Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

Discussion in 'NZ Computing' started by Alan, Apr 6, 2006.

  1. Alan

    Alan Guest

    Hi All,

    This is a follow up on an issue I posted on a while back:

    http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc

    I still don't fully understand, so I am looking for a little more
    education albeit from a stronger base of knowledge now hopefully!

    I have (again) an unknown IP address being accessed from inside our
    LAN serving up a significant amount of data.

    This time, the IP is:

    210.55.204.214

    If I do a search on that IP in Domain Dossier
    (http://centralops.net/co/DomainDossier.aspx) I get the following
    extract:

    HTTP/1.0 400 Bad Request
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 187
    Expires: Thu, 06 Apr 2006 21:46:18 GMT
    Date: Thu, 06 Apr 2006 21:46:18 GMT
    Connection: close

    Specifically, we see that 'AkamaiGHost' server again.

    From what I was told last time, this *could* be a server used by
    Microsoft to distribute updates etc.

    However, my ISA 2004 server also shows traffic to the following
    servers
    in the same log:

    download.microsoft.com
    office.microsoft.com
    www.download.windowsupdate.com
    update.microsoft.com
    au.download.windowsupdate.com

    Therefore, I am now having concerns that the IP address above is *not*
    a windows / office update site of some sort since they appear in my
    logs with their canonical names, not just an IP address.


    Am I being too paranoid here? If not, and I block access to the IP
    address totally, could that have a negative impact on our machines in
    terms of failing to get windows updates (or worse, not even being
    aware that there are updates available that they cannot get)?

    Could it be some other form of updates (Symantec virus definitions for
    example)? If so, how can I tell for sure?

    I don't want to block access to the site and find that it has
    silently stuffed up something important that I don't find out about
    for a few weeks.

    Thanks,

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Apr 6, 2006
    #1

  2. Alan

    muzz Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > Hi All,
    >
    > This is a follow up on an issue I posted on a while back:
    >
    > http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >
    > I still don't fully understand, so I am looking for a little more
    > education albeit from a stronger base of knowledge now hopefully!
    >
    > I have (again) an unknown IP address being accessed from inside our
    > LAN serving up a significant amount of data.
    >
    > This time, the IP is:
    >
    > 210.55.204.214
    >
    > If I do a search on that IP in Domain Dossier
    > (http://centralops.net/co/DomainDossier.aspx) I get the following
    > extract:
    >
    > HTTP/1.0 400 Bad Request
    > Server: AkamaiGHost
    > Mime-Version: 1.0
    > Content-Type: text/html
    > Content-Length: 187
    > Expires: Thu, 06 Apr 2006 21:46:18 GMT
    > Date: Thu, 06 Apr 2006 21:46:18 GMT
    > Connection: close
    >
    > Specifically, we see that 'AkamaiGHost' server again.
    >
    > From what I was told last time, this *could* be a server used by
    > Microsoft to distribute updates etc.
    >
    > However, my ISA 2004 server also shows traffic to the following
    > servers
    > in the same log:
    >
    > download.microsoft.com
    > office.microsoft.com
    > www.download.windowsupdate.com
    > update.microsoft.com
    > au.download.windowsupdate.com
    >
    > Therefore, I am now having concerns that the IP address above is *not*
    > a windows / office update site of some sort since they appear in my
    > logs with their canonical names, not just an IP address.
    >
    >
    > Am I being too paranoid here? If not, and I block access to the IP
    > address totally, could that have a negative impact on our machines in
    > terms of failing to get windows updates (or worse, not even being
    > aware that there are updates available that they cannot get)?
    >
    > Could it be some other form of updates (Symantec virus definitions for
    > example)? If so, how can I tell for sure?
    >
    > I don't want to block access to the site and find that it has
    > silently stuffed up something important that I don't find out about
    > for a few weeks.
    >
    > Thanks,
    >
    > Alan.


    I tried that IP (210.55.204.214) in APNIC whois
    (http://www.apnic.net/apnic-bin/whois.pl) and got:

    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 210.55.192.0 - 210.55.223.255
    netname: NETWAY-6
    descr: Netway Communications Ltd
    descr: 209 Queen St, Auckland
    country: NZ
    admin-c: DBK1-AP
    tech-c: TNZ1-AP
    notify:
    mnt-by: APNIC-HM
    mnt-lower: NZTELECOM
    status: ALLOCATED PORTABLE
    changed: 20020918
    changed: 20040906
    changed: 20041123
    changed: 20041214
    source: APNIC

    role: Telecom New ZealandIPRegistry
    address: Telecom New Zealand IP Registry
    address: 31 Airedale Street,
    address: Auckland
    country: NZ
    phone: +64-9-363-5861
    fax-no: +64-9-379-4790
    e-mail:
    trouble:
    admin-c: DBK1-AP
    tech-c: BS3-AP
    nic-hdl: TNZ1-AP
    mnt-by: NZTELECOM
    notify:
    changed: 20031023
    changed: 20041122
    source: APNIC

    person: Don Kendrick
    address: Telecom NZ
    address: 31 Airedale
    address: Auckland
    country: NZ
    phone: +64-9-363-5861
    fax-no: +64-9-379-4790
    e-mail:
    nic-hdl: DBK1-AP
    mnt-by: NZTELECOM
    changed: 20020702
    source: APNIC
    muzz, Apr 7, 2006
    #2

