ARC port getting smacked about

Well I guess its inevitable but Unifi is reporting the arc port as being probed daily from all around the world, it might be innocent idk. Hong Kong, Russia, Nikaragua. I know this is the reality of it, but still other open ports I have are not getting this attention.

I don’t suppose changing the port well away from the default will have any effect but all in all I just don’t trust it so am switching it off for now. I realise this is foolish, but still not enough benefit for perceived risk because until ARK I had no security detections on my system, YMMV.

Port 55000 is a known port used by malware. That might explain it getting probed often.

…and refused connection, so what’s the issue? Moreover, you can change the port to another high number.

1 Like

I explained my rationale was poor. No need to be defensive, I know how it works. The fact is I have three ports open, plex, minecraft for the kids and Arc. its only arc getting probed.

I’ll change the port and see what that does.

Change your port. New software will always get hit. As another poster pointed out, 55000 is already a target.

However, your not being foolish or paranoid. If it’s open it will get probed and if an exploit exists it will be exploited.

Not refused. ARC Service will allow for a connection. That’s how the service works.

Maybe there’s just a mixup in terminology. It will pass through the router via port forwarding to the Roon Core but - vulnerabilities aside with the actual roon service on that port - will presumably be rejected by that service if it’s not properly authenticated.

Yes, terminology is probably getting us here but, sorry for being a bit pedantic in my response…

With the way ARC works there is, basically, a web server which listens for incoming connections. When port forwarding is enabled then it is listening for a connection from anywhere (unless the user has done something to limit the inbound scope). This connection, called a TCP socket, will establish which allows the “client” to fire requests or garbage at the ARC server.

Now, these rouge requests or garbage is how services get exploited. You don’t need to be authenticated to send “garbage”. And, if ARC service is vulnerable, then it’s this garbage that gives way to access and an exploit.

Your normal “script kiddy” will be shutdown pretty quickly as the service won’t normally do anything before authentication which is great. But never 100% means there isn’t an exploit waiting to be found.

Using the right terminology helps to describe more accurately what is going on. I’m all for it.

This should be a sticky :slight_smile:

My intention isn’t to scare people away from using ARC. I know Roon Labs spent a lot of time looking and testing this. I’m not expecting a vulnerability. If this became some rallying cry to turn off ARC I’d be very upset with myself :slight_smile:

But… some people like to know details so glad you found value in it and understood my intention for writing it.

Full disclosure: I don’t open the port. I have a VPN into my network which then gives me access to ARC. The VPN technology and software I use has millions of users. It’s the type of thing where, if a vulnerability was to be exploited, it’d make the news. This means the team behind preventing that is significantly well resourced.


That is very interesting.

Would you be willing to explain how you have set this up?

Aidan Gaule

Overly complicated but in summary. My VPN termination is a virtual interface on a router that sits at the edge of my network. After authentication, the VPN allocates me an address within the network range of that interface. At that point, my device looks like any other connected device to that router. I can route / firewall traffic to any private area within the network as well as allow / deny access to any Internet egress on my network. I can modify these policies per login if needed. Again, overly complicated.

Here’s a much easier way:

Search Tailscale on the community. Lots of good success using this kind of VPN.

Let’s remember that this is a forum for music enthusiasts, not networking professionals.

Yes, a connection can be negotiated, as with any service, but ultimately, it will be refused (rejected, fail…) if authentication is unsuccessful. And of course, any service behind an open port is open to network scans, exploits, brute force etc., but this why some choose to trust others to handle these things…


Thanks very much