Lag spike that never recovers

RESOLVED! This thread will be useful to you if you use Ubiquiti security appliances, or any other advanced routers/firewalls. In a nutshell:

  • Blizzard has started doing something strange in Shadowlands which is tripping an Intrusion Prevention Rule in Ubiquiti called “ET MALWARE Netwire RAT Check-in”
  • Suppress this rule from the Unifi console and see if it improves your situation
  • The preferable resolution would be for Blizzard to stop doing whatever is tripping this rule
  • The second best approach is suppression based on destination (whitelist all blizzard IPs), but I don’t have a definitive list of WoW server subnets :frowning:

homies let me know if you have any advice. for the last few weeks

  • wow lags and does not recover. i.e. wait 1 minute and it doesn’t come back. it happens in pretty much every single dungeon, sometimes multiple times
  • the game is not frozen, I can run around, I can see my animations, etc, but I cannot see anyone else moving
  • I can still send in-game text chat and others receive it
  • /reload doesn’t help
  • i have to alt-f4 and come back in
  • I have disabled all addons that I don’t absolutely need. I have no new addons… same as always
  • [Update] I have disabled all addons and renamed the folder!
  • [Update] I have reinstalled WOW on another HDD - no improvement
  • [Update] WinMTR results below
  • [Update] My partner never experiences this issue, and is on the same network (plugged into the exact same switch, and I have replaced the Cat6 cable to my PC just to be sure).

Usually it’s best to rename the addon folder and try playing with none to rule out addons.

Let us know how it goes after the reinstall.

@Elocin - thank you, and I agree, that will have to be the next step. Reinstalling to a new SSD has shown no improvements. While looking into it as a network problem… I followed this post: Using WinMTR to troubleshoot lag issues inside SL dungeons/raids

I found two IPs that showed ESTABLISHED, so I WinMTR’d both:

C:\WINDOWS\system32>netstat -an | findstr 3724
TCP 192.168.2.55:51239 35.226.216.87:3724 TIME_WAIT
TCP 192.168.2.55:51435 24.105.32.63:3724 TIME_WAIT
TCP 192.168.2.55:51440 24.105.34.10:3724 ESTABLISHED
TCP 192.168.2.55:51513 35.226.216.87:3724 ESTABLISHED

For IP: 24.105.34.10

WinMTR Statistics

Host                              %    Sent  Recv  Best  Avrg  Wrst  Last
unifi.localdomain                 19   2701  2212  0     0     15    0
192.168.1.254                     17   2827  2369  0     0     16    1
209.121.122.65                    1    4616  4615  1     1     21    4
STTLWAWBCI01.bb.telus.com         0    4620  4620  4     4     30    4
154.11.2.145                      1    4612  4610  4     9     111   5
ae1-br02-eqse2.as57976.net        0    4620  4620  53    59    174   71
No response from host             100  932   0     0     0     0     0
et-0-0-1-pe04-eqch2.as57976.net   0    4620  4620  52    56    176   53
chi-eqch2-ia-bons-04.as57976.net  0    4620  4620  53    54    66    58
24.105.62.151                     1    4616  4615  53    54    70    53
No response from host             100  932   0     0     0     0     0
... truncated the rest

My understanding is 4616 packets were sent to the server, 4615 were received. Not bad???

For IP: 35.226.216.87

WinMTR Statistics

Host                              %    Sent  Recv  Best  Avrg  Wrst  Last
unifi.localdomain                 16   2879  2446  0     0     16    0
192.168.1.254                     17   2752  2286  0     0     16    0
209.121.122.65                    1    4567  4565  0     1     18    2
QUBCPQAJDR02.bb.telus.com         1    4567  4565  4     5     35    5
209.85.174.62                     1    4571  4570  4     4     18    4
No response from host             100  923   0     0     0     0     0
74.125.253.66                     0    4574  4574  4     4     16    5
108.170.245.124                   0    4574  4574  4     5     156   6
142.250.228.156                   72   1198  343   10    13    64    11
216.239.50.42                     65   1285  452   44    45    56    45
172.253.76.24                     0    4575  4575  44    45    57    46
142.250.58.185                    1    4567  4565  45    47    122   47
No response from host             100  923   0     0     0     0     0
... truncated the rest

My understanding is 4567 packets were sent to the server, 4565 were received. Not bad???

How does it look to you guys?

It looks weird. You can’t just look at the end of it.

The first 2 hops show far fewer packets (2701 and 2879) than are received at the end (4616 and 4567). Along the way are sites that don’t show that many packets making it at all, which could be ICMP mitigation, or not.

I’d start looking at your home network given that it is recording only about 55% of the packets that are showing at the end of the run.

Edit - if that’s Ubiquiti UniFi equipment on your home network, this thread may help.

Correct.

You should try the UI reset first.

And I realize you’re not on FiOS, but trying another packet type (not ICMP like WinMTR uses) may help if reset doesn’t do anything. For this I recommend using PingPlotter. More info can be found in my previous post to another player here:

Holy sh!t!!! Definitely running ubiquiti gear and definitely have IPS turned on. What is very very strange is my partner plays wow all the time and has never had this issue. Either way, I’m bypassing ubiquiti to test.

Thank you thank you thank. I was about to throw my PC out my window. And given the shortage of GPUs these days, I may have stopped playing WoW completely. But I have Ubiquiti gear, and I have IPS enabled, and I am SUPER HOPEFUL you guys are onto the problem. I just checked my IPS logs and found:
04/12/2021 3:32 pm Malware ET MALWARE Netwire RAT Check-in 34.123.149.90 : 3724 192.168.2.55 : 51799
This is the exact time that my dungeon “froze”… all graphics working fine, able to chat with team, but no one else is moving.
I WILL REPORT BACK!

Damn… look at the log from yesterday. I was actually RAGING with the “freezes”

04/11/2021 8:42 pm Malware ET MALWARE Netwire RAT Check-in 35.226.216.87 : 3724 192.168.2.55 : 51513 SUPPRESS
04/11/2021 7:07 pm Malware ET MALWARE Netwire RAT Check-in 34.72.65.159 : 3724 192.168.2.55 : 64897 SUPPRESS
04/11/2021 6:58 pm Malware ET MALWARE Netwire RAT Check-in 34.72.65.159 : 3724 192.168.2.55 : 64680 SUPPRESS
04/11/2021 6:18 pm Malware ET MALWARE Netwire RAT Check-in 24.105.35.226 : 3724 192.168.2.55 : 62049 SUPPRESS
04/11/2021 4:28 pm Malware ET MALWARE Netwire RAT Check-in 24.105.36.37 : 3724 192.168.2.55 : 59282 SUPPRESS
04/11/2021 3:22 pm Malware ET MALWARE Netwire RAT Check-in 35.193.56.200 : 3724 192.168.2.55 : 56194 SUPPRESS
04/11/2021 12:36 pm Malware ET MALWARE Netwire RAT Check-in 24.105.33.158 : 3724 192.168.2.55 : 49898 SUPPRESS
04/11/2021 12:14 pm Malware ET MALWARE Netwire RAT Check-in 24.105.33.158 : 3724 192.168.2.55 : 49533
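
Added example, not part of any post in this thread: a small Python triage of IPS alert lines in the format quoted above, grouping them by signature to check that every hit came from server port 3724 to one internal host and listing the remote /24 networks seen. The /24 grouping and all function names are assumptions of this sketch; the networks it reports are only those observed in these lines, not a definitive list of server subnets.

```python
import ipaddress
import re
from collections import defaultdict

# Alert lines copied from the posts above (one IPS alert per line).
SAMPLE_LOG = """\
04/12/2021 3:32 pm Malware ET MALWARE Netwire RAT Check-in 34.123.149.90 : 3724 192.168.2.55 : 51799
04/11/2021 8:42 pm Malware ET MALWARE Netwire RAT Check-in 35.226.216.87 : 3724 192.168.2.55 : 51513 SUPPRESS
04/11/2021 7:07 pm Malware ET MALWARE Netwire RAT Check-in 34.72.65.159 : 3724 192.168.2.55 : 64897 SUPPRESS
04/11/2021 6:18 pm Malware ET MALWARE Netwire RAT Check-in 24.105.35.226 : 3724 192.168.2.55 : 62049 SUPPRESS
04/11/2021 4:28 pm Malware ET MALWARE Netwire RAT Check-in 24.105.36.37 : 3724 192.168.2.55 : 59282 SUPPRESS
"""

# date, time, category, signature, source ip : port, destination ip : port, optional action
ALERT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2} [ap]m) "
    r"(?P<category>\S+) (?P<signature>.+?) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) : (?P<src_port>\d+) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) : (?P<dst_port>\d+)"
    r"(?: (?P<action>\S+))?$"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def summarize(alerts):
    """Per signature: alert count, server ports, internal hosts, remote /24s."""
    out = defaultdict(lambda: {"count": 0, "src_ports": set(), "hosts": set(), "nets": set()})
    for a in alerts:
        s = out[a["signature"]]
        s["count"] += 1
        s["src_ports"].add(int(a["src_port"]))
        s["hosts"].add(a["dst_ip"])
        # Assumption: /24 is used only as a coarse grouping of observed addresses.
        s["nets"].add(str(ipaddress.ip_network(a["src_ip"] + "/24", strict=False)))
    return dict(out)

def single_service(summary, signature, port):
    """True when every alert for the signature came from the one given server port."""
    return summary[signature]["src_ports"] == {port}

if __name__ == "__main__":
    for sig, s in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(sig, s["count"], sorted(s["src_ports"]), sorted(s["hosts"]), sorted(s["nets"]))
```
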

Necro thread but I am having a similar scenario with Threat Management enabled on my UDM Pro. I have been able to play without issue but my wife gets these freezes and at the same time I get the ET MALWARE Netwire RAT Check-in alert from UDM.

For now I am suppressing the signature to “fix” the issue but Blizzard certainly needs to investigate this on their end as it is absolutely coming from their infrastructure. Here are some log entries from my UDM showing Blizzard subnets as the source.

Date: Feb 17 2022
Time: 1:03 pm
Origin: (empty)
Service: ET MALWARE Netwire RAT Check-in
Category: Malware
Type: A Network Trojan was detected
Source IP: 34.83.151.72
Destination IP: 10.0.1.42
Severity: Concerning
Activity: 61.1 MB
Interface: br0
Protocol: TCP

Date: Feb 12 2022
Time: 12:45 pm
Origin: (empty)
Service: ET MALWARE Netwire RAT Check-in
Category: Malware
Type: A Network Trojan was detected
Source IP: 34.71.115.248
Destination IP: 10.0.1.42
Severity: Concerning
Activity: 5.85 MB
Interface: br0
Protocol: TCP

Date: Feb 12 2022
Time: 11:59 am
Origin: (empty)
Service: ET MALWARE Netwire RAT Check-in
Category: Malware
Type: A Network Trojan was detected
Source IP: 24.105.32.32
Destination IP: 10.0.1.42
Severity: Concerning
Activity: 2.13 MB
Interface: br0
Protocol: TCP