I monitor my network traffic and recently received a notification that my Sonos Play 3 was accessing a phishing site at 1:03 AM (a time when the system was not being used). As part of the monitoring I have noticed over time that all my Sonos devices connect to random IP addresses once per hour via port 123 (UDP). It's my understanding that this is the Network Time Protocol, used for synchronization. However, after months of monitoring I received the following notification for the first time.
"Device Sonos Play 3 is accessing phishing site 22.214.171.124."
After further investigation it seems that this IP address (126.96.36.199) has been identified as an unsecured phishing site. I did a Whois search and the domain owner is DigitalOcean, which seems normal for the UDP sync. When navigating to the site via web browser it shows a default message saying nginx has been successfully installed.
Has anyone else seen an issue like this or run into issues with the IP address block 188.8.131.52/16?
Best answer by ratty
The address is a hosting provider, but for some reason has apparently made it onto blacklists. Google blocks it as potentially “deceptive” owing to phishing reports.
There are references to north-america.pool.ntp.org in conjunction with that IP, which seems logical for UDP 123 traffic.
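The pattern ratty describes (a hosting-provider address that only ever receives hourly UDP/123 traffic from the device, and that resolves from a pool.ntp.org name) is the usual shape of a reputation false positive, since NTP pool members are volunteer hosts that share address space with whatever else the provider runs. The script below is an added example, not code from the thread or from Sonos: it parses a few constructed flow-log lines, groups them by destination, and gives each destination a verdict, so a flagged address can be checked against what the device actually sent to it. The log format, the device name, and the allowlist addresses (RFC 5737 documentation ranges standing in for addresses you would resolve from the pool hostname yourself) are all assumptions made for the example.

```python
"""Triage helper for IoT devices flagged against an IP reputation list.

Added example; not part of the original forum thread or any Sonos code.
The flow records, device name and allowlist addresses are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed allowlist standing in for the addresses you would get by
# resolving the pool hostname the device uses (e.g. north-america.pool.ntp.org)
# at triage time. Pool membership rotates, so refresh it before trusting it.
NTP_POOL_ALLOWLIST = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed flow log lines: timestamp device dst_ip proto dst_port bytes
SAMPLE_FLOWS = """\
2024-03-01T00:03:12 sonos-play3 203.0.113.10 udp 123 96
2024-03-01T01:03:15 sonos-play3 198.51.100.7 udp 123 96
2024-03-01T01:03:40 sonos-play3 192.0.2.55 udp 123 96
2024-03-01T01:04:02 sonos-play3 192.0.2.55 tcp 443 4120
2024-03-01T02:03:11 sonos-play3 203.0.113.11 udp 123 96
2024-03-01T03:03:09 sonos-play3 192.0.2.80 udp 123 96
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    device: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed whitespace-separated flow format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dst, proto, dport, nbytes = line.split()
        flows.append(
            Flow(datetime.fromisoformat(ts), device, dst, proto.lower(), int(dport), int(nbytes))
        )
    return flows


def looks_like_ntp(flow: Flow) -> bool:
    """A client NTP/SNTP exchange is UDP to port 123 with a 48-byte payload.

    The byte budget leaves room for IP/UDP headers as counted by most flow
    exporters; anything larger on UDP/123 is worth a second look.
    """
    return flow.proto == "udp" and flow.dport == 123 and flow.nbytes <= 200


def triage(flows: list[Flow], allowlist: set[str] = NTP_POOL_ALLOWLIST) -> dict[str, str]:
    """Return one verdict per destination address.

    ntp-pool        only NTP-shaped traffic, address is a known pool member
    ntp-unverified  only NTP-shaped traffic, address not in the allowlist
                    (likely a rotated pool member; re-resolve the pool name)
    review          the device also sent non-NTP traffic to this address,
                    so the reputation hit cannot be dismissed as NTP noise
    """
    by_dst: dict[str, list[Flow]] = defaultdict(list)
    for flow in flows:
        by_dst[flow.dst].append(flow)

    verdicts = {}
    for dst, dst_flows in by_dst.items():
        if all(looks_like_ntp(f) for f in dst_flows):
            verdicts[dst] = "ntp-pool" if dst in allowlist else "ntp-unverified"
        else:
            verdicts[dst] = "review"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in sorted(triage(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{dst:15} {verdict}")
```

The useful output is the "review" verdict: an address that a reputation feed flags and that the device also talks to over something other than UDP/123 deserves a closer look, whereas an "ntp-unverified" address is normally resolved by querying the pool hostname again and adding the current members to the allowlist.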