Apologies for somewhat necro-bumping this, but I’ve run into the same issue recently. After getting partial DC’d like this several times during M+ runs, I’ve gone and aggressively whitelisted most of the subnets in Blizzard ASN (AS57976). The following subnets are what I’ve whitelisted:
24.105.0.0/18 (US)
37.244.0.0/18 (EU/US)
59.153.40.0/22 (JP)
103.198.32.0/23 (AU)
137.221.64.0/18 (EU)
158.115.192.0/19 (US)
185.60.112.0/22 (EU)
198.74.32.0/21 (US)
Blizzard is also leveraging GCP (Google Cloud Platform) now with Shadowlands, so there are some non-Blizzard IPs that have been tripping this as well (search logs for port 3724 on one end). I didn’t want to disable all IPS for everything on GCP, but without knowing what allocation Blizzard has there, it’s hard to cover everything.
As a compromise, I added a signature suppression for “ET MALWARE Netwire RAT Check-in” and “ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103” (the two signatures I have flagged in my logs) for 34.64.0.0/10.
N.B. this is a rather large IP range, covering 34.64.0.0 - 34.127.255.255. These are all GCP IP addresses, but Blizzard does not control what’s on the vast majority of this IP space. I determined this to be an acceptable risk. Most of the subnets are part of AS15169 (GOOGL-2 / Google LLC), but some are in AS139070 (GOOGLE-CLOUD / Google Asia Pacific Pte. Ltd.). There are also many other networks in AS15169, but until I see any Blizzard traffic from them, I’m opting not to add them.
References
https://bgpview.io/asn/57976
https://bgpview.io/prefix/34.64.0.0/10
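As an added example (not part of the post above, and not a tool from the poster or from Blizzard), the script below takes the prefixes listed in the post and sorts IPS alerts into the three buckets the post describes: covered by the AS57976 whitelist, covered by the 34.64.0.0/10 signature suppression, or still alerting. It also quantifies the trade-off the post accepts by comparing the address count of the /10 with the whitelisted Blizzard space. Assumptions: alerts are constructed dictionaries with src/dst/sport/dport/sig fields (a real Suricata or pfSense export would need a small parser), the suppression is keyed on IP and signature only (a suppress rule carries no port), and port 3724 is used here purely as a review hint, as the post suggests for log searches.

```python
import ipaddress

# Prefixes the post lists for Blizzard's ASN (AS57976).
BLIZZARD_PREFIXES = [ipaddress.ip_network(p) for p in (
    "24.105.0.0/18", "37.244.0.0/18", "59.153.40.0/22", "103.198.32.0/23",
    "137.221.64.0/18", "158.115.192.0/19", "185.60.112.0/22", "198.74.32.0/21",
)]

# GCP range the post suppresses the two ET signatures for.
GCP_SUPPRESS = ipaddress.ip_network("34.64.0.0/10")

# Signature names from the post (SIDs are not given there, so names are used).
SUPPRESSED_SIGNATURES = {
    "ET MALWARE Netwire RAT Check-in",
    "ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103",
}

GAME_PORT = 3724  # port the post says to search logs for


def classify(alert: dict) -> str:
    """Return which control (if any) covers one alert.

    Assumed alert shape (constructed for this example):
    {"src": ip, "dst": ip, "sport": int, "dport": int, "sig": str}
    """
    peers = (ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"]))

    # Whitelist: any alert with a Blizzard ASN peer is bypassed regardless of signature.
    if any(ip in net for ip in peers for net in BLIZZARD_PREFIXES):
        return "whitelisted-blizzard-asn"

    # Suppression: only the two named signatures, only for peers inside the /10.
    in_gcp = any(ip in GCP_SUPPRESS for ip in peers)
    if in_gcp and alert["sig"] in SUPPRESSED_SIGNATURES:
        if GAME_PORT in (alert["sport"], alert["dport"]):
            return "suppressed-gcp-game-port"
        # Suppression still applies, but nothing ties this to game traffic: worth a look.
        return "suppressed-gcp-review"

    return "alert"


def suppression_scope() -> dict:
    """Address counts behind each control, to make the accepted risk concrete."""
    return {
        "blizzard": sum(net.num_addresses for net in BLIZZARD_PREFIXES),
        "gcp": GCP_SUPPRESS.num_addresses,
    }


# Constructed sample alerts (192.0.2.0/24 is documentation space for the LAN side).
SAMPLE_ALERTS = [
    {"src": "192.0.2.10", "dst": "24.105.10.20", "sport": 51000, "dport": 3724,
     "sig": "ET MALWARE Netwire RAT Check-in"},
    {"src": "192.0.2.10", "dst": "34.100.1.1", "sport": 51001, "dport": 3724,
     "sig": "ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"},
    {"src": "192.0.2.10", "dst": "34.120.5.5", "sport": 51002, "dport": 443,
     "sig": "ET MALWARE Netwire RAT Check-in"},
    {"src": "192.0.2.10", "dst": "35.190.1.1", "sport": 51003, "dport": 3724,
     "sig": "ET MALWARE Netwire RAT Check-in"},
    {"src": "192.0.2.10", "dst": "34.100.1.1", "sport": 51004, "dport": 3724,
     "sig": "SOME-OTHER-SIGNATURE"},  # placeholder name, not a real ET rule
]


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a['dst']:>14} :{a['dport']:<5} {a['sig'][:40]:<40} -> {classify(a)}")
    scope = suppression_scope()
    print(f"whitelisted Blizzard space: {scope['blizzard']:,} addresses")
    print(f"suppressed GCP space:       {scope['gcp']:,} addresses "
          f"(~{scope['gcp'] // scope['blizzard']}x larger)")
```

The third bucket ("suppressed-gcp-review") is the one to keep an eye on: those alerts are silenced by the /10 suppression but have no port 3724 on either end, so they are exactly the non-Blizzard GCP traffic the post accepts as a risk. Running the classifier over exported alerts periodically is a cheap way to confirm that acceptance still holds.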