Velocity Reviews - Computer Hardware Reviews

Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

 
 
Alan
      04-06-2006
Hi All,

This is a follow up on an issue I posted on a while back:

http://groups.google.co.nz/group/nz....3ee16bd7e417bc

I still don't fully understand, so I am looking for a little more
education albeit from a stronger base of knowledge now hopefully!

I have (again) an unknown IP address being accessed from inside our
LAN serving up a significant amount of data.

This time, the IP is:

210.55.204.214

If I do a search on that IP in Domain Dossier
(http://centralops.net/co/DomainDossier.aspx) I get the following
extract:

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 187
Expires: Thu, 06 Apr 2006 21:46:18 GMT
Date: Thu, 06 Apr 2006 21:46:18 GMT
Connection: close

Specifically, we see that 'AkamaiGHost' server again.

From what I was told last time, this *could* be a server used by
Microsoft to distribute updates etc.

However, my ISA 2004 server also shows traffic to the following
servers in the same log:

download.microsoft.com
office.microsoft.com
www.download.windowsupdate.com
update.microsoft.com
au.download.windowsupdate.com

Therefore, I am now having concerns that the IP address above is *not*
a windows / office update site of some sort since they appear in my
logs with their canonical names, not just an IP address.


Am I being too paranoid here? If not, and I block access to the IP
address totally, could that have a negative impact on our machines in
terms of failing to get windows updates (or worse, not even being
aware that there are updates available that they cannot get)?

Could it be some other form of updates (Symantec virus definitions for
example)? If so, how can I tell for sure?

I don't want to block access to the site and find that it has
silently stuffed up something important that I don't find out about
for a few weeks.

Thanks,

Alan.
--

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:



This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb
muzz
      04-07-2006
Alan wrote:
> Hi All,
>
> This is a follow up on an issue I posted on a while back:
>
> http://groups.google.co.nz/group/nz....3ee16bd7e417bc
>
> I still don't fully understand, so I am looking for a little more
> education albeit from a stronger base of knowledge now hopefully!
>
> I have (again) an unknown IP address being accessed from inside our
> LAN serving up a significant amount of data.
>
> This time, the IP is:
>
> 210.55.204.214
>
> If I do a search on that IP in Domain Dossier
> (http://centralops.net/co/DomainDossier.aspx) I get the following
> extract:
>
> HTTP/1.0 400 Bad Request
> Server: AkamaiGHost
> Mime-Version: 1.0
> Content-Type: text/html
> Content-Length: 187
> Expires: Thu, 06 Apr 2006 21:46:18 GMT
> Date: Thu, 06 Apr 2006 21:46:18 GMT
> Connection: close
>
> Specifically, we see that 'AkamaiGHost' server again.
>
> From what I was told last time, this *could* be a server used by
> Microsoft to distribute updates etc.
>
> However, my ISA 2004 server also shows traffic to the following
> servers in the same log:
>
> download.microsoft.com
> office.microsoft.com
> www.download.windowsupdate.com
> update.microsoft.com
> au.download.windowsupdate.com
>
> Therefore, I am now having concerns that the IP address above is *not*
> a windows / office update site of some sort since they appear in my
> logs with their canonical names, not just an IP address.
>
>
> Am I being too paranoid here? If not, and I block access to the IP
> address totally, could that have a negative impact on our machines in
> terms of failing to get windows updates (or worse, not even being
> aware that there are updates available that they cannot get)?
>
> Could it be some other form of updates (Symantec virus definitions for
> example)? If so, how can I tell for sure?
>
> I don't want to block access to the site and find that it has
> silently stuffed up something important that I don't find out about
> for a few weeks.
>
> Thanks,
>
> Alan.


I tried that IP (210.55.204.214) in APNIC whois
(http://www.apnic.net/apnic-bin/whois.pl) and got:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.55.192.0 - 210.55.223.255
netname: NETWAY-6
descr: Netway Communications Ltd
descr: 209 Queen St, Auckland
country: NZ
admin-c: DBK1-AP
tech-c: TNZ1-AP
notify:
mnt-by: APNIC-HM
mnt-lower: NZTELECOM
status: ALLOCATED PORTABLE
changed: 20020918
changed: hm- 20040906
changed: hm- 20041123
changed: hm- 20041214
source: APNIC

role: Telecom New ZealandIPRegistry
address: Telecom New Zealand IP Registry
address: 31 Airedale Street,
address: Auckland
country: NZ
phone: +64-9-363-5861
fax-no: +64-9-379-4790
e-mail:
trouble:
admin-c: DBK1-AP
tech-c: BS3-AP
nic-hdl: TNZ1-AP
mnt-by: NZTELECOM
notify:
changed: 20031023
changed: 20041122
source: APNIC

person: Don Kendrick
address: Telecom NZ
address: 31 Airedale
address: Auckland
country: NZ
phone: +64-9-363-5861
fax-no: +64-9-379-4790
e-mail:
nic-hdl: DBK1-AP
mnt-by: NZTELECOM
changed: 20020702
source: APNIC
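An added example, not code from anyone in this thread: a small Python script that totals a proxy log by destination and, for destinations that were logged only as an IP literal, checks them against the inetnum range from the APNIC whois reply quoted above. The log line layout and the byte counts are constructed for the example, not real ISA 2004 output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (internal client, destination, bytes served to the
# client); the field layout is made up and is not real ISA 2004 log format.
SAMPLE_LOG = """\
192.168.1.10 download.microsoft.com 1048576
192.168.1.11 210.55.204.214 5242880
192.168.1.10 update.microsoft.com 20480
192.168.1.12 210.55.204.214 3145728
192.168.1.13 au.download.windowsupdate.com 8388608
"""

# Allocation copied from the APNIC whois reply quoted earlier in the thread.
KNOWN_RANGES = {
    "NETWAY-6 / Netway Communications Ltd (NZ)": "210.55.192.0 - 210.55.223.255",
}

def inetnum_to_networks(inetnum):
    """Turn a whois 'inetnum: first - last' range into CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def is_ip_literal(dest):
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False  # logged by hostname, as the Microsoft entries were

def owner_of(dest, ranges=KNOWN_RANGES):
    """Netname of the whois range containing a bare-IP destination, else None."""
    if not is_ip_literal(dest):
        return None
    addr = ipaddress.ip_address(dest)
    for name, inetnum in ranges.items():
        if any(addr in net for net in inetnum_to_networks(inetnum)):
            return name
    return None

def summarise(log_text, ranges=KNOWN_RANGES):
    """Total bytes per destination, marking destinations that appear only as an
    IP literal and the allocation they fall in, so they can be reviewed next
    to the ones the proxy logged by name."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _client, dest, nbytes = line.split()
        totals[dest] += int(nbytes)
    return {dest: {"bytes": n, "bare_ip": is_ip_literal(dest), "owner": owner_of(dest, ranges)}
            for dest, n in totals.items()}
```

The report separates "who owns the address" (answerable from whois) from "what content it served" (not answerable from the IP alone), which is the distinction the thread turns on.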
EMB
      04-07-2006
Alan wrote:
> Hi All,
>
> This is a follow up on an issue I posted on a while back:


Google and learn about how akamai works - then you'll understand wtf is
going on.


--
EMB
Alan
      04-07-2006


"muzz" <> wrote in message
news:...
> Alan wrote:
>> Hi All,
>>
>> This is a follow up on an issue I posted on a while back:
>>
>> http://groups.google.co.nz/group/nz....3ee16bd7e417bc
>>
>> I still don't fully understand, so I am looking for a little more
>> education albeit from a stronger base of knowledge now hopefully!
>>
>> I have (again) an unknown IP address being accessed from inside our
>> LAN serving up a significant amount of data.
>>
>> This time, the IP is:
>>
>> 210.55.204.214
>>
>> If I do a search on that IP in Domain Dossier
>> (http://centralops.net/co/DomainDossier.aspx) I get the following
>> extract:
>>
>> HTTP/1.0 400 Bad Request
>> Server: AkamaiGHost
>> Mime-Version: 1.0
>> Content-Type: text/html
>> Content-Length: 187
>> Expires: Thu, 06 Apr 2006 21:46:18 GMT
>> Date: Thu, 06 Apr 2006 21:46:18 GMT
>> Connection: close
>>
>> Specifically, we see that 'AkamaiGHost' server again.
>>
>> From what I was told last time, this *could* be a server used by
>> Microsoft to distribute updates etc.
>>
>> However, my ISA 2004 server also shows traffic to the following
>> servers in the same log:
>>
>> download.microsoft.com
>> office.microsoft.com
>> www.download.windowsupdate.com
>> update.microsoft.com
>> au.download.windowsupdate.com
>>
>> Therefore, I am now having concerns that the IP address above is *not*
>> a windows / office update site of some sort since they appear in my
>> logs with their canonical names, not just an IP address.
>>
>>
>> Am I being too paranoid here? If not, and I block access to the IP
>> address totally, could that have a negative impact on our machines in
>> terms of failing to get windows updates (or worse, not even being
>> aware that there are updates available that they cannot get)?
>>
>> Could it be some other form of updates (Symantec virus definitions
>> for example)? If so, how can I tell for sure?
>>
>> I don't want to block access to the site and find that it has
>> silently stuffed up something important that I don't find out about
>> for a few weeks.
>>
>> Thanks,
>>
>> Alan.

>
> I tried that IP (210.55.204.214) in APNIC whois
> (http://www.apnic.net/apnic-bin/whois.pl) and got:
>

{Snip}

Yup - but what does that mean in the context of my query as to actions
to take or not?

Thanks,

Alan.
Alan
      04-07-2006

"EMB" <> wrote in message
news:e14jqg$7d6$...
> Alan wrote:
>> Hi All,
>>
>> This is a follow up on an issue I posted on a while back:

>
> Google and learn about how akamai works - then you'll understand wtf
> is going on.
>
>
> --
> EMB



Hi EMB,

I did that already, but I cannot see how I can tell what is being
mirrored from a given IP at a given point in time.

Nothing I could find helps in terms of the decision I need to make; it
all just appears to be about Akamai and what they do, which is very
interesting but irrelevant to the question at hand.

Are you able to shed any light on the actual problem of whether to
block a given IP and what the implications might be?

Thanks,

Alan.
Have A Nice Cup of Tea
      04-07-2006
On Fri, 07 Apr 2006 10:01:10 +1200, Alan wrote:

> I don't want to block access to the site and find that it has
> silently stuffed up something important that I don't find out about
> for a few weeks.


LOL

For what could it be *important* that you don't already know about?


Have A Nice Cup of Tea

--
Martin Taylor, GM of platform strategy at Microsoft: "We found
that the Linux environment provided about 15 percent more end
user loss of productivity." - *provided MORE loss of productivity*

EMB
      04-07-2006
Alan wrote:

> Are you able to shed any light on the actual problem of whether to
> block a given IP and what the implications might be?


All manner of large software vendors use the Akamai servers for
distribution of updates. I'm unsure as to whether blocking this
particular IP address would break that process or merely cause the
Akamai process to re-route your downloads to another server. Either way
the result won't solve your problems.


--
EMB
Enkidu
      04-07-2006
Alan wrote:
> Hi All,
>
> This is a follow up on an issue I posted on a while back:
>
> http://groups.google.co.nz/group/nz....3ee16bd7e417bc
>
> I still don't fully understand, so I am looking for a little more
> education albeit from a stronger base of knowledge now hopefully!
>
> I have (again) an unknown IP address being accessed from inside our
> LAN serving up a significant amount of data.
>
> This time, the IP is:
>
> 210.55.204.214
>
> If I do a search on that IP in Domain Dossier
> (http://centralops.net/co/DomainDossier.aspx) I get the following
> extract:
>
> HTTP/1.0 400 Bad Request
> Server: AkamaiGHost
> Mime-Version: 1.0
> Content-Type: text/html
> Content-Length: 187
> Expires: Thu, 06 Apr 2006 21:46:18 GMT
> Date: Thu, 06 Apr 2006 21:46:18 GMT
> Connection: close
>
> Specifically, we see that 'AkamaiGHost' server again.
>
> From what I was told last time, this *could* be a server used by
> Microsoft to distribute updates etc.
>
> However, my ISA 2004 server also shows traffic to the following
> servers in the same log:
>
> download.microsoft.com
> office.microsoft.com
> www.download.windowsupdate.com
> update.microsoft.com
> au.download.windowsupdate.com
>
> Therefore, I am now having concerns that the IP address above is *not*
> a windows / office update site of some sort since they appear in my
> logs with their canonical names, not just an IP address.
>
>
> Am I being too paranoid here? If not, and I block access to the IP
> address totally, could that have a negative impact on our machines in
> terms of failing to get windows updates (or worse, not even being
> aware that there are updates available that they cannot get)?
>
> Could it be some other form of updates (Symantec virus definitions for
> example)? If so, how can I tell for sure?
>
> I don't want to block access to the site and find that it has
> silently stuffed up something important that I don't find out about
> for a few weeks.
>

As you were told when you asked before, Akamai is a caching service used
by Microsoft among others. It is NOT a Microsoft distribution server. It
is a caching service. It is almost certainly benign. In the very very
early days these servers were used as anonymous relays, but those days
are LOOONG past.

It is a caching service, subscribed to by a number of big content
suppliers, not just Microsoft. The NZ Akamai servers are hosted by Xtra
I believe.

Yes you are being paranoid.

Cheers,

Cliff
Enkidu
      04-07-2006
Alan wrote:
> "EMB" <> wrote in message
> news:e14jqg$7d6$...
>
>> Alan wrote:
>>
>>> Hi All,
>>>
>>> This is a follow up on an issue I posted on a while back:

>>
>> Google and learn about how akamai works - then you'll understand
>> wtf is going on.
>>

>
> I did that already, but I cannot see how I can tell what is being
> mirrored from a given IP at a given point in time.
>

That's the nature of a cache. You don't know what's in it, but you know
that it has been accessed frequently in the recent past. You just know
that if you need to access something that happens to be cached, you will
get it quickly and locally instead of having to drag it in from offshore.

Cheers,

Cliff
Don Hills
      04-08-2006
In article <44362802$>,
Enkidu <> wrote:
>>

>That's the nature of a cache. You don't know what's in it, but you know
>that it has been accessed frequently in the recent past. You just know
>that if you need to access something that happens to be cached, you will
>get it quickly and locally instead of having to drag it in from offshore.


Interesting point: For pages that originate overseas but are cached locally,
do ISPs charge their overseas bandwidth rate instead of their local rate? I
suspect many charge the overseas rate, pay Akamai's fee and pocket the rest.

--
Don Hills (dmhills at attglobaldotnet) Wellington, New Zealand
"New interface closely resembles Presentation Manager,
preparing you for the wonders of OS/2!"
-- Advertisement on the box for Microsoft Windows 2.11 for 286