  3. Alan

    EMB Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > Hi All,
    >
    > This is a follow up on an issue I posted on a while back:


    Google and learn about how akamai works - then you'll understand wtf is
    going on.


    --
    EMB
    EMB, Apr 7, 2006
    #3
  4. Alan

    Alan Guest

    "muzz" <-ip.com> wrote in message
    news:...
    > Alan wrote:
    >> Hi All,
    >>
    >> This is a follow up on an issue I posted on a while back:
    >>
    >> http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >>
    >> I still don't fully understand, so I am looking for a little more
    >> education albeit from a stronger base of knowledge now hopefully!
    >>
    >> I have (again) an unknown IP address being accessed from inside our
    >> LAN serving up a significant amount of data.
    >>
    >> This time, the IP is:
    >>
    >> 210.55.204.214
    >>
    >> If I do a search on that IP in Domain Dossier
    >> (http://centralops.net/co/DomainDossier.aspx) I get the following
    >> extract:
    >>
    >> HTTP/1.0 400 Bad Request
    >> Server: AkamaiGHost
    >> Mime-Version: 1.0
    >> Content-Type: text/html
    >> Content-Length: 187
    >> Expires: Thu, 06 Apr 2006 21:46:18 GMT
    >> Date: Thu, 06 Apr 2006 21:46:18 GMT
    >> Connection: close
    >>
    >> Specifically, we see that 'AkamaiGHost' server again.
    >>
    >> From what I was told last time, this *could* be a server used by
    >> Microsoft to distribute updates etc.
    >>
    >> However, my ISA 2004 server also shows traffic to the following
    >> servers
    >> in the same log:
    >>
    >> download.microsoft.com
    >> office.microsoft.com
    >> www.download.windowsupdate.com
    >> update.microsoft.com
    >> au.download.windowsupdate.com
    >>
    >> Therefore, I am now having concerns that the IP address above is
    >> *not*
    >> a windows / office update site of some sort since they appear in my
    >> logs with their canonical names, not just an IP address.
    >>
    >>
    >> Am I being too paranoid here? If not, and I block access to the IP
    >> address totally, could that have a negative impact on our machines
    >> in
    >> terms of failing to get windows updates (or worse, not even being
    >> aware that there are updates available that they cannot get)?
    >>
    >> Could it be some other form of updates (Symantec virus definitions
    >> for example)? If so, how can I tell for sure?
    >>
    >> I don't want to block access to the site and find that it has
    >> silently stuffed up something important that I don't find out about
    >> for a few weeks.
    >>
    >> Thanks,
    >>
    >> Alan.

    >
    > I tried that IP (210.55.204.214) in APNIC whois
    > (http://www.apnic.net/apnic-bin/whois.pl) and got:
    >

    {Snip}

    Yup - but what does that mean in the context of my query as to actions
    to take or not?

    Thanks,

    Alan.
    Alan, Apr 7, 2006
    #4
  5. Alan

    Alan Guest

    "EMB" <> wrote in message
    news:e14jqg$7d6$...
    > Alan wrote:
    >> Hi All,
    >>
    >> This is a follow up on an issue I posted on a while back:

    >
    > Google and learn about how akamai works - then you'll understand wtf
    > is going on.
    >
    >
    > --
    > EMB



    Hi EMB,

    I did that already, but I cannot see how I can tell what is being
    mirrored from a given IP at a given point in time.

    Nothing I could find helps in terms of the decision I need to make, it
    all just appears to be about Akamai and what they do which is very
    interesting but irrelevant to the question at hand.

    Are you able to shed any light on the actual problem of whether to
    block a given IP and what the implications might be?

    Thanks,

    Alan.
    Alan, Apr 7, 2006
    #5
  6. On Fri, 07 Apr 2006 10:01:10 +1200, Alan wrote:

    > I don't want to block access to the site and find that it has
    > silently stuffed up something important that I don't find out about
    > for a few weeks.


    LOL

    For what could it be *important* that you don't already know about?


