Screen Freeze kinda

Ok well I’m really glad it’s not a hardware issue, but a connection issue might suck even more… as most of that is out of my control.

I am using a wired connection, and I did reset both the router and the modem. I updated the firmware of the router, and had my ISP also update the firmware of the modem.

This unfortunately did not resolve the problem. To add to the mystery… when I log back into the game, after closing it via task manager, the load screen will take much longer than normal. I can then load any other character I have, but if I load the one who I was playing at the time of the problem I will get a “world server” error message. And when I do get into the game I am almost always teleported back to where my hearth stone is set.

I got a copy of that WinMTR thing but I keep getting a “can’t post links” message here.

Use Pastebin and provide just the end of the link.

|------------------------------------------------------------------------------------------|
|                                      WinMTR statistics                                   |
|                       Host              -   %  | Sent | Recv | Best | Avrg | Wrst | Last |
|------------------------------------------------|------|------|------|------|------|------|
|                                    ubnt -    0 | 2035 | 2035 |    0 |    0 |   12 |    0 |
|           97-64-253-97.client.mchsi.com -    0 | 2035 | 2035 |    0 |    0 |    8 |    0 |
|                             10.152.65.1 -    0 | 2035 | 2035 |    4 |    9 |   50 |    9 |
|                            172.30.18.21 -    0 | 2035 | 2035 |   13 |   21 |   66 |   25 |
|            68-66-73-22.client.mchsi.com -    0 | 2035 | 2035 |   33 |   37 |   66 |   42 |
|              po13.chgil001cr1.mchsi.com -    0 | 2035 | 2035 |   33 |   37 |   66 |   39 |
|              po10.chgil001er1.mchsi.com -    0 | 2035 | 2035 |   33 |   37 |  110 |   34 |
|                          137.221.66.164 -    0 | 2035 | 2035 |   32 |   41 |  123 |   36 |
|                   No response from host -  100 |  407 |    0 |    0 |    0 |    0 |    0 |
|         et-0-0-0-pe01-eqch2.as57976.net -    0 | 2035 | 2035 |   33 |   39 |  169 |   37 |
|                           24.105.62.129 -    0 | 2035 | 2035 |   30 |   36 |   77 |   35 |
|________________________________________________|______|______|______|______|______|______|
   WinMTR v0.92 GPL V2 by Appnor MSP - Fully Managed Hosting & Cloud Provider

Hey again,

The WinMTR results look good, so no indication of where exactly the partial disconnect is occurring.

Something you could potentially try would be to enable QoS (Quality of Service) in your router’s settings, if your router supports QoS. That can sometimes help with connection issues like this.

Or if you can try connecting through a different connection, such as a hotspot or VPN, that would help identify if it’s an issue happening along the route somewhere between you and the server.

Ok I have been using a VPN with my endpoint in Chicago, because apparently my server is located in Chicago, and I have not had a problem since.

I assume this indicates that the problem is in the route. Any clue on how I can identify where the problem lies? WAN/LAN? If it’s LAN side obviously it’s something I can change, and if it’s not then I need my ISP to change something somewhere, and they might because we have a business account and they seem to really support business customers more than the residential side.

Hey Knoest,

I’m having the same problem, as described by myself and others here: Combat and character actions lag-frozen, running on spot, while ingame chat still working

I notice that you are also on UBNT hardware. Just wondering if that is a coincidence. What UBNT gear do you have?

I have a USG and antennas but this computer is actually connected to a 48-port HP switch via fiber so the only thing in the route is that USG.

I’m on a USG Pro 4 and all USG wired switches. Considering that your (presumably commercial endpoint) VPN Solution fixed it, do you have deep packet inspection enabled?

We have quite a few open services so yes we do have DPI enabled, and IPS.

I am also running both of the same options. That’s too coincidental. I think I’ll try disabling DPI as a test.

It looks like UBNT might be identifying certain traffic coming from blizz as malicious.

Trojan A Network Trojan was Detected High United Kingdom 137.221.103.31 : 3724 INTERNALIP : 64721 12/17/2020 09:14:43 PM
Trojan A Network Trojan was Detected High United Kingdom 137.221.96.37 : 3724 INTERNALIP : 49815 12/17/2020 10:13:48 PM
Trojan A Network Trojan was Detected High United Kingdom 137.221.99.152 : 3724 INTERNALIP : 49217 12/19/2020 01:07:19 PM

I wonder if whitelisting the server would work then.

It looks like they own 137.221.96.0/22. I’d like to get a blue’s confirmation before I WL it. I also can’t help but wonder what they are sending that is tripping trojan traffic signatures. I’d like to wireshark it, but the error is so rare, from a packet perspective, that I don’t think I’d ever capture it.

I’m going to dig through my threat log and see if I can find something similar from my server.

I’m having a little issue accessing my alerts… might need to restart my controller vm or something.

It looks like it isn’t just me.

https://community.ui.com/questions/Threat-Management-Alert-1-A-Network-Trojan-was-Detected-Signature-ET-TROJAN-Netwire-RAT-Check-in/80ea2e34-d5a9-487a-98ed-19be7c9cd7ea

This just happened again and correlated to the second with an IPS malicious traffic signature.

24.105.33.197 : 3724 INTERNALIP : 61887 12/20/2020 10:16:49 PM

Concerningly, this time a different network range in a different part of the world. Unless blizzard decides to take action, we are going to be left with the choice of disabling IPS or suppressing these IP by IP.
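An added example, not written by any poster in this thread or by Ubiquiti or Blizzard: it parses the alert rows pasted above, checks which alert sources a candidate suppression range such as 137.221.96.0/22 would actually cover, and matches alerts against a recorded freeze time. The function names, the 5-second window and the freeze timestamp you pass in are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Alert rows as pasted in the thread (INTERNALIP is the poster's own redaction).
ALERTS = """\
Trojan A Network Trojan was Detected High United Kingdom 137.221.103.31 : 3724 INTERNALIP : 64721 12/17/2020 09:14:43 PM
Trojan A Network Trojan was Detected High United Kingdom 137.221.96.37 : 3724 INTERNALIP : 49815 12/17/2020 10:13:48 PM
Trojan A Network Trojan was Detected High United Kingdom 137.221.99.152 : 3724 INTERNALIP : 49217 12/19/2020 01:07:19 PM
24.105.33.197 : 3724 INTERNALIP : 61887 12/20/2020 10:16:49 PM
"""

ROW = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) : (?P<sport>\d+) "
    r"(?P<dst>\S+) : (?P<dport>\d+) "
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)"
)

def parse_alerts(text):
    """Return one dict per alert row; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            rows.append({
                "src": ipaddress.ip_address(m["src"]),
                "sport": int(m["sport"]),
                "dport": int(m["dport"]),
                "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            })
    return rows

def coverage(rows, cidr):
    """Split alert sources into those inside and outside a candidate range."""
    net = ipaddress.ip_network(cidr)
    inside = [str(r["src"]) for r in rows if r["src"] in net]
    outside = [str(r["src"]) for r in rows if r["src"] not in net]
    return inside, outside

def correlated(rows, freeze_time, window_s=5):
    """Alerts within window_s seconds of a freeze time the user noted (assumed input)."""
    return [r for r in rows if abs((r["ts"] - freeze_time).total_seconds()) <= window_s]

if __name__ == "__main__":
    rows = parse_alerts(ALERTS)
    print("covered / not covered:", coverage(rows, "137.221.96.0/22"))
    print("source ports seen:", {r["sport"] for r in rows})
```

Every row shares source port 3724, so a suppression scoped to the one signature and that port is narrower than exempting whole address ranges from IPS.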

I have been attempting to catch it but have not seen the issue yet tonight. As in I have not dc’d yet tonight… still trying to catch it. Hopefully we can both confirm it.

Knoest is probably tired of getting update notices for this thread, but I wanted to add a comment just in case we get a blue reading this.

While I can only be certain that this is happening on Ubiquiti hardware, it is reasonable to infer that this will be happening on any high-end home networking equipment and virtually all corporate equipment that support DPI and IPS signature detection. In short, this may be impacting a large number of users.

I’ve seen DPI screw up perfectly clean SMTP traffic because it thought an image in the footer (that had been in there for over a year) was now malicious due to signature matching - giant pain in the you know where because the rule was set to silently drop (which is ultra stupid in a commercial environment).

Can you report the false positive to the vendor?

It was reported in the Ubiquiti thread I linked. In looking into it further it seems to me that blizz might be initiating a connection remotely to ‘push’ certain data, triggered from your active connection. If I’m not mistaken, that is bad practice and not too shocking it matches a malicious signature – just like any RAT or reverse shell. I’m not too sure what Ubiquiti or other vendors could do other than exclude the WoW protocol. It also seems like blizz is aware of the problem, but is blaming firewalls generally (“transfer aborted: instance not found” in Shadowlands - #4 by Illìdàn-barthilas)