Skynet Skynet security issue: Causing denial of service


Morris

Regular Contributor
Over the past week or two Skynet using default settings has blocked: Microsoft Update and www.microcenter.com. A denial of service is the largest security issue there is. I was very happy till this started happening. It's not acceptable so I'm uninstalling.

I'll check in at a later date to see if resolved.

Morris
 

dave14305

Part of the Furniture
Did you register a similar complaint with the site that maintains the malware lists that Skynet downloads for you?
 

Morris

Regular Contributor
Did you register a similar complaint with the site that maintains the malware lists that Skynet downloads for you?
I have no idea what list is at fault nor what lists are involved. I've looked at the announcement post instructions and followed its links. I do not see any documentation as to what lists it's using.

Morris
 

Morris

Regular Contributor
Thank you Dave,

I did not find microcenter.com in any of them. I seem to recall the option to include Trend Micro's list. Could be them or one of the lists has corrected. Investigating further.

Morris
I've reinstalled and I'm no longer seeing the blocks. Somebody fixed their error and the fresh tables cleared the issue. I reload daily as recommended.

Morris
 

dave14305

Part of the Furniture
These are IP lists, not hostname lists, so you can search within Skynet to see which list contains the IP of the site.
Code:
firewall stats search ip 66.194.187.21
 

Morris

Regular Contributor
These are IP lists, not hostname lists, so you can search within Skynet to see which list contains the IP of the site.
Code:
firewall stats search ip 66.194.187.21
I downloaded each list and did not find the IP. I searched by IP. The command seems to rely on the log and it was cleared when I uninstalled.
 

JaimeZX

Senior Member
Morris, if there's an erroneous entry in the blocklists, it's usually rectified fairly quickly. Happens occasionally, I just deal with it knowing it's temporary. Alternatively, you can add that IP to your whitelist and go about your business.
 

Morris

Regular Contributor
Morris, if there's an erroneous entry in the blocklists, it's usually rectified fairly quickly. Happens occasionally, I just deal with it knowing it's temporary. Alternatively, you can add that IP to your whitelist and go about your business.
Windows Update was blocked for at least 4 days. It was first reported on this forum on November 20 as a block of an entire Microsoft IP block.
When I saw Windows Update not working, a huge risk to that uses Skynet, I whitelisted it for myself. I would not call this a quick fix. It is a bit more obscure than Microcenter that was corrected quickly. Possibly we need more frequent list updates as an option.

When security becomes an obstacle to operation, security fails and this is a huge security risk.
 

Morris

Regular Contributor
Windows Update was blocked for at least 4 days. It was first reported on this forum on November 20 as a block of an entire Microsoft IP block.
When I saw Windows Update not working, a huge risk to that uses Skynet, I whitelisted it for myself. I would not call this a quick fix. It is a bit more obscure than Microcenter that was corrected quickly. Possibly we need more frequent list updates as an option.

When security becomes an obstacle to operation, security fails and this is a huge security risk.
Looking at the default black lists found at:

I'm excluding
https://iplists.firehol.org/files/spamhaus_edrop.netset
as it blocks entire ranges and that's too aggressive for my taste. This list is implicated in the Windows Update issue as well as Linkin

When I do an exclude, does this filter survive:
- list updates
- Skynet updates?

Thank you,

Morris
 

Morris

Regular Contributor
Windows Update was blocked for at least 4 days. It was first reported on this forum on November 20 as a block of an entire Microsoft IP block.
When I saw Windows Update not working, a huge risk to that uses Skynet, I whitelisted it for myself. I would not call this a quick fix. It is a bit more obscure than Microcenter that was corrected quickly. Possibly we need more frequent list updates as an option.

When security becomes an obstacle to operation, security fails and this is a huge security risk.
Having removed the only list I could find with ranges of IPs, I'm confused by what I'm seeing in my log:
Nov 28 08:00:02 RT-AC86U-49C8 Skynet: [#] 87692 IPs (+0) -- 1730 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Nov 28 08:17:05 RT-AC86U-49C8 Skynet: [#] 87399 IPs (-293) -- 1605 Ranges Banned (-125) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [18s]

Where are the other ranges coming from?

Thank you,

Morris
 

agilani

Very Senior Member
there are quite a few other posts for skynet firehol level 3 blocking microsoft sites. Try updating your whitelists manually first and read through some of the more recent skynet posts.
 

L&LD

Part of the Furniture
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.
 

Morris

Regular Contributor
there are quite a few other posts for skynet firehol level 3 blocking microsoft sites. Try updating your whitelists manually first and read through some of the more recent skynet posts.
That is exactly what I did. I suspect you did not read my posts.
 

Morris

Regular Contributor
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.
Windows Update shows the updates and then starts to download staying at 0%. You will not notice this unless you look at windows update. All 7 of the Windows systems on my network had the same symptom and every one of them showed up in the Skynet log attempting to connect to the same IP which turns out to be registered to Microsoft. As soon as I white listed that IP the downloads proceeded on all 7 systems.
 

Morris

Regular Contributor
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.
Microcenter is working again for me as is Windows Update without the white list. Do you know which list is blocking microcenter? Some of the lists may be more trustworthy than others. Does anyone track this?
 

L&LD

Part of the Furniture
I don't care about accessing Microcenter, I just tested for you here. I don't touch the lists. Everything I need is working without issues.

Some of these Windows updates are like that. I just let them finish (and they do).
 

Morris

Regular Contributor
I don't care about accessing Microcenter, I just tested for you here. I don't touch the lists. Everything I need is working without issues.

Some of these Windows updates are like that. I just let them finish (and they do).
I appreciate your testing for me. The Windows Updates sat like that for days and as soon as I white listed the IP the download started. I've seen Windows Updates pause as well yet never like this.
 

agilani

Very Senior Member
...since Adamm isn't around...

start by checking your logs and see what the ip block is for the sites that are being blocked and whitelist the ip range

for example, the system log shows outgoing block for x.x.x.x ip address

check and see why it's being blocked in skynet

from ssh in the router
"firewall stats search ip x.x.x.x"

it will tell you why skynet is blocking the ip or range

goto myip.ms and see who owns the block and which country or region
check the IP block to see who owns it and the region it's from and the range
"https://myip.ms/info/whois/x.x.x.x"

and finally whitelist it if you must
whitelist the ip address or range
"firewall whitelist ip 66.194.187.21"


if you are going to drive a car, you are going to learn how to drive and get a license. We will be testing you on your skynet knowledge when you reach level 2

:D


Here is the exact solution for your problem:

ping www.microcenter.com shows it resolves to 66.194.187.21 (or you can check your logs as I said above)

checking skynet for why it's being blocked
[email protected]:/tmp/home/root# firewall stats search ip 66.194.187.21

the result...

blah...blah...blah

Blacklist Reason;
"BanMalware: firehol_level3.netset"

it was blocked because it was reported as malicious by firehol level 3 ipset. Now you can either try to get it removed from the ipset, or you can just whitelist it yourself. Your choice

firewall whitelist ip 175.115.37.52

or remove firehol level 3 as a source if you don't like what they are reporting


either way it's really not skynet which is causing the problem
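
Added example (not part of the thread and not Skynet's own code): the FireHOL `.netset` files discussed above mix single addresses with CIDR ranges, so a plain text search of a downloaded list for one IP can miss the range that covers it. This Python sketch does the containment check offline; the list names and entries are constructed samples, not real blocklist data.

```python
import ipaddress

# Constructed sample list contents (not real blocklist data). FireHOL-style
# .netset files hold one entry per line: a single IP or a CIDR range, with
# '#' comment lines in the header.
SAMPLE_LISTS = {
    "example_ranges.netset": """\
# constructed sample
198.51.100.0/24
203.0.113.7
""",
    "example_hosts.ipset": """\
# constructed sample
192.0.2.15
not-an-entry
""",
}


def parse_entries(text):
    """Yield (line_no, network) for each valid entry, skipping comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts entries with host bits set, e.g. 10.1.2.3/8
            yield line_no, ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: ignore rather than abort the search


def find_covering_entries(ip, lists):
    """Return [(list_name, line_no, entry)] for every entry that contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, text in lists.items():
        for line_no, net in parse_entries(text):
            if net.version == addr.version and addr in net:
                hits.append((name, line_no, str(net)))
    return hits


if __name__ == "__main__":
    for ip in ("198.51.100.42", "203.0.113.7", "192.0.2.16"):
        print(ip, find_covering_entries(ip, SAMPLE_LISTS) or "not listed")
```

To use it on real data, replace `SAMPLE_LISTS` with the text of the list files you downloaded, keyed by file name.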
 