So I’ve had this issue the past couple of months now, and it seems to be getting more frequent again. I did some digging and found out that the IPS (Intrusion Prevention System) in my Ubiquiti USG-Pro router is, for some reason, blocking connections to Blizzard IPs due to detecting a trojan.
Threat Management Alert 1: A Network Trojan was Detected. Signature ET TROJAN Netwire RAT Check-in
This seems to be coming from both Blizzard-owned subnets, and some Google ones. I’ve found a couple of threads on this, which will be linked below. I did end up whitelisting a few of the subnets as described in the Ubiquiti forum post; however, I still seem to be getting this from Google IPs, which still disrupts my game connection.
I have to assume they’re false-positives, but I don’t think I’ll be turning IPS off. If a blizz rep sees this, could I get a list of blizzard-owned subnets that I could whitelist?
Apologies for somewhat necro-bumping this, but I’ve run into the same issue recently. After getting partially DC’d like this several times during M+ runs, I’ve gone and aggressively whitelisted most of the subnets in Blizzard’s ASN (AS57976). The following subnets are what I’ve whitelisted:
24.105.0.0/18 (US)
37.244.0.0/18 (EU/US)
59.153.40.0/22 (JP)
103.198.32.0/23 (AU)
137.221.64.0/18 (EU)
158.115.192.0/19 (US)
185.60.112.0/22 (EU)
198.74.32.0/21 (US)
Blizzard is also leveraging GCP (Google Cloud Platform) now with Shadowlands, so there are some non-Blizzard IPs that have been tripping this as well (search logs for port 3724 on one end). I didn’t want to disable all IPS for everything on GCP, but without knowing what allocation Blizzard has there, it’s hard to cover everything.
As a compromise, I added a signature suppression for “ET MALWARE Netwire RAT Check-in” and “ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103” (the two signatures I have flagged in my logs) for 34.64.0.0/10. N.B. this is a rather large IP range, covering 34.64.0.0 - 34.127.255.255. These are all GCP IP addresses, but Blizzard does not control what’s on the vast majority of this IP space. I determined this to be an acceptable risk. Most of the subnets are part of AS15169 (GOOGL-2 / Google LLC), but some are in AS139070 (GOOGLE-CLOUD / Google Asia Pacific Pte. Ltd.). There are also many other networks in AS15169, but until I see any Blizzard traffic from them, I’m opting not to add them.
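As an added example (not code from either poster, and not anything the USG/UDM ships), here is a small Python script that replays IPS alert lines against the policy described in the post above: the AS57976 subnets bypass inspection entirely, and the two named signatures are muted only for traffic inside 34.64.0.0/10. The alert-line format, the sample lines and the IP addresses in them are constructed for this example; real USG/UDM logs do not look like this. The script also reports which remote IPs would still alert after the policy, which is the list you would review before widening the suppression any further.

```python
"""Replay constructed IPS alert lines against a whitelist + signature-suppression policy.

Assumptions (mine, not the poster's):
- whitelisted subnets bypass IPS for any signature;
- the named signatures are suppressed only when one side is in 34.64.0.0/10;
- the alert-line format below is constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Subnets from Blizzard's AS57976 that the post above whitelists (full IPS bypass).
WHITELIST = [ipaddress.ip_network(n) for n in (
    "24.105.0.0/18", "37.244.0.0/18", "59.153.40.0/22", "103.198.32.0/23",
    "137.221.64.0/18", "158.115.192.0/19", "185.60.112.0/22", "198.74.32.0/21",
)]

# GCP range for which only the named signatures are suppressed (still inspected otherwise).
SUPPRESS_NET = ipaddress.ip_network("34.64.0.0/10")
SUPPRESSED_SIGS = {
    "ET MALWARE Netwire RAT Check-in",
    "ET TROJAN Netwire RAT Check-in",   # spelling used in the first post of this thread
    "ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103",
}

# Constructed alert-line format: "<src>:<sport> -> <dst>:<dport> sig=\"<signature>\"".
LINE_RE = re.compile(
    r'^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'sig="(?P<sig>[^"]+)"$'
)

# Constructed sample alerts; the IPs are illustrative, not observed Blizzard hosts.
SAMPLE_LOG = [
    '192.168.1.20:51234 -> 24.105.62.129:3724 sig="ET MALWARE Netwire RAT Check-in"',
    '192.168.1.20:51235 -> 34.89.12.7:3724 sig="ET MALWARE Netwire RAT Check-in"',
    '192.168.1.20:51236 -> 34.89.12.7:3724 sig="ET MALWARE Some Unrelated Alert"',
    '192.168.1.20:51237 -> 35.190.0.10:443 sig="ET MALWARE Netwire RAT Check-in"',
    '192.168.1.20:51238 -> 185.60.114.5:3724 '
    'sig="ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"',
]


def classify(line):
    """Return 'whitelist', 'suppressed' or 'alert' for one alert line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if any(src in net or dst in net for net in WHITELIST):
        return "whitelist"      # never inspected: any signature would pass
    if m["sig"] in SUPPRESSED_SIGS and (src in SUPPRESS_NET or dst in SUPPRESS_NET):
        return "suppressed"     # inspected, but this particular signature is muted
    return "alert"              # IPS would still drop this connection


def remaining_alerts(lines):
    """Remote (destination) IPs that would still be blocked after the policy, with counts.

    This is the list to review before adding more whitelist entries or suppressions.
    """
    hits = Counter()
    for line in lines:
        if classify(line) == "alert":
            hits[LINE_RE.match(line)["dst"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):10s} {line}")
    print("still alerting:", remaining_alerts(SAMPLE_LOG))
```

Running it shows the trade-off in the post: the Netwire hit on 34.89.12.7 is muted, but the same host would still be blocked on any other signature, and a GCP host outside 34.64.0.0/10 (here 35.190.0.10) is not covered at all, so those are the two candidates to investigate before adding another suppression.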
This thread was an absolute lifesaver. I just installed a UDM a few weeks ago, and ever since, in M+ I would experience exactly what is mentioned here due to IPS. Added the whitelists and it seems to be resolved so far. Great job!