYPE=8 CODE=0 ID=10008 SEQ=256 ZEXTMARK=0x8
Jan 1 01:18:37 kern.alert kernel: [18808022.873260] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.170 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=24026 DF PROTO=ICMP TYPE=8 CODE=0 ID=53517 SEQ=256 ZEXTMARK=0x8
Jan 1 13:18:46 kern.alert kernel: [18851185.876212] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=50837 DF PROTO=ICMP TYPE=8 CODE=0 ID=55767 SEQ=256 ZEXTMARK=0x8
Jan 2 15:16:49 kern.alert kernel: [18944568.984363] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:50:23:6d:38:38:6d:08:00 SRC=192.168.100.203 DST=96.16.250.18 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=22966 PROTO=ICMP TYPE=8 CODE=0 ID=4864 SEQ=0 ZEXTMARK=0x8
Jan 3 01:18:56 kern.alert kernel: [18980657.626468] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.250.179.170 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=455 DF PROTO=ICMP TYPE=8 CODE=0 ID=33284 SEQ=256 ZEXTMARK=0x8
Jan 3 13:19:03 kern.alert kernel: [19023817.843163] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=142.251.142.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=14799 DF PROTO=ICMP TYPE=8 CODE=0 ID=7772 SEQ=256 ZEXTMARK=0x8
Note the weird 12hr intervals with some skips and jumps. Note also the single report from a different device, and two from a 192.169 IP address, and I frankly do not know what that is. There's some external attacks too that I removed.
I’ve had no warnings since I reported this here, which isn’t to say it’s gone, since there were similar long intervals between reports. It could have been related to the Google Drive Backup addon, which was installed and I had forgotten to remove it after the backup upgrades last year. I removed it yesterday as part of a bit of cleanup that also led me to these router log files.
I will monitor over the coming days and check if it comes back.
I wish manufacturers of routers and firewalls would stop making those predefined filters.
Users have no clue what they sign into and can therefore not react properly to messages.
If they had to configure all the trigger points themselves, then they would know what caused it to pop up.
Ping of death is something from around the start of the century.
It does not really exist today, where you need a botnet and some way to amplify the signal to make network or server gear die.
Using a website with whois IP service information, the servers the 192.168.100.26 machine connects to are quickly listed as being Google servers.
192.168.100.203 connects to a Microsoft server.
It is only 192.169.110.46 that connects to a server that is not easily recognizable.
It looks like it is a private fiber connection (FTTH) in T-mobile.nl network.
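As an added example (not code from the thread, the router vendor or Home Assistant): a small Python parser for the netfilter LOG lines posted above. It pulls out direction, IP flags and length from each line, and checks the one thing a classic ping of death needs, a fragmented echo request (MF set or a FRAG: offset) whose reassembled size would exceed the 65535-byte IPv4 limit. It also computes the gaps between hits from one source, which exposes the 12-hour cadence noted in the log post, and flags that 192.169.0.0/16 is public address space, unlike 192.168.0.0/16. Assumptions, marked in comments: br0 is the LAN bridge and eth1.3 the WAN interface as the thread states, IP headers carry no options (netfilter would print OPT otherwise), and the Dec/Jan lines roll over one year. The sample lines are abbreviated copies of log lines from the post, with the MAC= field dropped; the fragmented line in the test is constructed.

```python
"""Parse netfilter LOG lines like the ones above and check what a ping of death would actually need."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sample: five of the kernel log lines quoted in the thread, MAC= field dropped to keep lines short.
# No events were invented; field values are as posted.
SAMPLE_LOG = """\
Dec 17 04:27:26 kern.alert kernel: [17524724.915863] PING OF DEATH ATTACK:IN=eth1.3 OUT= SRC=192.169.110.46 DST=95.99.70.71 LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=62651 PROTO=ICMP TYPE=8 CODE=0 ID=32049 SEQ=6290
Dec 25 13:17:53 kern.alert kernel: [18246979.041666] PING OF DEATH ATTACK:IN=br0 OUT= SRC=192.168.100.26 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34692 DF PROTO=ICMP TYPE=8 CODE=0 ID=21949 SEQ=0 ZEXTMARK=0x8
Dec 26 01:17:54 kern.alert kernel: [18290133.935080] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 SRC=192.168.100.26 DST=142.250.179.138 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=46324 DF PROTO=ICMP TYPE=8 CODE=0 ID=34286 SEQ=256 ZEXTMARK=0x8
Dec 26 13:17:58 kern.alert kernel: [18333291.246980] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 SRC=192.168.100.26 DST=172.217.23.202 LEN=220 TOS=0x00 PREC=0x00 TTL=62 ID=37406 DF PROTO=ICMP TYPE=8 CODE=0 ID=52523 SEQ=256 ZEXTMARK=0x8
Jan 2 15:16:49 kern.alert kernel: [18944568.984363] PING OF DEATH ATTACK:IN=br0 OUT=eth1.3 SRC=192.168.100.203 DST=96.16.250.18 LEN=28 TOS=0x00 PREC=0x00 TTL=3 ID=22966 PROTO=ICMP TYPE=8 CODE=0 ID=4864 SEQ=0 ZEXTMARK=0x8
"""

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) .*?PING OF DEATH ATTACK:(?P<fields>.*)$")
IPV4_HDR = 20                    # bytes; assumes no IP options (netfilter prints "OPT (...)" if present)
ICMP_HDR = 8
ETH_MTU = 1500
LAN_IF, WAN_IF = "br0", "eth1.3"  # interface roles as stated in the thread (assumption)


def parse_line(line, dec_year=2024):
    """One LOG line -> dict. Bare tokens (DF, MF, CE) become True; the second ID= is the ICMP id.
    The syslog stamp has no year; the thread runs Dec->Jan, so Jan lines get dec_year + 1 (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {}
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "ID" and "ID" in rec:
                key = "ICMP_ID"
            rec[key] = val
        elif tok.startswith("FRAG:"):   # non-zero fragment offset, i.e. not the first fragment
            rec["FRAG"] = int(tok[5:])
        else:
            rec[tok] = True
    for key in ("LEN", "TTL", "ID", "ICMP_ID", "TYPE", "CODE", "SEQ"):
        if key in rec:
            rec[key] = int(rec[key])
    year = dec_year + 1 if m["mon"] == "Jan" else dec_year
    rec["ts"] = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return rec


def direction(rec):
    """Which way the router saw the packet travel; an empty OUT= means the router itself was the destination."""
    if rec["IN"] == LAN_IF and rec["OUT"] == WAN_IF:
        return "lan->wan"
    if rec["IN"] == WAN_IF and rec["OUT"] == "":
        return "wan->router"
    if rec["IN"] == LAN_IF and rec["OUT"] == "":
        return "lan->router"
    return f"{rec['IN'] or '?'}->{rec['OUT'] or 'router'}"


def is_rfc1918(ip):
    """192.168.0.0/16 is private address space; 192.169.0.0/16 is not, despite looking similar."""
    return ipaddress.ip_address(ip).is_private


def assess(rec):
    """Describe the packet and say why it does or does not resemble a ping of death."""
    if rec.get("PROTO") != "ICMP" or rec.get("TYPE") != 8:
        return "not an ICMP echo request"
    if rec.get("MF") or "FRAG" in rec:
        return "fragmented echo request: would need to reassemble past 65535 bytes to be a ping of death"
    payload = rec["LEN"] - IPV4_HDR - ICMP_HDR
    if rec["LEN"] <= ETH_MTU:
        note = f"single unfragmented packet, {payload}-byte payload, fits one Ethernet frame"
        return note + (" (the Linux ping default)" if payload == 56 else "")
    return f"{rec['LEN']}-byte unfragmented packet, larger than an Ethernet frame but a legal IPv4 datagram"


def intervals_hours(records, src):
    """Hours between consecutive hits from one source; a steady value points at a scheduler, not an attacker."""
    stamps = sorted(r["ts"] for r in records if r["SRC"] == src)
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(stamps, stamps[1:])]


def summarize(log_text):
    """Parse every line and count hits per (source, direction, total length)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return records, Counter((r["SRC"], direction(r), r["LEN"]) for r in records)


if __name__ == "__main__":
    recs, counts = summarize(SAMPLE_LOG)
    for (src, dirn, length), n in counts.items():
        print(f"{n:2d}x {src:<16} {'private' if is_rfc1918(src) else 'public':<7} {dirn:<11} LEN={length}")
    for r in recs:
        print(r["ts"], r["SRC"], "->", r["DST"], "|", assess(r))
    print("hours between 192.168.100.26 hits:", intervals_hours(recs, "192.168.100.26"))
```

Feed the complete router log into summarize() instead of SAMPLE_LOG to get the per-source breakdown; any line the filter tagged that comes back from assess() as a single unfragmented packet of a few hundred bytes was matched on something other than a ping of death, most likely a simple ICMP size or rate threshold the vendor does not document.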
Yes, I already posted above that the server that is contacted belongs to Google. The main question is what sort of communication my HA instance is sending out that causes my router to think there is a POD attack coming from there.
I’m with you on the poor transparency of router functions! It drives me nuts since I have network problems now and then and I can’t properly diagnose them.
I might actually get a new router to handle the internal network and repurpose this one from the provider to only handle communication to the outside world. If anyone has a recommendation for a router that gives good control I am open to suggestions. (Suitable for EU/Netherlands)
Unless you actually know what the triggers are for that filter, it is pretty much impossible to say for certain. That is why the filters often do not make sense to use.
It can be that the filter does not take IPv6 in consideration.
Opnsense and Pfsense devices are really good ones, but also advanced to handle.
If you are using UniFi, then I think they have some too.
I personally use an Ubiquiti EdgeRouter 4. Note the GUI is still really centered on IPv4. IPv6 is done through a config tree, which can be accessed through the GUI too, but the explanations for the settings are missing, so you need to use other sources to figure them out.
I haven't seen any new warnings about pings to the outside world yet since uninstalling the Google Backup addon, but there was a message this morning:
kernel: [19235264.647058] PING OF DEATH ATTACK:IN=br0 OUT= MAC=f8:0d:a9:0f:d0:79:0c:96:e6:20:2d:89:08:00 SRC=192.168.100.26 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=558 DF PROTO=ICMP TYPE=8 CODE=0 ID=7553 SEQ=0 ZEXTMARK=0x8
The destination is my router, which is one of the few devices I actually send Pings to every few minutes, to check if my instance is still connected to the local network.