IPS/FW Signature hit

Hello!

I tried to interact with Twitter CS, but it went nowhere, as this was an eight-week effort to find out.

My friends, I, and it seems many others (judging by how competitive matches are going) are facing random disconnects while playing Overwatch. It seems this problem has existed for years?

I started investigating it and tried it with different ISPs and combinations, so what happens in a nutshell is that some ISPs who provide “secure” elements on your line, and ISPs who give you modems or routers with the FW enabled, will sometimes get an IPS signature hit when playing Overwatch and it will block the server.

It will allow you to join the in-game chat, but not rejoin the game to play heroes.

Talking with ISPs, it seems at least Suricata will give you that hit; the other ISP didn’t tell me what they are using, due to security reasons, but they told me that it’s not Suricata. They only told me that they had a signature hit at exactly the time I told them I had the disconnect.

I was talking with Vodafone and Telia, and both told me that they receive calls from customers about random disconnects, and that customers cannot join the game back until it ends; after further talking and investigation it seems to be about this.

I did some experimenting with a UniFi UXG and UDMP with IPS enabled, and yesterday I received this hit:

Threat Management Alert 1: Potential Corporate Privacy Violation. Signature ET P2P Edonkey Search Request (search by name). From: 172.18.6.127:65453, to: 5.42.170.87:26534, protocol: UDP

Behaviour was exactly the same: I was kicked out of the game, I can join chat but I cannot go back to the game, so I believe this is it?..

Is this something you can ask Suricata and the manufacturers to update or globally whitelist? Or update the game?

This happens extremely randomly; it might take from hours to days to weeks for people to face this disconnect from the game. And when it happens, people will likely face bans and endorsement level loss.

Hello Hyugafe!

We would recommend in this situation that players contact their device/ISP provider, so that their provider can correct their error at its source for all their customers’ services.

I have this exact issue: “ET P2P Edonkey Search Request”. I look in DPI/IPS in my UniFi and see the ASN is Blizzard Entertainment. This doesn’t seem like an ISP issue; it seems like the Ubiquiti Deep Packet Inspection / Firewall is causing this.

I have been trying to search if there is a way to whitelist the Blizzard IP subnet to stop the drops?


RESURRECTION!!!

This happens to me all the time. Not my ISP. DEF something on the Blizz end, but they will always default to “not my problem” vs actually investigating. My assumption is that there’s an exploit that they don’t know about or some config on their end, but it always happens in comp. NEVER in any other mode. Coincidence? Unlikely… 99% this is invoked and throws people off games. Stopped playing comp cuz it’s just a hot mess.

Hi,

Well, I just opened a ticket in this “ball park” with Blizzard to see if they could help me with the needed info.

In the meantime I have done some investigations on my own data and the different hosts that have hit the FW rule “ET P2P Edonkey Search Request (search by name)” and been denied.

You have several options depending on how much you would like to open up your network, but if I look at the data I have, I’m estimating that Blizzard’s servers reside on CIDR 5.42.160.0/19, and with that in mind you can set up a “signature suppression on that network” for the “Edonkey” rule.

After looking into this I found that the info about “Signature Suppression” reads like this:

Signature Suppression

The signature suppression function of the IPS engine allows a UniFi Administrator to mute the alerting on certain signatures. This will also disable blocking on traffic matching the designated suppression rule.

Adding a signature suppression rule with packet tracking based on traffic direction and by single IP, defined UniFi Network, or subnet of choice.

End citation

So I’m going to try that and see if that solves my issue and minimizes the “hole” I need to have in my FW. :)
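The estimate in the post above (the hit destinations all sit inside 5.42.160.0/19, so suppress the Edonkey signature for that subnet only) can be reproduced from the alert log rather than eyeballed. The script below is an added example, not code from the thread, from Ubiquiti or from Blizzard: it parses UniFi-style threat alerts shaped like the one posted earlier (the sample lines are constructed), keeps only the destinations hit by the Edonkey signature, computes the smallest CIDR that covers all of them, and prints a Suricata `threshold.config` `suppress` entry for it. The rule's `sig_id` is a placeholder, since the thread never gives the SID; look it up in the ET ruleset that the device actually loads before using the output.

```python
"""Derive a minimal suppression subnet from IPS alert lines.

Added example for the forum thread above; not code from the thread,
Ubiquiti or Blizzard. Alert lines and the signature id are constructed.
"""
import ipaddress
import re

# Constructed sample alerts, shaped like the UniFi alert quoted in the thread.
SAMPLE_ALERTS = [
    "Threat Management Alert 1: Potential Corporate Privacy Violation. "
    "Signature ET P2P Edonkey Search Request (search by name). "
    "From: 172.18.6.127:65453, to: 5.42.170.87:26534, protocol: UDP",
    "Threat Management Alert 1: Potential Corporate Privacy Violation. "
    "Signature ET P2P Edonkey Search Request (search by name). "
    "From: 172.18.6.127:53011, to: 5.42.165.10:26534, protocol: UDP",
    "Threat Management Alert 1: Potential Corporate Privacy Violation. "
    "Signature ET P2P Edonkey Search Request (search by name). "
    "From: 172.18.6.130:49170, to: 5.42.184.3:26534, protocol: UDP",
    # Unrelated constructed alert; must not influence the subnet estimate.
    "Threat Management Alert 2: Constructed Unrelated Category. "
    "Signature CONSTRUCTED Unrelated Test Rule. "
    "From: 203.0.113.9:4444, to: 172.18.6.127:22, protocol: TCP",
]

EDONKEY_SIGNATURE = "ET P2P Edonkey Search Request (search by name)"
PLACEHOLDER_SID = 2000000  # placeholder; the real SID is not given in the thread

ALERT_RE = re.compile(
    r"Signature (?P<sig>.+?)\. From: (?P<src>[\d.]+):\d+, "
    r"to: (?P<dst>[\d.]+):\d+, protocol: (?P<proto>\w+)"
)


def parse_alerts(lines):
    """Return a list of dicts (sig, src, dst, proto) for lines that match."""
    parsed = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            parsed.append(m.groupdict())
    return parsed


def destinations_for(lines, signature):
    """Destination addresses of all alerts that fired for one signature name."""
    return [
        ipaddress.ip_address(a["dst"])
        for a in parse_alerts(lines)
        if a["sig"] == signature
    ]


def covering_prefix(addresses):
    """Smallest single CIDR containing every address (IPv4 only)."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        raise ValueError("no addresses to cover")
    if any(a.version != 4 for a in addrs):
        raise ValueError("IPv4 addresses only")
    # Start from a host route and widen one bit at a time until all fit.
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def suppress_entry(net, sid, gid=1):
    """Suricata threshold.config line: mute `sid` only for traffic to `net`."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {net}"


def is_within(net, estimate_cidr):
    """True if the derived subnet fits inside a separately known estimate."""
    return net.subnet_of(ipaddress.ip_network(estimate_cidr))


if __name__ == "__main__":
    dsts = destinations_for(SAMPLE_ALERTS, EDONKEY_SIGNATURE)
    net = covering_prefix(dsts)
    print(f"{len(dsts)} Edonkey hits, covered by {net}")
    print("fits the poster's 5.42.160.0/19 estimate:", is_within(net, "5.42.160.0/19"))
    print(suppress_entry(net, PLACEHOLDER_SID))
```

With the three constructed destinations the covering prefix comes out as 5.42.160.0/19, the same subnet the post estimated; with only the first two hits it would be the narrower 5.42.160.0/20, which is the point of deriving it from data: the suppression should be no wider than the hosts that actually produced the alert. `track by_dst` keeps the signature active for every other destination, so the rule still fires on real eDonkey traffic elsewhere. Cross-check the derived prefix against the ASN shown in the DPI view (the earlier post saw Blizzard Entertainment) before trusting it.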