    Have A Nice Cup of Tea

    --
    Martin Taylor, GM of platform strategy at Microsoft: "We found
    that the Linux environment provided about 15 percent more end
    user loss of productivity." - *provided MORE loss of productivity*
    Have A Nice Cup of Tea, Apr 7, 2006
    #6
  7. Alan

    EMB Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:

    > Are you able to shed any light on the actual problem of whether to
    > block a given IP and what the implications might be?


    All manner of large software vendors use the Akamai servers for
    distribution of updates. I'm unsure as to whether blocking this
    particular IP address would break that process or merely cause the
    Akamai process to re-route your downloads to another server. Either way
    the result won't solve your problems.


    --
    EMB
    EMB, Apr 7, 2006
    #7
  8. Alan

    Enkidu Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > Hi All,
    >
    > This is a follow up on an issue I posted on a while back:
    >
    > http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >
    > I still don't fully understand, so I am looking for a little more
    > education albeit from a stronger base of knowledge now hopefully!
    >
    > I have (again) an unknown IP address being accessed from inside our
    > LAN serving up a significant amount of data.
    >
    > This time, the IP is:
    >
    > 210.55.204.214
    >
    > If I do a search on that IP in Domain Dossier
    > (http://centralops.net/co/DomainDossier.aspx) I get the following
    > extract:
    >
    > HTTP/1.0 400 Bad Request
    > Server: AkamaiGHost
    > Mime-Version: 1.0
    > Content-Type: text/html
    > Content-Length: 187
    > Expires: Thu, 06 Apr 2006 21:46:18 GMT
    > Date: Thu, 06 Apr 2006 21:46:18 GMT
    > Connection: close
    >
    > Specifically, we see that 'AkamaiGHost' server again.
    >
    > From what I was told last time, this *could* be a server used by
    > Microsoft to distribute updates etc.
    >
    > However, my ISA 2004 server also shows traffic to the following
    > servers
    > in the same log:
    >
    > download.microsoft.com
    > office.microsoft.com
    > www.download.windowsupdate.com
    > update.microsoft.com
    > au.download.windowsupdate.com
    >
    > Therefore, I am now having concerns that the IP address above is *not*
    > a windows / office update site of some sort since they appear in my
    > logs with their canonical names, not just an IP address.
    >
    >
    > Am I being too paranoid here? If not, and I block access to the IP
    > address totally, could that have a negative impact on our machines in
    > terms of failing to get windows updates (or worse, not even being
    > aware that there are updates available that they cannot get)?
    >
    > Could it be some other form of updates (Symantec virus definitions for
    > example)? If so, how can I tell for sure?
    >
    > I don't want to block access to the site and find that it has
    > silently stuffed up something important that I don't find out about
    > for a few weeks.
    >

    As you were told when you asked before, Akamai is a caching service used
    by Microsoft among others. It is NOT a Microsoft distribution server. It
    is a caching service. It is almost certainly benign. In the very very
    early days these servers were used as anonymous relays, but those days
    are LOOONG past.

    It is a caching service, subscribed to by a number of big content
    suppliers, not just Microsoft. The NZ Akamai servers are hosted by Xtra
    I believe.

    Yes you are being paranoid.

    Cheers,

    Cliff
    Enkidu, Apr 7, 2006
    #8
  9. Alan

    Enkidu Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > "EMB" <> wrote in message
    > news:e14jqg$7d6$...
    >
    >> Alan wrote:
    >>
    >>> Hi All,
    >>>
    >>> This is a follow up on an issue I posted on a while back:

    >>
    >> Google and learn about how akamai works - then you'll understand
    >> wtf is going on.
    >>

    >
    > I did that already, but I cannot see how I can tell what is being
    > mirrored from a given IP at a given point in time.
    >

    That's the nature of a cache. You don't know what's in it, but you know
    that it has been accessed frequently in the recent past. You just know
    that if you need to access something that happens to be cached, you will
    get it quickly and locally instead of having to drag it in from offshore.

    Cheers,

    Cliff
    Enkidu, Apr 7, 2006
    #9
  10. Alan

    Don Hills Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated

    In article <44362802$>,
    Enkidu <> wrote:
    >>

    >That's the nature of a cache. You don't know what's in it, but you know
    >that it has been accessed frequently in the recent past. You just know
    >that if you need to access something that happens to be cached, you will
    >get it quickly and locally instead of having to drag it in from offshore.


    Interesting point: For pages that originate overseas but are cached locally,
    do ISPs charge their overseas bandwidth rate instead of their local rate? I
    suspect many charge the overseas rate, pay Akamai's fee and pocket the rest.

