
Skynet Skynet keeps failing to start


Skynet is working!! Thank you guys for helping me diagnose! With your updated list @SomeWhereOverTheRainBow , I see a couple outbound IP blocks. Investigating one, it appears to be a Netflix IP, but also has a 100% fraud score. Very curious? Wonder how a netflix-owned IP has such a bad reputation for being malicious. I'd understand if it was an ad-serving IP on an ad-blocking list, but this is showing up as proxy/vpn/tor/abuse/bot activity.

 

Absolutely... so I can tell you the reason for your RAM consumption... Adguardhome is notorious for gobbling up as much as it possibly can because it's just a very RAM-intensive application. And our routers don't have much capacity. But nothing to worry about, because this all looks normal. ;)

That netflix hit is probably just a false positive. If it prohibits your ability to watch netflix, I'd just add these IPs to your whitelist...
 
Yeah once I ran top I could tell it was probably AdGuard. Isn't there a way to limit its RAM usage? I need a router with 2-4 GB RAM lol
 
I've been asking for Asus routers with more than 1 or 2 GB of RAM for a decade.

Coming soon...
 
With a soldering gun, anything is possible. :p
 
For starters, I can already tell you adguardhome is utilizing most of your memory, followed by unbound. Without those two scripts, your router would probably teeter around 72 to 79% memory usage. But remember, what is the point in having memory that is never used? If it is not causing your router to crash and you are making adequate use of your swap when necessary, you should be fine.
 
You will find that there is a lot of overlap between domain blocklists and IP blocklists, particularly when it concerns bots, abuse, trackers. In general, if it poses a privacy concern, there is a possibility the IP will wind up in one of the commonly sourced IP blocklists. This is particularly true when you consider to whom it may present a privacy concern... This could have easily wound up on a blocklist by users who are accessing Netflix from a different geographical region trying to escape their own geographical restrictions. Maybe these "bots" are gathering information that individuals would not otherwise want to be sent back to Netflix. Who knows, I am no expert on this matter. I am just as skeptical as you are when something like this shows up in a blocklist, but if it does not break my usage, I assume it is for the better good to be blocked.
 
@jorgsmash if you find you must whitelist anything for netflix,

this page has a good source of information


or you could consider using my highly truncated whitelist.


@Adamm just published the new v7.4.0,
I recommend updating to that version first as it fixes an issue with the subnet blocks.
Here is how to import the whitelist.

Code:
firewall import whitelist https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/allowv4.feed AllowList
 
Updating now! I'll definitely use your whitelist, as I hate when trying to access something and realizing it's being blocked when it shouldn't be! It's usually the last thing on my mind so it can take a while to diagnose/fix! Thanks so much for the help on this and for providing the links and commands! If you're bored, go check out my latest post about problems with YazFi lol.
 
How many IPs are in your whitelist? How are you sourcing all of these? Are there checks to make sure IPs aren't on both black/white lists? Does one take precedence over the other in the event they are on both?
 
That is a lot of questions, but the list of IPs is generated from a known list of false positives. No, there is no pre-removal from the block list since it covers ranges more than single IP addresses; however, it does take precedence over entries in the Skynet blacklist if loaded as a part of the Skynet whitelist.
 
Just FYI, couldn't get to virustotal.com after implementing your blacklist and whitelist. Checking the firewall logs I was able to find the IP, 74.125.34.46, and whitelist it. Was able to get to it after that.

Thanks!
 
Yep, probably on one of the lists used in the compiling. Obviously, the IPs are just a compilation of other users' IP blocklists that have been condensed for ease of usage in Skynet. You may have to whitelist occasionally.
 
Just tried to hop on a Teams call for work and Teams wouldn't load. I haven't had an issue the past week, just today. I hopped into the Skynet logs and found my work computer trying to reach out to 52.113.194.132, which was being blocked. That's a Microsoft IP. So I had to whitelist it. Would you mind telling me how I can revert back to the stock blocklist, or point me to a less aggressive, yet still better than stock blocklist?

I work from home so diagnosing these issues can impact my ability to work.

Thanks!
 
I don't think it is a problem with the blocklist. It is an issue with the CDN whitelisting not always downloading properly for Microsoft endpoints. It doesn't matter what list you use since the CDN whitelisting is not 100 percent working properly. I opened a pull request for @Adamm which should solve the issue.
 
Code:
firewall banmalware reset
That is the default method to switch back to the default lists, though I suspect if the cdn whitelists are not fully downloading 100 percent, then it won't really matter much because apparently these entries may be present in the default lists as well. The curl on the Microsoft endpoints cdn does not always return an output, and sometimes causes whitelisting to hang indefinitely as experienced by other users in this thread.
 
@jorgsmash

Here is my investigative work....

If your CDN whitelisting had properly loaded in from skynet, you would not have had to whitelist the teams IP address.

Code:
{ printf "AS714\nAS12222\nAS16625\nAS33438\nAS20446\nAS54113\nAS36459" | xargs -I {} sh -c 'curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://asn.ipinfo.app/api/text/list/{} | awk -v asn={} '\''/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: %s\"\n", $1, asn }'\'''
curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://www.cloudflare.com/ips-v4 | awk '/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: CloudFlare\"\n", $1 }'
curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://ip-ranges.amazonaws.com/ip-ranges.json | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Amazon\"\n", RT }'
curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://api.github.com/meta | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Github\"\n", RT }'
curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://endpoints.office.com/endpoints/worldwide?clientrequestid="$(awk '{printf "%s", $1}' /proc/sys/kernel/random/uuid)" | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Microsoft365\"\n", RT }'; wait; } 2>/dev/null | awk '!x[$0]++' | grep -E '.*[[:space:]]52.*CDN-Whitelist:.*Microsoft365.*'
add Skynet-Whitelist 52.96.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.100.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.238.78.88/32 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.112.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.122.0.0/15 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.238.119.141/32 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.244.160.207/32 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.104.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.108.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.244.37.168/32 comment "CDN-Whitelist: Microsoft365"

add Skynet-Whitelist 52.112.0.0/14 comment "CDN-Whitelist: Microsoft365"
would have covered the 52.113.194.132 IP.



I am using the version of Skynet for which I have submitted a pull request for the CDN whitelisting issue.

Here is my ping test from a client on my network.
Code:
ping 52.113.194.132
PING 52.113.194.132 (52.113.194.132): 56 data bytes
64 bytes from 52.113.194.132: seq=0 ttl=118 time=22.885 ms
64 bytes from 52.113.194.132: seq=1 ttl=118 time=22.747 ms
64 bytes from 52.113.194.132: seq=2 ttl=118 time=23.672 ms
64 bytes from 52.113.194.132: seq=3 ttl=118 time=22.091 ms
64 bytes from 52.113.194.132: seq=4 ttl=118 time=19.494 ms
64 bytes from 52.113.194.132: seq=5 ttl=118 time=22.420 ms
64 bytes from 52.113.194.132: seq=6 ttl=118 time=23.725 ms
64 bytes from 52.113.194.132: seq=7 ttl=118 time=19.866 ms
64 bytes from 52.113.194.132: seq=8 ttl=118 time=22.166 ms
^C
--- 52.113.194.132 ping statistics ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 19.494/22.118/23.725 ms

And here are the entries present from my patched skynet.

Code:
RT-AX88U_Pro-29B8:/tmp/home/root# ipset list | grep -E '^52.*CDN-Whitelist:.*Microsoft365.*'
52.244.160.207 comment "CDN-Whitelist: Microsoft365"
52.100.0.0/14 comment "CDN-Whitelist: Microsoft365"
52.108.0.0/14 comment "CDN-Whitelist: Microsoft365"
52.238.119.141 comment "CDN-Whitelist: Microsoft365"
52.122.0.0/15 comment "CDN-Whitelist: Microsoft365"
52.96.0.0/14 comment "CDN-Whitelist: Microsoft365"
52.244.37.168 comment "CDN-Whitelist: Microsoft365"
52.104.0.0/14 comment "CDN-Whitelist: Microsoft365"
52.238.78.88 comment "CDN-Whitelist: Microsoft365"
52.112.0.0/14 comment "CDN-Whitelist: Microsoft365"

This is the pull request I have open

As you can tell, I discovered this issue three days ago by coincidence. I noticed the number of CDN-Whitelisting entries would greatly vary between list processing runs done by Skynet. It took a little investigative work, but it turns out that a couple of the curl commands would hang indefinitely, producing no output, until the connection closed, resulting in numerous missing CDN whitelist entries (the Microsoft365 list was the main culprit). This is when I made the connection to whitelist processing hangs reported to @thelonelycoder during diversion/skynet shared lists processing.
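
The two checks made in the post above (does a whitelist range cover the blocked IP, and did a CDN source come back empty) can be run offline against the generated lines. This is an added example, not Skynet's code and not from the original posts; `covering_entries` and `missing_sources` are hypothetical helper names, and the sample is a constructed subset of the output quoted above.

```shell
#!/bin/sh
# Added example; not Skynet's code. Helper names are hypothetical.
# Constructed sample: a subset of the restore lines quoted in the post above.
SAMPLE='add Skynet-Whitelist 52.96.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.238.78.88/32 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.112.0.0/14 comment "CDN-Whitelist: Microsoft365"
add Skynet-Whitelist 52.122.0.0/15 comment "CDN-Whitelist: Microsoft365"'

# covering_entries IP: read restore lines ("add <set> <cidr> ...") or
# "ipset list" member lines ("<cidr> comment ...") on stdin and print each
# entry whose range contains IP. Exit 0 if covered, 1 if not, 2 on a bad IP.
covering_entries() {
    awk -v ip="$1" '
    function ip2int(s,  o, i) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(s, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] > 255) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { target = ip2int(ip); if (target < 0) { bad = 1; exit } }
    {
        cidr = ($1 == "add") ? $3 : $1
        n = split(cidr, c, "/")
        net = ip2int(c[1])
        bits = (n == 2) ? c[2] + 0 : 32   # ipset lists hosts without /32
        if (net < 0 || bits > 32) next
        size = 2 ^ (32 - bits)            # number of addresses in the block
        if (int(target / size) == int(net / size)) { print; found = 1 }
    }
    END { if (bad) exit 2; exit (found ? 0 : 1) }'
}

# missing_sources LABEL...: read the same lines on stdin and print every
# expected "CDN-Whitelist: LABEL" that has no entries at all, which is what
# a fetch that hung or returned nothing leaves behind. Exit 1 if any missing.
missing_sources() {
    lines=$(cat)
    rc=0
    for src in "$@"; do
        if ! printf '%s\n' "$lines" | grep -qF "CDN-Whitelist: $src\""; then
            printf '%s\n' "$src"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | covering_entries 52.113.194.132
printf '%s\n' "$SAMPLE" | missing_sources Microsoft365 CloudFlare || true
```

On a router, the same functions can be fed from `ipset list Skynet-Whitelist` instead of the sample, with the blocked address taken from the firewall log.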
 