Tracing who an IP address belongs to - Need help!

Discussion in 'NZ Computing' started by Alan, Mar 15, 2006.

  1. Alan

    Alan Guest

    Hi All,

    I have noticed three IP addresses that have been used to download
    fairly big amounts of data through our router over the last week, but
    I cannot seem to work out who they belong to (there are many others,
    but just these three that I cannot verify as being 'okay'):

    210.55.6.161
    210.55.6.166
    210.55.204.217


    They *seem* to be either Telecom or Netway Communications IPs.
    Could that mean they are actually Xtra (or Netway) users on non-static
    IPs perhaps?

    Thanks,

    Alan.

    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Mar 15, 2006
    #1

  2. Alan

    Dave Taylor Guest

    "Alan" <> wrote in news:9GRRf.6344$JZ1.201824
    @news.xtra.co.nz:

    > but
    > I cannot seem to work out who they belong to (there are many others,
    > but just these three that I cannot verify as being 'okay'):
    >


    dnsstuff.com




    --
    Ciao, Dave
    Dave Taylor, Mar 15, 2006
    #2

  3. Alan

    Alan Guest

    "Dave Taylor" <> wrote in message
    news:Xns9787ED50BE6E5daveytaynospamplshot@203.97.37.6...
    > "Alan" <> wrote in news:9GRRf.6344$JZ1.201824
    > @news.xtra.co.nz:
    >
    >> but
    >> I cannot seem to work out who they belong to (there are many
    >> others,
    >> but just these three that I cannot verify as being 'okay'):
    >>

    >
    > dnsstuff.com
    >
    >
    >
    >
    > --
    > Ciao, Dave


    Hi Dave,

    I tried that (and Domain Dossier) but I'm still none the wiser as to
    what is at that address or how it could be accessed using HTTP:

    http://www.dnsstuff.com/tools/ipall.ch?domain= 210.55.6.161

    Perhaps I don't understand what I am seeing?

    Alan.


    Alan, Mar 15, 2006
    #3
  4. On Wed, 15 Mar 2006 23:58:20 +1300, Alan wrote:

    > Perhaps I don't understand what I am seeing?


    Indeed!

    Check your logs.

    Have you tried using whois?

    What port are they connecting from? What port are they connecting to?

    What IP number are they connecting TO inside your firewall? Why has your
    firewall not blocked them?

    What protocol are they using to connect?

    There are plenty of questions that you appear not to have answered, or
    asked.


    Have A Nice Cup of Tea

    --
    1/ Migration to Linux only costs money once. Higher Windows TCO is forever.
    2/ "Shared source" is a poison pill. Open Source is freedom.
    3/ Only the Windows boxes get the worms.
    Have A Nice Cup of Tea, Mar 15, 2006
    #4
  5. Alan

    Enkidu Guest

    Alan wrote:
    > "Dave Taylor" <> wrote in message
    > news:Xns9787ED50BE6E5daveytaynospamplshot@203.97.37.6...
    >
    >> "Alan" <> wrote in news:9GRRf.6344$JZ1.201824
    >> @news.xtra.co.nz:
    >>
    >>
    >>> but I cannot seem to work out who they belong to (there are many
    >>> others, but just these three that I cannot verify as being
    >>> 'okay'):
    >>>

    >>
    >> dnsstuff.com
    >>
    >>
    >>
    >>
    >> -- Ciao, Dave

    >
    >
    > Hi Dave,
    >
    > I tried that (and Domain Dossier) but I'm still none the wiser as to
    > what is at that address or how it could be accessed using HTTP:
    >
    > http://www.dnsstuff.com/tools/ipall.ch?domain= 210.55.6.161
    >
    > Perhaps I don't understand what I am seeing?
    >

    What are you seeing?

    From what I see below, it appears to be an Akamai server. These servers
    are like local caches of sites that get hit a lot and whose owners use
    the Akamai service. Basically, by DNS smoke and mirrors, you may get
    connected to a local Akamai server when you *think* you are connecting
    to, say, www.microsoft.com. All pages you request from the Microsoft
    site that are cached are actually served by the Akamai server.

    Cheers,

    Cliff

    cliffp@honeybee:~$ telnet 210.55.6.161 80
    Trying 210.55.6.161...
    Connected to 210.55.6.161.
    Escape character is '^]'.
    HEAD / HTTP/1.1

    HTTP/1.0 400 Bad Request
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 187
    Expires: Wed, 15 Mar 2006 19:58:42 GMT
    Date: Wed, 15 Mar 2006 19:58:42 GMT
    X-Cache: MISS from firewall
    X-Cache-Lookup: MISS from firewall:3128
    Connection: close

    Connection closed by foreign host.
    Enkidu, Mar 15, 2006
    #5
  6. Alan

    thing2 Guest

    Alan wrote:
    > Hi All,
    >
    > I have noticed three IP addresses that have been used to download
    > fairly big amounts of data through our router over the last week, but
    > I cannot seem to work out who they belong to (there are many others,
    > but just these three that I cannot verify as being 'okay'):
    >
    > 210.55.6.161
    > 210.55.6.166
    > 210.55.204.217
    >
    >
    > They *seem* to be either Telecom or Netway Communications IPs.
    > Could that mean they are actually Xtra (or Netway) users on non-static
    > IPs perhaps?
    >
    > Thanks,
    >
    > Alan.
    >


    http://completewhois.com/

    inetnum: 210.55.0.0 - 210.55.79.255
    netname: NZTELECOM-NZ
    descr: Telecom New Zealand Ltd
    descr: Private Bag 92028, Auckland, New Zealand
    country: NZ
    admin-c: DBK1-AP
    tech-c: TNZ1-AP
    mnt-by: APNIC-HM
    mnt-lower: NZTELECOM
    status: ALLOCATED PORTABLE

    looks that way.

    regards

    Thing
    thing2, Mar 15, 2006
    #6
  7. Alan

    Alan Guest

    "Have A Nice Cup of Tea" <> wrote in message
    news:p...
    > On Wed, 15 Mar 2006 23:58:20 +1300, Alan wrote:
    >
    >> Perhaps I don't understand what I am seeing?

    >
    > Indeed!
    >
    > Check your logs.
    >
    > Have you tried using whois?
    >
    > What port are they connecting from? What port are they connecting
    > to?
    >
    > What IP number are they connecting TO inside your firewall? Why has
    > your
    > firewall not blocked them?
    >
    > What protocol are they using to connect?
    >
    > There are plenty of questions that you appear not to have answered,
    > or
    > asked.
    >
    >
    > Have A Nice Cup of Tea
    >
    > --
    > 1/ Migration to Linux only costs money once. Higher Windows TCO is
    > forever.
    > 2/ "Shared source" is a poison pill. Open Source is freedom.
    > 3/ Only the Windows boxes get the worms.
    >


    Hi,

    I didn't explain very well.

    This is traffic being 'pulled' in by a machine on our network (I have
    no way at this point of determining which one) from those IP
    addresses.

    It could be, and may well be, entirely business related, but I
    couldn't work out who the data was coming from.

    HTH,

    Alan.

    Alan, Mar 16, 2006
    #7
  8. >
    > I didn't explain very well.
    >
    > This is traffic being 'pulled' in by a machine on our network (I have
    > no way at this point of determining which one) from those IP
    > addresses.
    >
    > It could be, and may well be, entirely business related, but I
    > couldn't work out who the data was coming from.
    >


    Akamai.. Windows Updates....most likely

    Thanks
    Craig Whitmore, Mar 16, 2006
    #8
  9. On Thu, 16 Mar 2006 14:52:53 +1300, Alan wrote:

    > This is traffic being 'pulled' in by a machine on our network (I have
    > no way at this point of determining which one) from those IP
    > addresses.
    >
    > It could be, and may well be, entirely business related, but I
    > couldn't work out who the data was coming from.


    Are you using Squid? Surely your logs will tell you which of your
    computers inside your network is connecting to that server.

    Do you have a packet sniffer installed? Surely you will be able to look at
    the packet headers on their way into your firewall and find out which of
    your computers is connecting to that server.

    Easiest way would be to use grep on your proxy log.


    Have A Nice Cup of Tea

    Have A Nice Cup of Tea, Mar 16, 2006
    #9
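
The grep on the proxy log suggested above, tightened into a per-client byte count. This is an added example, not part of the original posts: it assumes Squid's native access.log format, and the log lines, internal client addresses and example.test hostnames are constructed. Matching the peer field exactly, rather than grepping the whole line, avoids counting requests that only mention the address in a URL, such as a web lookup of that IP.

```shell
#!/bin/sh
# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
sample_log() {
cat <<'EOF'
1142452722.101    812 192.168.1.23 TCP_MISS/200 5242880 GET http://updates.example.test/a.cab - DIRECT/210.55.6.161 application/octet-stream
1142452790.440    655 192.168.1.23 TCP_MISS/200 3145728 GET http://updates.example.test/b.cab - DIRECT/210.55.6.166 application/octet-stream
1142452801.007    120 192.168.1.40 TCP_MISS/200 20480 GET http://updates.example.test/index.htm - DIRECT/210.55.204.217 text/html
1142452833.512     95 192.168.1.57 TCP_MISS/200 4096 GET http://lookup.example.test/ip?domain=210.55.6.161 - DIRECT/192.0.2.10 text/html
1142452840.900     30 192.168.1.40 TCP_MISS/200 1024 GET http://www.example.test/ - DIRECT/192.0.2.20 text/html
EOF
}

# bytes_by_client LOGFILE IP [IP...]
# Prints "client bytes requests" for every internal client that fetched data
# from one of the given remote IPs, largest transfer first.
bytes_by_client() {
    log=$1
    shift
    awk -v ips="$*" '
        BEGIN {
            # Build a lookup set from the space-separated IP list.
            n = split(ips, a, " ")
            for (i = 1; i <= n; i++) want[a[i]] = 1
        }
        {
            # Field 9 is hierarchy/peer, e.g. DIRECT/210.55.6.161.
            # Cache hits are logged as NONE/- and never match here.
            split($9, h, "/")
            if (h[2] in want) {
                bytes[$3] += $5   # field 3 = client, field 5 = bytes sent
                hits[$3]++
            }
        }
        END { for (c in bytes) print c, bytes[c], hits[c] }
    ' "$log" | sort -k2,2nr
}

# Demo on the constructed sample, using the three addresses from the thread.
demo_log=$(mktemp)
sample_log > "$demo_log"
bytes_by_client "$demo_log" 210.55.6.161 210.55.6.166 210.55.204.217
rm -f "$demo_log"
```

On the sample, a plain `grep 210.55.6.161` also returns the lookup request from 192.168.1.57, which never contacted that server.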
  10. Alan

    Alan Guest

    "thing2" <> wrote in message
    news:...
    > Alan wrote:
    >> Hi All,
    >>
    >> I have noticed three IP addresses that have been used to download
    >> fairly big amounts of data through our router over the last week,
    >> but
    >> I cannot seem to work out who they belong to (there are many
    >> others,
    >> but just these three that I cannot verify as being 'okay'):
    >>
    >> 210.55.6.161
    >> 210.55.6.166
    >> 210.55.204.217
    >>
    >>
    >> They *seem* to be either Telecom or Netway Communications IPs.
    >> Could that mean they are actually Xtra (or Netway) users on
    >> non-static
    >> IPs perhaps?
    >>
    >> Thanks,
    >>
    >> Alan.
    >>

    >
    > http://completewhois.com/
    >
    > inetnum: 210.55.0.0 - 210.55.79.255
    > netname: NZTELECOM-NZ
    > descr: Telecom New Zealand Ltd
    > descr: Private Bag 92028, Auckland, New Zealand
    > country: NZ
    > admin-c: DBK1-AP
    > tech-c: TNZ1-AP
    > mnt-by: APNIC-HM
    > mnt-lower: NZTELECOM
    > status: ALLOCATED PORTABLE
    >
    > looks that way.
    >
    > regards
    >
    > Thing
    >


    That's a good WhoIs lookup!

    "Allocated Portable" - It does sound like IPs given to users
    dynamically.

    How does that square off with the comment that Cliff and others made
    about it being an 'AkamaiGHost' server that may be serving up Windows
    Updates from MS?

    Thanks - I am learning here!

    Alan.


    Alan, Mar 16, 2006
    #10
  11. Alan

    Alan Guest

    "Enkidu" <> wrote in message
    news:...
    > Alan wrote:
    >> "Dave Taylor" <> wrote in message
    >> news:Xns9787ED50BE6E5daveytaynospamplshot@203.97.37.6...
    >>
    >>> "Alan" <> wrote in news:9GRRf.6344$JZ1.201824
    >>> @news.xtra.co.nz:
    >>>
    >>>
    >>>> but I cannot seem to work out who they belong to (there are many
    >>>> others, but just these three that I cannot verify as being
    >>>> 'okay'):
    >>>>
    >>>
    >>> dnsstuff.com
    >>>
    >>>
    >>>
    >>>
    >>> -- Ciao, Dave

    >>
    >>
    >> Hi Dave,
    >>
    >> I tried that (and Domain Dossier) but I'm still none the wiser as
    >> to
    >> what is at that address or how it could be accessed using HTTP:
    >>
    >> http://www.dnsstuff.com/tools/ipall.ch?domain= 210.55.6.161
    >>
    >> Perhaps I don't understand what I am seeing?
    >>

    > What are you seeing?
    >
    > From what I see below, it appears to be an Akamai server. These
    > servers
    > are like local caches of sites that get hit a lot and whose owners
    > use
    > the Akamai service. Basically, by DNS smoke and mirrors, you may get
    > connected to a local Akamai server when you *think* you are
    > connecting
    > to, say, www.microsoft.com. All pages you request from the Microsoft
    > site that are cached are actually served by the Akamai server.
    >
    > Cheers,
    >
    > Cliff
    >
    > cliffp@honeybee:~$ telnet 210.55.6.161 80
    > Trying 210.55.6.161...
    > Connected to 210.55.6.161.
    > Escape character is '^]'.
    > HEAD / HTTP/1.1
    >
    > HTTP/1.0 400 Bad Request
    > Server: AkamaiGHost
    > Mime-Version: 1.0
    > Content-Type: text/html
    > Content-Length: 187
    > Expires: Wed, 15 Mar 2006 19:58:42 GMT
    > Date: Wed, 15 Mar 2006 19:58:42 GMT
    > X-Cache: MISS from firewall
    > X-Cache-Lookup: MISS from firewall:3128
    > Connection: close
    >
    > Connection closed by foreign host.




    Hi Cliff,

    Thing posted the following:

    http://completewhois.com/

    inetnum: 210.55.0.0 - 210.55.79.255
    netname: NZTELECOM-NZ
    descr: Telecom New Zealand Ltd
    descr: Private Bag 92028, Auckland, New Zealand
    country: NZ
    admin-c: DBK1-AP
    tech-c: TNZ1-AP
    mnt-by: APNIC-HM
    mnt-lower: NZTELECOM
    status: ALLOCATED PORTABLE

    How does that square up with the Akamai server response? I am
    thinking that "Allocated Portable" means IPs in a range allocated
    dynamically to users of Xtra?

    Thanks for your input,

    Alan.

    Alan, Mar 16, 2006
    #11
  12. Alan

    Enkidu Guest

    Alan wrote:
    > "Enkidu" <> wrote in message
    > news:...
    >
    >>Alan wrote:
    >>
    >>>"Dave Taylor" <> wrote in message
    >>>news:Xns9787ED50BE6E5daveytaynospamplshot@203.97.37.6...
    >>>
    >>>
    >>>>"Alan" <> wrote in news:9GRRf.6344$JZ1.201824
    >>>>@news.xtra.co.nz:
    >>>>
    >>>>
    >>>>
    >>>>>but I cannot seem to work out who they belong to (there are many
    >>>>> others, but just these three that I cannot verify as being
    >>>>>'okay'):
    >>>>>
    >>>>
    >>>>dnsstuff.com
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>-- Ciao, Dave
    >>>
    >>>
    >>>Hi Dave,
    >>>
    >>>I tried that (and Domain Dossier) but I'm still none the wiser as
    >>>to
    >>> what is at that address or how it could be accessed using HTTP:
    >>>
    >>>http://www.dnsstuff.com/tools/ipall.ch?domain= 210.55.6.161
    >>>
    >>>Perhaps I don't understand what I am seeing?
    >>>

    >>
    >>What are you seeing?
    >>
    >>From what I see below, it appears to be an Akamai server. These
    >>servers
    >>are like local caches of sites that get hit a lot and whose owners
    >>use
    >>the Akamai service. Basically, by DNS smoke and mirrors, you may get
    >>connected to a local Akamai server when you *think* you are
    >>connecting
    >>to, say, www.microsoft.com. All pages you request from the Microsoft
    >>site that are cached are actually served by the Akamai server.
    >>
    >>Cheers,
    >>
    >>Cliff
    >>
    >>cliffp@honeybee:~$ telnet 210.55.6.161 80
    >>Trying 210.55.6.161...
    >>Connected to 210.55.6.161.
    >>Escape character is '^]'.
    >>HEAD / HTTP/1.1
    >>
    >>HTTP/1.0 400 Bad Request
    >>Server: AkamaiGHost
    >>Mime-Version: 1.0
    >>Content-Type: text/html
    >>Content-Length: 187
    >>Expires: Wed, 15 Mar 2006 19:58:42 GMT
    >>Date: Wed, 15 Mar 2006 19:58:42 GMT
    >>X-Cache: MISS from firewall
    >>X-Cache-Lookup: MISS from firewall:3128
    >>Connection: close
    >>
    >>Connection closed by foreign host.

    >
    >
    >
    >
    > Hi Cliff,
    >
    > Thing posted the following:
    >
    > http://completewhois.com/
    >
    > inetnum: 210.55.0.0 - 210.55.79.255
    > netname: NZTELECOM-NZ
    > descr: Telecom New Zealand Ltd
    > descr: Private Bag 92028, Auckland, New Zealand
    > country: NZ
    > admin-c: DBK1-AP
    > tech-c: TNZ1-AP
    > mnt-by: APNIC-HM
    > mnt-lower: NZTELECOM
    > status: ALLOCATED PORTABLE
    >
    > How does that square up with the Akamai server response? I am
    > thinking that "Allocated Portable" means IPs in a range allocated
    > dynamically to users of Xtra?
    >

    Allocated portable means that the subnet is 'portable'. If the holder of
    a portable subnet (usually a class C) were to move to a different
    service provider they could take the class C with them. In the context
    of Xtra/Telecom it doesn't mean anything.

    Xtra hosts the Akamai servers. I teenk that they are the only Akamais in
    NZ.

    (Historical note: If you knew about the Akamai servers, you could craft
    a special URL to use the servers as an anonymous proxy. They fixed that
    hole though.)

    Cheers,

    Cliff
    Enkidu, Mar 16, 2006
    #12