Internet threat detection on ROCK since Roon ARC

Hello,

In order to understand, please find below some info about my Roon implementation.

Roon Core Machine

Roon ROCK based on Intel NUC8i5BEK2 with 250 GB SSD for database
OS : Version 1.0 (build 254) production
ROCK version : Version 2.0 (build 1182) production
Roon ARC activated
Music library via SMB on SSD TrueNAS with 10Gbps interface

Networking Gear & Setup Details

Ubiquiti Unifi Network & WIFI

  • UDM Pro as router/firewall (provider modem in bridge mode)
  • 10 Gbps SFP+ Aggregation switch
  • Main 1Gbps PoE 48 port switch

Connected Audio Devices

Main room : NAD M27 (wired)
Apple MacBooks / Mac mini with USB DAC (wired)
Airplay domotics : Loxone (wired)
Sonos devices : One/OneSL (wifi)

Number of Tracks in Library

14 000 tracks

Description of Issue

Hello,

Since I activated Roon ARC (05 Nov 2022) based on V2.0, my firewall detected 89 intrusions pointed to my Roon Core server. I wonder if these accesses are legitimate ones from Roon cloud services (and so I can allow them) or if these are port-scanning bots that try to access it. If this is the case, I am a bit more worried about how these bots could find a listing of Roon Core home servers with ARC.


Please find here below a listing of detected IPs (only a part of it):

Could the Roon Cloud team check & inform us?

Thanks!!

If you open up a port to the internet, it is bound to get scanned and there will be many attempts to exploit that. I would only get worried if there’s a successful attempt (which wasn’t you).

Hello,

Networking is somewhat part of my IT job. So, yes, I know that open ports can be scanned.

Here, as ARC is connected to Roon Cloud services, these cloud services must act as a reverse proxy in order to redirect mobile clients towards the home server. So, I was wondering if these services have heartbeat check functions. This could be the reason why my firewall is detecting incoming data.

The purpose of my post is to know the properties of these cloud services so we can whitelist them and block any other incoming communications.

ARC on your mobile device directly connects to your Roon Core. It knows how to connect, because the core registers / reports its IP and port into Roon’s cloud infrastructure.

There is no connection established from the internet to your core (not even from Roon’s cloud infrastructure), besides the ARC client itself. So no, there is no reverse proxy thing going on here.

Unless you know the exact IP address of your ARC, which is the only thing you may want to allow, and it doesn’t change over time (very unlikely when you’re out and about), you can’t really whitelist anything.

Only thing you could do perhaps is block entire countries, regions or continents I suppose.
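
Added example, not part of the original thread and not Roon or Ubiquiti code: since the replies say the only legitimate inbound connection is the ARC client reaching the port the Core registered, firewall events can be triaged by destination port rather than by source address. The port number 50000, the event format and the sample addresses are assumptions constructed for this example.

```python
from collections import defaultdict

FORWARDED_PORT = 50000  # assumption: the single port forwarded to the Core for ARC

# Constructed events using documentation address ranges (not from the thread):
# (source "ip:port", destination port on the WAN address)
SAMPLE_EVENTS = [
    ("203.0.113.10:33648", 22),
    ("203.0.113.10:33644", 23),
    ("203.0.113.10:33636", 50000),
    ("198.51.100.7:51254", 50000),
    ("198.51.100.7:51260", 50000),
    ("192.0.2.55:64563", 445),
]


def triage(events, forwarded_port=FORWARDED_PORT):
    """Group events by source IP and label each source.

    'not-arc'      : touched at least one port other than the forwarded one,
                     so it is not only an ARC client connection.
    'undetermined' : touched only the forwarded port; the source address alone
                     cannot separate a roaming ARC client from a probe.
    """
    ports_by_ip = defaultdict(set)
    hits_by_ip = defaultdict(int)
    for source, dst_port in events:
        # The ephemeral source port changes per connection and is ignored.
        ip, _, _src_port = source.rpartition(":")
        ports_by_ip[ip].add(dst_port)
        hits_by_ip[ip] += 1

    report = {}
    for ip, ports in ports_by_ip.items():
        label = "undetermined" if ports == {forwarded_port} else "not-arc"
        report[ip] = {
            "hits": hits_by_ip[ip],
            "dst_ports": sorted(ports),
            "label": label,
        }
    return report


if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{ip:15} hits={row['hits']} ports={row['dst_ports']} -> {row['label']}")
```

Sources labelled `undetermined` are the ones worth checking against the Core's own connection history, because the firewall log cannot tell them apart by address.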