Zoom meeting blocked by "Threat Prevention" in router

mtiede
Listener

I have a Synology RT6600ax router with "Threat Prevention". When a SilverSneakers Zoom meeting is started on a Samsung Galaxy S10 Android phone, I get a LOT of events generated. There are 2 kinds of events:

1. SQL probe response overflow attempt (hundreds of these)

   I don't know why something for SQL should be sent to the phone. I presume this is a false positive. I allow this event to occur. If I don't, the video seems to "hang", probably due to the sheer volume of these events hitting the router and overloading the router. Do you think I am right in allowing this event?

2. Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)

   I presume this is getting confused because Zoom is doing a P2P protocol and is encrypting UDP packets.

   I only get one of these events and I believe it happens RIGHT after I allow the SQL events.

   I don't allow this P2P event and it doesn't seem to stop the meeting, but should I allow this one?

Thanks for any clarification on this.

Also, when using this on the phone, what ports and IP addresses are used?


Ray_Harwood
Community Champion | Customer

Hi, @mtiede.

I love my Synology RT6600ax! I'm on Zoom meetings all the time, and have never had an alert from the router relating to any Zoom meeting.

I'm assuming you've got the ax router at home and have configured it yourself, as opposed to something at a work site. There are settings you can use to block certain sites for youngsters at home, but the info you shared doesn't seem like it's related to that.

If you'd like to send me the meeting link via PM, I'll give it a try and see what happens on this end and let you know.


Ray - Need cost-effective Zoom Events Help? Visit Z-SPAN.com.
Please click Accept As Solution if this helped you !

Have you looked at the DS Router app on the phone and then gone to the Settings | Traffic Monitor | Applications? If so, have you ever seen traffic from Tor? I have and I don't know where that traffic is coming from and if it is legit or a hack.

Ray, are you using threat prevention? If so, and you go into the Self-defined Policy menu item and then look at the signatures and then "A Network Trojan was detected", what do you have for the action for "Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"? Is it "Do nothing"? I've changed most of the high and medium and some of the low to "Drop" instead of whatever the default is. If it is a risk, I want to disable it until I PROVE (as best I can) that it is not something to worry about, at least for the particular instance.

I hadn't answered your question as to whether this is at home self configured and Yes, and Yes. I'm a LONG time programmer (first code written in 1966) and not a beginner in software, but this is my first deep foray into routers thanks to Spectrum not updating my old modem/router (and my old router could ONLY be updated by the ISP).

mtiede
Listener

I have just been adding the events to "Do nothing". Today, just now, it didn't complain about the SQL or Conficker. I presume it accessed the same IP.

But I did still get a complaint about it using TLS1.0. I've added that to the "Do nothing" events.

Maybe I can get that link from my wife when she is done and I can send it to you. Although, it will probably be too late then because the SilverSneakers will be over.

I wonder if the problem is just with the SilverSneakers and not Zoom meetings in general.

How is your performance with Threat Prevention active? It looks like it is cutting mine down by about 10%. My ISP supplies 300Mbps download and even on ethernet I only get about 270Mbps. Before, when I was using my NetGear C7000v2 modem/router with no sort of Threat Prevention available, I was even getting up to about 350Mbps. On wifi, I'm only getting 86Mbps right now (don't know if wife's Zoom is taking away from that performance). But at its best the wifi is probably only getting around 200Mbps.

mtiede
Listener

It doesn't look like I can have you try it. Meeting is now over and can't be joined. You probably have to be a member of SilverSneakers to use it anyway.

Thanks for the offer.

I think these events may be unique to the SilverSneakers meetings.

mtiede
Listener

Each time the Zoom meeting is started, I get the ton of SQL complaints probably because a different IP is used every time. But once I'm past that, I still get "GPL SHELLCODE x86 setgid 0". The combination of looking for SQL and this shellcode which looks like it tries to get administrator makes me wonder about SilverSneakers and what is going on. Of course, if TP were off, I'd never know about these things and maybe everything is fine. Wish I knew for certain.
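The triage being done by hand in this thread (deciding whether a burst of Threat Prevention hits on an encrypted Zoom stream is a false positive) can be made more systematic. The script below is an added example, not code from the thread, from Synology or from Zoom. It parses a constructed alert log (the line format, the 203.0.113.10 / 192.168.1.20 addresses and the port numbers are made up for illustration and are not the RT6600ax export format), summarizes each signature by hit count, distinct remote source, time span and peak rate, and estimates how often a fixed byte pattern of a given length is expected to appear by pure chance in uniformly random payload, which is what encrypted media looks like to a content-matching rule. A signature whose hits all sit on the call's own flow, cluster at call start, and occur at roughly the rate the random-match estimate predicts is behaving like a content match against encrypted data rather than like an attack.

```python
"""Triage helper for IDS / "Threat Prevention" alerts raised during an encrypted call.

Added example; the log format, addresses and ports below are constructed and are
not the router's real export format. Adapt parse_alerts() to whatever your router
actually produces.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.10 is a documentation address standing in for
# the meeting server, 192.168.1.20 for the phone; the port numbers are made up.
SAMPLE_LOG = """\
2023-05-01 09:00:01 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:01 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:01 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:02 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:02 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:03 alert "SQL probe response overflow attempt" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:00:04 alert "Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)" 203.0.113.10:8801 -> 192.168.1.20:51234
2023-05-01 09:31:40 alert "GPL SHELLCODE x86 setgid 0" 203.0.113.10:8801 -> 192.168.1.20:51234
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "(?P<sig>[^"]+)" '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_alerts(text):
    """Parse the constructed log format into a list of dicts; reject lines it cannot read."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed alert line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Per signature: hit count, distinct remote sources, time span and peak hits per second."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a["sig"]].append(a)
    summary = {}
    for sig, rows in by_sig.items():
        per_second = defaultdict(int)
        for a in rows:
            per_second[a["ts"]] += 1  # timestamps carry one-second resolution
        first = min(a["ts"] for a in rows)
        last = max(a["ts"] for a in rows)
        summary[sig] = {
            "count": len(rows),
            "remote_ips": sorted({a["src"] for a in rows}),
            "span_seconds": int((last - first).total_seconds()),
            "peak_per_second": max(per_second.values()),
        }
    return summary


def expected_random_hits(pattern_len, payload_len, packets):
    """Expected number of chance occurrences of a fixed pattern_len-byte string across
    `packets` packets of `payload_len` uniformly random bytes. By linearity of
    expectation each of the payload_len - pattern_len + 1 positions matches with
    probability 256 ** -pattern_len; encrypted media payload behaves like random bytes."""
    if payload_len < pattern_len:
        return 0.0
    positions = payload_len - pattern_len + 1
    return packets * positions / 256 ** pattern_len


def on_single_remote(summary, sig, expected_remote):
    """True when every hit for `sig` came from the one remote endpoint the call is known to use."""
    return summary[sig]["remote_ips"] == [expected_remote]


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_LOG))
    for sig, stats in summary.items():
        print(f"{stats['count']:4d} hits  peak {stats['peak_per_second']}/s  "
              f"span {stats['span_seconds']}s  from {stats['remote_ips']}  {sig}")
    # One hour of a 1000 packet/s stream with 1200-byte payloads against a 4-byte
    # content pattern works out to about one accidental match per hour.
    print(expected_random_hits(4, 1200, 3_600_000))
```

The estimate assumes the rule is a plain content match of `pattern_len` bytes with no flow or offset constraints, which is true of many older GPL and ET rules but not all of them, so treat it as the most an encrypted stream can trigger by accident. Before setting a signature's action to "Do nothing", confirm with `on_single_remote` that every hit came from the meeting server's address and that nothing else on the LAN is producing the same signature.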