Skynet Outbound blocks

BeachGuy

Senior Member
I have 47 outbound blocks from my router (Skynet reports my router's WAN IP) to IP 91.212.166.118. When I click on the link in Skynet it brings me to AlienVault and says Great Britain and Northern Ireland. When I click on "whois" it says Russia. I'm not sure how to interpret the data on those websites but am concerned the router is sending anything out that's blocked. Where/why would the router be sending this from? I use unbound, diversion and skynet. What should I do?

P.S.
I do have the TOR browser and have used that a couple of times today. Could that be it?



firewall stats search ip 91.212.166.118
#############################################################################################################
# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS #
# 02/07/2024 - v7.6.1 #
#############################################################################################################


=============================================================================================================


Logging Data Detected in /tmp/mnt/ROUTER/skynet/skynet.log - 4.5M
Monitoring From Jul 18 21:00:09 To Jul 20 04:48:58
16496 Block Events Detected
2970 Unique IPs
0 Manual Bans Issued

91.212.166.118 is NOT in set Skynet-Whitelist.
91.212.166.118 is NOT in set Skynet-Blacklist.
Warning: 91.212.166.118 is in set Skynet-BlockedRanges.

BlockedRanges Reason;

91.212.166.0/24 "BanMalware: et_block.netset"

IP Location - Russia (Proton66 OOO / AS198953)

91.212.166.118 First Tracked On Jul 19 13:30:00
91.212.166.118 Last Tracked On Jul 19 13:30:01
47 Blocks Total

Event Log Entries From 91.212.166.118;

First Block Tracked From 91.212.166.118;
Jul 19 13:30:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=24500 PROTO=UDP SPT=34994 DPT=53 LEN=54

10 Most Recent Blocks From 91.212.166.118;
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24858 PROTO=UDP SPT=41049 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24864 PROTO=UDP SPT=60967 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24876 PROTO=UDP SPT=37636 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24883 PROTO=UDP SPT=20023 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24892 PROTO=UDP SPT=36667 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24899 PROTO=UDP SPT=12063 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24902 PROTO=UDP SPT=30030 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24913 PROTO=UDP SPT=52516 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24919 PROTO=UDP SPT=45708 DPT=53 LEN=58
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=WAN IP DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24931 PROTO=UDP SPT=22682 DPT=53 LEN=58


Top 10 Targeted Ports From 91.212.166.118 (Inbound);


-------- | -------- | --------------
| Hits | | | Port | | | SpeedGuide |
-------- | -------- | --------------

--*

Top 10 Sourced Ports From 91.212.166.118 (Inbound);


-------- | -------- | --------------
| Hits | | | Port | | | SpeedGuide |
-------- | -------- | --------------

*--


=============================================================================================================


[#] 33459 IPs (+0) -- 2848 Ranges Banned (+0) || 16450 Inbound -- 47 Outbound Connections Blocked! [stats] [17s]
 
I just ran TOR browser again and the number of outbound blocks didn't change leading me to believe it's not the TOR browser.
 
Added country codes and now have 574 outbound blocks. When I look at top 10 devices, it shows coming from router (used as DNS as well via unbound). Is there a way to determine which of my connected devices is pinging these countries or is this just "normal" and Skynet is doing its job? Has me freaking out a little as I never saw this until I added country block. I have Hisense, TCL and Roku devices/TVs, as well as Samsung phones and Apple iPads.


Last 10 Unique Connections Blocked (Outbound)
36.110.107.41 | * | China | *
1.203.163.77 | * | China | *
185.126.112.98 | Country: ru cn kp ir ng vn br in pk ua by tr | Ukraine | *
89.40.214.141 | Country: ru cn kp ir ng vn br in pk ua by tr | Romania | *
40.73.198.7 | * | China | *
40.73.192.7 | * | China | *
40.73.194.7 | * | China | *
40.73.196.7 | * | China | *
203.119.28.1 | * | China | *
202.112.0.44 | Country: ru cn kp ir ng vn br in pk ua by tr | China | *

 
Ok thanks Colin. So no worries? Should I remove blocks and allow?

I removed blocks as it seems to be blocking some Google stuff I use.
 
I can't tell you whether you should be worried or not. I know nothing about how you have your network set up, what devices you own or even what country you're in. You'll have to use your own judgement based on your particular situation.
 
USA. I mentioned devices above. Network setup is in my signature.
 
Sorry, I can't begin to guess what's happening on your network. If I were you I'd either do some packet capture or systematically turn devices off (e.g. the Hisense TV) and see what traffic stops.
 
OK, thanks anyway. I guess I was hoping somebody could opine on the specific IPs in my post. Tech9 had mentioned in another post to be careful blocking countries as NTP servers and others could be hosted there. I've unblocked countries now anyway as it seems to be blocking services my devices use. I sure would like to block bad actor countries though, but it seems it's not as easy as that.
 
The Skynet logs will tell you what is being blocked from which device.
 
Thanks, do you have a specific command/syntax? I grepped "OUTBOUND" and it just shows my public IP (router) as I use unbound as my DNS. There are no specific devices.
 
Then it’s unbound being blocked if the destination port is 53.
 
Unbound does random port now (used to be port 53). But yes it's resolving DNS for my devices apparently to some of these countries (China).
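
The attribution question from the last replies, as an added example (not part of the thread and not Skynet's own code): a shell function that groups `[BLOCKED - OUTBOUND]` lines by origin, source, destination and port. It relies on the netfilter log convention that an empty `IN=` marks a packet generated on the router itself; the sample log lines, the 203.0.113.10 WAN address and the `br0` LAN entry are constructed.

```shell
#!/bin/sh
# Added example: summarise Skynet "[BLOCKED - OUTBOUND]" log lines.
# Reads log text on stdin and prints "count origin src dst proto/dpt",
# most frequent first.
summarize_outbound() {
    awk '
    /\[BLOCKED - OUTBOUND\]/ {
        in_if = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)    in_if = substr($i, 4)
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        # Empty IN= : generated on the router itself (e.g. a local resolver).
        # Non-empty IN= : forwarded from a LAN client, so SRC is that device.
        origin = (in_if == "") ? "router" : "lan"
        if (origin == "router" && dpt == "53") origin = "router-dns"
        count[origin " " src " " dst " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input in the log format shown in the first post.
# 203.0.113.10 stands in for the WAN IP; the br0 and INBOUND lines are invented.
sample_log() {
    cat <<'EOF'
Jul 19 13:30:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.10 DST=91.212.166.118 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=24500 PROTO=UDP SPT=34994 DPT=53 LEN=54
Jul 19 13:30:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=203.0.113.10 DST=91.212.166.118 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=24858 PROTO=UDP SPT=41049 DPT=53 LEN=58
Jul 19 13:31:05 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1201 PROTO=TCP SPT=51544 DPT=443
Jul 19 13:31:10 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=50000 DPT=23
EOF
}

sample_log | summarize_outbound
```

On the router the same function can be fed the log path shown in the output above, `summarize_outbound < /tmp/mnt/ROUTER/skynet/skynet.log`. Rows tagged `router-dns` are the resolver's own queries, so tying them to a LAN client needs the resolver's query log rather than the firewall log.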
 
