jiminlogansquare
Posted September 25

For a long time now, my Netgear Armor monitoring and protection service has been sending me, sometimes multiple times in a day, notifications of attempted unauthorized connections to my network via one of my audio devices (see a recent example below). To date, I have simply accepted the assurance of Netgear Armor that the attempted connections were blocked, and I also have seen no evidence of malfeasance on my other networked computers. But ... Does anyone have insight into the potential source, nature, purpose, and level of concern associated with these (blocked) intrusions? Should I be concerned?

Miska
Posted September 25

IP seems to be in Hong Kong. Depending on type of your Firewall/NAT, could be a simple scan attempt to traverse a simple NAT to see if anything accessible is behind. It is typical to see some thousands of various attempts per hour on a firewall these days. Could be also related to some normal functionality in the device, depending on what services you have running on your sonicTransporter. I have a server in Hong Kong too, but the connections are never inbound.

Signalyst - Developer of HQPlayer
Pulse & Fidelity - Software Defined Amplifiers

The Computer Audiophile
Posted September 25

Looks like France to me. Qobuz?

Founder of Audiophile Style | My Audio Systems

The Computer Audiophile
Posted September 25

Some info on AbuseIP

https://www.abuseipdb.com/check/91.238.181.35

The Computer Audiophile
Posted September 25

@agillis any idea?

jiminlogansquare
Posted September 25

Thanks. I get hundreds of these from different IP addresses. A typical pattern is that an address will try to access the network three or four times over a period of hours, then stop and not come back. But I haven't kept records. Netgear messages to me essentially have resulted in my having a lengthy log of past hits, if anyone is interested in taking a look.

(FYI, I got a few similar hits on another networked device, my dog's television, but I assume all anybody got from that was noting that my dog really likes NCAA volleyball and Olympic gymnastics.)

The Computer Audiophile
Posted September 25

1 minute ago, jiminlogansquare said:
> Thanks. I get hundreds of these from different IP addresses. A typical pattern is that an address will try to access the network three or four times over a period of hours, then stop and not come back. But I haven't kept records. Netgear does have a log of past hits, if anyone is interested in taking a look.

Do you have TailScale installed on your sonicTransporter?

jiminlogansquare
Posted September 25

1 minute ago, The Computer Audiophile said:
> Do you have TailScale installed on your sonicTransporter?

Nope; see below

jiminlogansquare
Posted September 25

25 minutes ago, Miska said:
> IP seems to be in Hong Kong. Depending on type of your Firewall/NAT, could be a simple scan attempt to traverse a simple NAT to see if anything accessible is behind. It is typical to see some thousands of various attempts per hour on a firewall these days. Could be also related to some normal functionality in the device, depending on what services you have running on your sonicTransporter. I have a server in Hong Kong too, but the connections are never inbound.

@Miska, FWIW, one of the services running on my SonicTransporter is HQPlayer.

Miska
Posted September 26

29 minutes ago, jiminlogansquare said:
> @Miska, FWIW, one of the services running on my SonicTransporter is HQPlayer.

That IP is not mine though. And I'm not doing any inbound connections in general. Could be related to Roon, if you have ARC or similar active. Since point of Roon ARC is to provide inbound connections.

Miska
Posted September 26

43 minutes ago, The Computer Audiophile said:
> Looks like France to me. Qobuz?

At least not according to whois data:

    % IANA WHOIS server
    % for more information on IANA, visit http://www.iana.org
    % This query returned 1 object

    refer: whois.ripe.net

    inetnum: 91.0.0.0 - 91.255.255.255
    organisation: RIPE NCC
    status: ALLOCATED

    whois: whois.ripe.net

    changed: 2005-06
    source: IANA

    # whois.ripe.net

    inetnum: 91.238.181.0 - 91.238.181.255
    netname: ONEHOST-NET
    org: ORG-BL352-RIPE
    descr: VDS&VPN services
    country: MQ
    admin-c: OHNO1-RIPE
    tech-c: OHNO1-RIPE
    status: ASSIGNED PA
    mnt-by: oneibchosting-mnt
    created: 2023-03-22T15:42:17Z
    last-modified: 2023-03-22T15:42:41Z
    source: RIPE

    organisation: ORG-BL352-RIPE
    org-name: ThinkTech Technology Industrial CO. Limited
    org-type: OTHER
    address: International Business Center
    address: Suite 811 Tsimshatsui Centre, East Wing, 66 Mody Road,, Tsimshatsui East, Kowloon,
    address: Hong Kong
    mnt-ref: lir-de-l7networks-gmbh-1-MNT
    admin-c: OHNO1-RIPE
    tech-c: OHNO1-RIPE
    abuse-c: ACRO20486-RIPE
    mnt-ref: oneibchosting-mnt
    mnt-by: oneibchosting-mnt
    created: 2018-11-22T09:53:57Z
    last-modified: 2022-07-08T07:30:43Z
    source: RIPE # Filtered

    role: One Host Network Operation Centre
    address: Suite 819 Tsimshatsui Centre, East Wing, 66 Mody Road,, Tsimshatsui East, Kowloon,
    address: Hong Kong
    admin-c: DC19574-RIPE
    tech-c: DC19574-RIPE
    abuse-mailbox: [email protected]
    nic-hdl: OHNO1-RIPE
    mnt-by: oneibchosting-mnt
    created: 2018-11-22T10:10:27Z
    last-modified: 2018-11-22T21:38:15Z
    source: RIPE # Filtered

    % Information related to '91.238.181.0/24AS49434'

    route: 91.238.181.0/24
    descr: For all network issues please contact: [email protected]
    origin: AS49434
    mnt-by: oneibchosting-mnt
    created: 2023-03-09T15:35:45Z
    last-modified: 2023-04-13T05:16:42Z
    source: RIPE

    % This query was served by the RIPE Database Query Service version 1.114 (BUSA)
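
The whois output quoted in the post above carries more than one location hint: the inetnum object's `country:` attribute is MQ (the ISO 3166 code for Martinique), while the organisation's address is in Hong Kong. As an added example that is not part of the thread, this Python sketch parses an abridged copy of that output and lists the hints side by side; the function and constant names are illustrative.

```python
# Added example, not code from the thread. SAMPLE is an abridged copy of the
# whois output quoted above, re-split to one attribute per line.
SAMPLE = """\
% Abridged from the RIPE whois output quoted in the post above
inetnum: 91.238.181.0 - 91.238.181.255
netname: ONEHOST-NET
country: MQ

organisation: ORG-BL352-RIPE
org-name: ThinkTech Technology Industrial CO. Limited
address: International Business Center
address: Hong Kong

route: 91.238.181.0/24
origin: AS49434
"""

def parse_rpsl(text):
    """Split whois text into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the current object
            if current:
                objects.append(current)
                current = []
        elif line[0] not in "%#" and ":" in line:   # skip server comments
            key, value = line.split(":", 1)
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

# (object type, attribute) pairs that say something about location or owner
WANTED = {("inetnum", "country"), ("organisation", "org-name"),
          ("organisation", "address"), ("route", "origin")}

def location_hints(objects):
    """Collect the wanted attributes, keyed as 'objecttype.attribute'."""
    hints = {}
    for obj in objects:
        kind = obj[0][0]                  # first attribute names the object type
        for key, value in obj:
            if (kind, key) in WANTED:
                hints.setdefault(f"{kind}.{key}", []).append(value)
    return hints

if __name__ == "__main__":
    for name, values in location_hints(parse_rpsl(SAMPLE)).items():
        print(f"{name:26} {values}")
```
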

jiminlogansquare
Posted September 26

15 minutes ago, Miska said:
> That IP is not mine though. And I'm not doing any inbound connections in general. Could be related to Roon, if you have ARC or similar active.

I don't actually use ARC, so will remove the app from my phone and see what happens.

agillis
Posted September 26

Yes it does look like something is attacking your sonicTransporter. Probably a compromised machine at that IP address. I also get 100s of attacks on my network here every day. This is why we have good firewalls!

agillis
Small Green Computer
http://www.smallgreencomputer.com/

jiminlogansquare
Posted September 26

3 hours ago, agillis said:
> Yes it does look like something is attacking your sonicTransporter. Probably a compromised machine at that IP address. I also get 100s of attacks on my network here every day. This is why we have good firewalls!

Thanks, and you said it re: firewalls! FYI, below is how my firewall characterizes the "miscellaneous vulnerability" on my sonicTransporter that it is blocking from attacks.

Also, since I removed ARC from all my devices yesterday, I have seen no attacks reported. Fingers crossed; I haven't gone over 24 hours in the past six months without at least one documented attack. Will report back my observations.