Answered

Sonos Devices Connecting to unsecure IP addresses

  • 20 March 2021
  • 4 replies
  • 64 views

I monitor my network traffic and recently received a notification that my Sonos Play 3 was accessing a phishing site at 1:03 AM (a time when the system was not being used). As part of the monitoring I have noticed over time that all my Sonos devices connect to random IP addresses once per hour via port 123 (UDP). It’s my understanding this is network time protocol used for synchronization. However, after months of monitoring I received the following notification for the first time.

“Device Sonos Play 3 is accessing phishing site 104.236.116.147.”

After further investigation it seems like this IP address (104.236.116.147) has been identified as an unsecured phishing site. I did a Whois search and the domain owner is DigitalOcean, which seems normal for the UDP sync. When navigating to the site via web browser it appears to be a default message saying nginx has been successfully installed.

Has anyone else seen an issue like this or run into issues with the IP address block 104.236.0.0/16?

Best answer by ratty 20 March 2021, 14:33

The address is a hosting provider, but for some reason has apparently made it onto blacklists. Google blocks it as potentially “deceptive” owing to phishing reports.

There are references to north-america.pool.ntp.org in conjunction with that IP, which seems logical for UDP 123 traffic.

4 replies

What was the Play:3 playing at the time? Sounds like it is probably streaming a url from that address. Do you have the full url it was accessing, or the UDP port number?

That’s the strange thing. It was not streaming anything at the time. The Sonos system was not being used. Do not have the url, only the IP listed above and UDP 123.

You can redirect the Sonos NTP queries to a local NTP server or a different distant one of your choice by tweaking your router’s DNS to IP conversion.
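
An added example, not written by any poster in this thread: one way to check whether a flagged UDP 123 exchange like the one discussed above is ordinary NTP, by decoding the 48-byte NTP header of the request and the reply. It assumes you can capture the UDP payloads (the original poster only had the IP and port); the function names and the sample packets are constructed for illustration.

```python
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
         4: "server", 5: "broadcast"}

def parse_ntp(payload: bytes) -> dict:
    """Decode the fixed 48-byte NTP header (RFC 5905) or raise ValueError."""
    if len(payload) < 48:
        raise ValueError("shorter than the 48-byte NTP header")
    flags, stratum = struct.unpack("!BB", payload[:2])
    version, mode = (flags >> 3) & 0x7, flags & 0x7
    if version not in (3, 4) or mode not in MODES:
        raise ValueError(f"unexpected version/mode {version}/{mode}")
    # Bytes 24-47: origin, receive and transmit timestamps (64-bit each).
    origin, _receive, transmit = struct.unpack("!QQQ", payload[24:48])
    return {"version": version, "mode": MODES[mode], "stratum": stratum,
            "origin": origin, "transmit": transmit,
            "transmit_unix": (transmit >> 32) - NTP_TO_UNIX}

def triage(request: bytes, reply: bytes) -> str:
    """Classify one UDP/123 exchange between a device and a flagged address."""
    try:
        req, rep = parse_ntp(request), parse_ntp(reply)
    except ValueError as exc:
        return f"not an NTP time exchange: {exc}"
    if req["mode"] != "client" or rep["mode"] != "server":
        return "NTP, but not a client/server exchange"
    if rep["origin"] != req["transmit"]:
        return "reply does not echo the request timestamp"
    if not 1 <= rep["stratum"] <= 15:
        return "server stratum outside 1-15 (kiss-o'-death or unsynchronized)"
    return "ordinary NTP time sync"

def build(mode: int, stratum: int, origin: int, transmit: int) -> bytes:
    """Constructed NTPv4 sample packet; not captured from a real device."""
    return struct.pack("!BBbbII4sQQQQ", (4 << 3) | mode, stratum, 6, -20,
                       0, 0, b"\0" * 4, 0, origin, 0, transmit)

T1 = (1616202180 + NTP_TO_UNIX) << 32      # constructed client transmit time
REQUEST = build(3, 0, 0, T1)               # device -> server
REPLY = build(4, 2, T1, T1 + (1 << 31))    # server -> device, echoes T1

if __name__ == "__main__":
    print(triage(REQUEST, REPLY))
    print(triage(REQUEST, b"GET / HTTP/1.1\r\n\r\n"))
```

A result other than "ordinary NTP time sync" means the port number alone does not explain the traffic and the payload deserves a closer look.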
