Security Risk - IP Reputation Attacks

Roon Core Machine

Roon Nucleus

Networking Gear & Setup Details

Xfinity Wireless router to ASUS wireless router via Ethernet to Roon Nucleus via Ethernet.

Connected Audio Devices

Mola Mola Tambaqui via Ethernet.

Number of Tracks in Library

Description of Issue

Ever since installing Roon 2.0 and Arc when it was released, I’ve been receiving multiple alerts on a daily basis from my Xfinity router stating it has blocked a known malicious IP from accessing my device.

The IP locations have been from the US, UK, and Seychelles to name a few. I’ve include a screen capture for reference.

I did not receive these attack alerts prior to installing Roon 2.0 and Arc. Can someone please tell me what the updated Roon/Arc software did to open my Nucleus to this vulnerability?

Most importantly, what can I do to protect myself? Trying to locate support/tips on this forum has been fruitless.

Hello and welcome to the forum. Your question, and similar ones, have come up quite a bit. Allow me to summarize and link to some info:

The new Roon ARC feature in Roon 2.0 opened a port on your router and is forwarding it to your Nucleus. This is for access to your music from your phone when outside your home, using the Roon ARC app. As the port is open, it gets automated scans like every one of the billions of open ports on the internet. However, only the Roon ARC app can actually connect to the port.

About ARC:

About how Roon enables the access. In your case, as this happened automatically, your router has the UPnP service enabled. This informs devices like the Nucleus that they are allowed to open the ports they need:

Security discussion:

If you don’t want this, disable UPnP on your router.


From a security point, opening up a Port is a very bad idea. It is no where as common a practice as it was just 5 years ago because of this.

Like @Suedkiez has stated - As the port is open, it gets automated scans like every one of the billions of open ports on the internet.

Today most remote software no longer rely on a open port for this very reason.

The best way for this implementation would have been the Core and the Arc phoning home thru a secure connection to a Roon Labs Server. A tunnel would then be setup between the 3 without the need of any ports being opened.

Most remote software like LogMeIn operate like this. It is always in a secure tunnel and is very secure.
Then there are literately no open ports to be scanned for weakness and your network is secure.

Definitely disable UPnP.


From Google.

Open ports become dangerous when legitimate services are exploited through security vulnerabilities or malicious services are introduced to a system via malware or social engineering, cybercriminals can use these services in conjunction with open ports to gain unauthorized access to sensitive data.May 11, 2022


I don’t think we should rehash the existing security thread. All of this was discussed (and largely debunked) in the existing thread

It is what it is.


Will ARC still work with UPnP disabled?

Without UPnP yes, but all that UPnP does is allowing devices within your LAN to open ports they need. Without UPnP, you still have to open the port manually for ARC to work. So the end result is the same.

The risk of having UPnP enabled is negligible as it affects only devices on your LAN. If you have devices on your LAN that you don’t trust with that, you have far bigger problems than UPnP. Rogue devices/software don’t even need UPnP to do their malicious things after you allow them onto your LAN.

But again, all of this has already been discussed in far greater depth in the linked thread. If your concern is security, education on these things goes a long way, so I recommend the linked thread

Thank you very much for the reply and the links for me to do some research.

Be well.

You are very welcome. I totally understand that it can be scary if you get these scan reports and don’t know why because it all happened automatically. I hope this helped, and although the existing thread is long, it has many posts by Roon developers explaining things. And the best defense is knowledge.

It’s a bit funny too because since the release of ARC the forum was full of people looking for help to make it work - which often it didn’t for a myriad of reasons. For you it worked completely automatically as it was intended, and yet it still caused legitimate questions :slight_smile:

Enjoy your Roon on the go :slight_smile:

This topic was automatically closed 36 hours after the last reply. New replies are no longer allowed.