Roon network connections

Hello @support

Is the Roon Core intentionally connecting to 104.22.15.70 and 104.22.14.70, or may it be a hacking attack using Roon?

Regards

Hey @Lonek,

Thanks for getting in touch with Roon support - we’d love to help.

Could you please share a bit more context about this and how it is affecting your Roon setup? Some information on your Core, Audio devices and Network would be very helpful.

Thanks in advance :pray:

Hello,
When Roon Core is starting I turn on the preview of network communication (remote hosts and ports) and I check which servers Roon connects to. Most remote hosts look familiar (Amazon, Google etc.) but these two are suspicious. Do you know them?

Those are owned by Cloudflare.
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)

No clue who on their network though. Direct access to the IP is forbidden.

You don’t state if they are inbound or outbound.
I’d check your firewall logs for more details: destination ports etc.

It was OUTBOUND.
It looks scary - as if someone unauthorised gained access to Roon…
I’m waiting for @support explanations

Cloudflare runs thousands of sites.
Without knowing what protocol (port) or reading logs, you’ll never know what that request did. It could easily be a simple DNS request. Again, no port, no logs, no trail, no clue what traffic passed.

What application are you using to track IPs with? netstat? snort? lsof?

If it was outbound, your system did the dialing, which would mean the core OS has been exploited for nefarious reasons. I’m not very convinced that happened.

I’ve seen some weird things, so not ruling it out, but won’t be betting for it.

Hopefully you can gather logs and a trail for Roon support to follow, otherwise, they will have no clue what to tell you.
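Added example, not part of any post in this thread: one way to collect the details the reply above asks for (peer port, socket state, likely direction, address owner) for a single process, using the CLOUDFLARENET range from the whois output quoted earlier. The sample lines follow the `ss -tnp` column layout but are constructed; the process name `RoonServer`, the LAN addresses and the ephemeral port range are assumptions.

```python
import ipaddress
import re

# Range copied from the whois output quoted in the thread.
KNOWN_RANGES = {"CLOUDFLARENET": ipaddress.ip_network("104.16.0.0/12")}
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: Linux default ephemeral port range (net.ipv4.ip_local_port_range).
EPHEMERAL = range(32768, 61000)

# Constructed sample in the `ss -tnp` column layout (not data from the thread).
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 192.168.1.20:51514 104.22.15.70:443 users:(("RoonServer",pid=2211,fd=88))
ESTAB 0 0 192.168.1.20:51516 104.22.14.70:443 users:(("RoonServer",pid=2211,fd=91))
ESTAB 0 0 192.168.1.20:40022 192.168.1.35:9100 users:(("RoonServer",pid=2211,fd=93))
ESTAB 0 0 192.168.1.20:22 192.168.1.5:60110 users:(("sshd",pid=901,fd=4))
SYN-SENT 0 1 192.168.1.20:51600 203.0.113.9:8443 users:(("RoonServer",pid=2211,fd=95))
"""

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+'
    r'(?P<peer>\S+):(?P<pport>\d+)\s+users:\(\("(?P<proc>[^"]+)"'
)

def classify(ip):
    """Map a peer address to LAN, a known whois range, or 'unattributed'."""
    addr = ipaddress.ip_address(ip.strip("[]"))  # ss brackets IPv6 addresses
    if any(addr in net for net in LAN_RANGES):
        return "LAN"
    for name, net in KNOWN_RANGES.items():
        if addr in net:
            return name
    return "unattributed"

def summarize(ss_text, process):
    """Return (peer, peer_port, state, direction, owner) per socket of one process."""
    rows = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proc"] != process:
            continue
        # Heuristic: an ephemeral local port suggests this host opened the connection.
        direction = "outbound" if int(m["lport"]) in EPHEMERAL else "inbound-or-unknown"
        rows.append((m["peer"], int(m["pport"]), m["state"], direction, classify(m["peer"])))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_SS_OUTPUT, "RoonServer"):
        print(*row, sep="\t")
```

A range match only identifies the network operator; as noted above, Cloudflare fronts thousands of sites, so the port and the firewall or application logs are still needed to say what the connection was for.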

I understand your point of view, but I have been professionally dealing with the security of information systems for too long to ignore the establishment of a connection by Roon (exactly by Roon) especially with these IPs …
So I’m still waiting for @support - whether they know these addresses or not.
The whole incident is strictly documented (of course I will not publish it here!)

My apologies, I eagerly await seeing the resolution.

Hi @Lonek

Can you share the full log of what you’re seeing with us so we can take a closer look? This is likely nothing to worry about, but we can verify with some more information. If you don’t want to share this publicly, feel free to send it in a PM.

Hi @dylan
I’m sorry but no, because this could be evidence in a case against the operator of these IPs, so I cannot disclose it to third parties.
I omit the fact that the full log also contains sensitive information for the security of my system.

So all I ask of Roon support is to confirm or deny that any Roon app component intentionally connects to these IPs.

If Roon can’t do it, for technical or legal reasons - of course I understand it.
When my case is closed, I will notify Roon if there is any essential information concerning the eventual hacker interference with the Roon app.
Regards