11-08-2018 03:11 AM
So I have four Wemo devices. Two mini plugs, a regular plug, and one light switch.
The two mini plugs have been using excessive amount of traffic on them. For example, over two weeks about 3 gigs down and one gig up whereas the other devices were at 3 megs down, 14 megs up.
So of course I assumed they were compromised, put a firewall block in, and got to Belkin support, and esclated to level two.
Well the tech person asked me a question where I slapped the **bleep** out of myself for being so stupid as to not think of it myself first.
"Do we know that traffic is going in/out on the Internet or is it just internally on your LAN?"
Well duh, didn't think of that. So since I have two behaving like that, I put in a firewall rule to block only one of the two and see what happens.
Well by golly, they both are still clocking the same amount of traffic. Granted maybe my router is counting dropped packets in its stats but if it was a bot it'd have to also be getting data coming in.
Anyway, so maybe not compromised. Also looking at logs I turned on, I don't see any connection attempts except to AWS on ports that Wemos use.
But my one question that I'm finally getting to. I see a LOT of connection attempts to 184.108.40.206 port 60000. So that has me concerned. That addressing scheme is not part of my network at all, and it certainly isn't being routed outside.
Any ideas on what that might be about?