Skynet Skynet security issue: Causing denial of service

Morris

Very Senior Member
Over the past week or two Skynet using default settings has blocked: Microsoft Update and www.microcenter.com. A denial of service is the largest security issue there is. I was very happy till this started happening. It's not acceptable so I'm uninstalling.

I'll check in at a later date to see if resolved.

Morris
 
Did you register a similar complaint with the site that maintains the malware lists that Skynet downloads for you?
 
I have no idea what list is at fault nor what lists are involved. I've looked at the announcement post instructions and followed its links. I do not see any documentation as to what lists it's using.

Morris
 
Thank you Dave,

I did not find microcenter.com in any of them. I seem to recall the option to include Trend Micro's list. Could be them or one of the lists has been corrected. Investigating further.

Morris

I've reinstalled and I'm no longer seeing the blocks. Somebody fixed their error and the fresh tables cleared the issue. I reload daily as recommended.

Morris
 
These are IP lists, not hostname lists, so you can search within Skynet to see which list contains the IP of the site.
Code:
firewall stats search ip 66.194.187.21
 
I downloaded each list and did not find the IP. I searched by IP. The command seems to rely on the log and it was cleared when I uninstalled.
 
Morris, if there's an erroneous entry in the blocklists, it's usually rectified fairly quickly. Happens occasionally, I just deal with it knowing it's temporary. Alternatively, you can add that IP to your whitelist and go about your business.
 
Windows Update was blocked for at least 4 days. It was first reported on this forum on November 20 as a block of an entire Microsoft IP block.
When I saw Windows Update not working, a huge risk to anyone that uses Skynet, I whitelisted it for myself. I would not call this a quick fix. It is a bit more obscure than Microcenter that was corrected quickly. Possibly we need more frequent list updates as an option.

When security becomes an obstacle to operation, security fails and this is a huge security risk.
 
Looking at the default black lists found at:

I'm excluding
https://iplists.firehol.org/files/spamhaus_edrop.netset
as it blocks entire ranges and that's too aggressive for my taste. This list is implicated in the Windows Update issue as well as Linkin

When I do an exclude, does this filter survive:
- list updates
- Skynet updates?

Thank you,

Morris
 
Having removed the only list I could find with ranges of IPs, I'm confused by what I'm seeing in my log:
Nov 28 08:00:02 RT-AC86U-49C8 Skynet: [#] 87692 IPs (+0) -- 1730 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Nov 28 08:17:05 RT-AC86U-49C8 Skynet: [#] 87399 IPs (-293) -- 1605 Ranges Banned (-125) || 0 Inbound -- 0 Outbound Connections Blocked! [banmalware] [18s]

Where are the other ranges coming from?

Thank you,

Morris
 
there are quite a few other posts for skynet firehol level 3 blocking microsoft sites. Try updating your whitelists manually first and read through some of the more recent skynet posts.
 
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.
 
there are quite a few other posts for skynet firehol level 3 blocking microsoft sites. Try updating your whitelists manually first and read through some of the more recent skynet posts.

That is exactly what I did. I suspect you did not read my posts.
 
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.

Windows Update shows the updates and then starts to download staying at 0%. You will not notice this unless you look at windows update. All 7 of the Windows systems on my network had the same symptom and every one of them showed up in the Skynet log attempting to connect to the same IP which turns out to be registered to Microsoft. As soon as I white listed that IP the downloads proceeded on all 7 systems.
 
Skynet hasn't been blocking my access to MS sites. Not for me, or for any of my customers with Asus + RMerlin powered routers.

How does the issue appear when it is blocked?

For completeness, www.microcenter.com is blocked here.

Microcenter is working again for me as is Windows Update without the white list. Do you know which list is blocking microcenter? Some of the lists may be more trustworthy than others. Does anyone track this?
 
I don't care about accessing Microcenter, I just tested for you here. I don't touch the lists. Everything I need is working without issues.

Some of these Windows updates are like that. I just let them finish (and they do).
 
I appreciate your testing for me. The Windows Updates sat like that for days and as soon as I white listed the IP the download started. I've seen Windows Updates pause as well yet never like this.
 
...since Adamm isn't around...

start by checking your logs and see what the ip block is for the sites that are being blocked and whitelist the ip range

for example, the system log shows outgoing block for x.x.x.x ip address

check and see why it's being blocked in skynet

from ssh in the router
"firewall stats search ip x.x.x.x"

it will tell you why skynet is blocking the ip or range

go to myip.ms and see who owns the block and which country or region
check the IP block to see who owns it and the region it's from and the range
"https://myip.ms/info/whois/x.x.x.x"

and finally whitelist it if you must
whitelist the ip address or range
"firewall whitelist ip 66.194.187.21"


if you are going to drive a car, you are going to learn how to drive and get a license. We will be testing you on your skynet knowledge when you reach level 2

:D


Here is the exact solution for your problem:

ping www.microcenter.com shows it resolves to 66.194.187.21 (or you can check your logs as I said above)

checking skynet for why it's being blocked
admin@RT-AC88U-17F0:/tmp/home/root# firewall stats search ip 66.194.187.21

the result...

blah...blah...blah

Blacklist Reason;
"BanMalware: firehol_level3.netset"

it was blocked because it was reported as malicious by firehol level 3 ipset. Now you can either try to get it removed from the ipset, or you can just whitelist it yourself. Your choice

firewall whitelist ip 175.115.37.52

or remove firehol level 3 as a source if you don't like what they are reporting


either way it's really not skynet which is causing the problem
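
Added example (not part of any post in this thread, and not Skynet's own code): the thread is about IP lists that also carry ranges, and a plain text search of a downloaded `.netset` file only finds addresses that are spelled out, not ones covered by a CIDR entry. The sketch below does the range-aware lookup offline; the list contents are constructed samples, not the real contents of those lists, and the function names are hypothetical.

```python
import ipaddress


def parse_netset(text):
    """Yield (line_no, network) for each entry of a .netset-style list."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            # A bare IP becomes a /32; strict=False tolerates host bits set.
            yield line_no, ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip malformed lines instead of aborting the search


def find_ip(ip, lists):
    """Return [(list_name, line_no, entry)] for every entry that covers ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, text in lists.items():
        for line_no, net in parse_netset(text):
            if net.version == addr.version and addr in net:
                hits.append((name, line_no, str(net)))
    return hits


def text_search(ip, lists):
    """What a plain string search finds: only entries that spell out the IP."""
    return [
        name
        for name, text in lists.items()
        if any(line.split("#", 1)[0].strip() == ip for line in text.splitlines())
    ]


# Constructed sample data for illustration, NOT the real list contents.
SAMPLE_LISTS = {
    "firehol_level3.netset": "# constructed sample\n198.51.100.7\n66.194.187.0/24\n",
    "spamhaus_edrop.netset": "# constructed sample\n203.0.113.0/24\n192.0.2.0/25\n",
}

if __name__ == "__main__":
    ip = "66.194.187.21"  # the microcenter.com address quoted in the thread
    print("text search :", text_search(ip, SAMPLE_LISTS))
    for name, line_no, entry in find_ip(ip, SAMPLE_LISTS):
        print(f"range search: {name} line {line_no} -> {entry}")
```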
 