    --
    Don Hills (dmhills at attglobaldotnet) Wellington, New Zealand
    "New interface closely resembles Presentation Manager,
    preparing you for the wonders of OS/2!"
    -- Advertisement on the box for Microsoft Windows 2.11 for 286
    Don Hills, Apr 8, 2006
    #10
  11. Re: Unknown IP addresses in my firewall logs (outgoing initiated

    On Sat, 08 Apr 2006 16:16:32 +1200, Don Hills wrote:

    > Interesting point: For pages that originate overseas but are cached locally,
    > do ISPs charge their overseas bandwidth rate instead of their local rate? I
    > suspect many charge the overseas rate, pay Akamai's fee and pocket the rest.


    Why should the ISP pay a fee to Akamai? Surely the fee should be paid by
    the person who set up the cache.


    Have A Nice Cup of Tea

    Have A Nice Cup of Tea, Apr 8, 2006
    #11
  12. Alan

    Enkidu Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated

    Have A Nice Cup of Tea wrote:
    > On Sat, 08 Apr 2006 16:16:32 +1200, Don Hills wrote:
    >
    >
    >>Interesting point: For pages that originate overseas but are cached locally,
    >>do ISPs charge their overseas bandwidth rate instead of their local rate? I
    >>suspect many charge the overseas rate, pay Akamai's fee and pocket the rest.

    >
    >
    > Why should the ISP pay a fee to Akamai? Surely the fee should be paid by
    > the person who set up the cache.
    >

    They are not generalized caches. They are specific caches for pages for
    specific clients. If a web page takes more than a few seconds to load
    people will click on to somewhere else. It makes sense to have your
    precious pages cached locally for local users so that they don't click
    on to somewhere else. So the web site owners pay Akamai.

    What Don was getting at was that the pages requested are for an overseas
    site. As far as the ISP is concerned it is overseas traffic and they
    probably charge the overseas charges. I don't believe that they pay
    Akamai directly.

    Cheers,

    Cliff
    Enkidu, Apr 8, 2006
    #12
  13. Re: Unknown IP addresses in my firewall logs (outgoing initiated

    On Sat, 08 Apr 2006 20:41:54 +1200, Enkidu wrote:

    > What Don was getting at was that the pages requested are for an overseas
    > site. As far as the ISP is concerned it is overseas traffic and they
    > probably charge the overseas charges. I don't believe that they pay
    > Akamai directly.


    But aren't most of the ISPs eliminating the local/foreign difference in
    price?

    BTW, of what use would a 200mB data cap be to you? That's Telecom's "entry
    level" broadband offer.

    I could chew through more data than that in one week using dialup let
    alone in a month using a so-called high-speed service.

    And it looks like I'll be downloading another DVD ISO image (SuSE 10.1) in
    the next week or two, and *that* is just a wee bit more than 200mB.


    Have A Nice Cup of Tea

    Have A Nice Cup of Tea, Apr 8, 2006
    #13
  14. Alan

    Alan Guest

    "Have A Nice Cup of Tea" <> wrote in message
    news:p...
    > On Fri, 07 Apr 2006 10:01:10 +1200, Alan wrote:
    >
    >> I don't want to block access to the site and find that it has
    >> silently stuffed up something important that I don't find out about
    >> for a few weeks.

    >
    > LOL
    >
    > For what could it be *important* that you don't already know about?
    >
    >
    > Have A Nice Cup of Tea
    >
    > --
    > Martin Taylor, GM of platform strategy at Microsoft: "We found
    > that the Linux environment provided about 15 percent more end
    > user loss of productivity." - *provided MORE loss of productivity*
    >


    This was the example:

    >
    > Could it be some other form of updates (Symantec virus definitions
    > for
    > example)? If so, how can I tell for sure?
    >


    Do you know how to tell?

    Thanks,

    Alan.
    Alan, Apr 10, 2006
    #14
  15. Alan

    Alan Guest

    "Enkidu" <> wrote in message
    news:44362727$...
    > Alan wrote:
    >> Hi All,
    >>
    >> This is a follow up on an issue I posted on a while back:
    >>
    >> http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >>
    >> I still don't fully understand, so I am looking for a little more
    >> education albeit from a stronger base of knowledge now hopefully!
    >>
    >> I have (again) an unknown IP address being accessed from inside our
    >> LAN serving up a significant amount of data.
    >>
    >> This time, the IP is:
    >>
    >> 210.55.204.214
    >>
    >> If I do a search on that IP in Domain Dossier
    >> (http://centralops.net/co/DomainDossier.aspx) I get the following
    >> extract:
    >>
    >> HTTP/1.0 400 Bad Request
    >> Server: AkamaiGHost
    >> Mime-Version: 1.0
    >> Content-Type: text/html
    >> Content-Length: 187
    >> Expires: Thu, 06 Apr 2006 21:46:18 GMT
    >> Date: Thu, 06 Apr 2006 21:46:18 GMT
    >> Connection: close
    >>
    >> Specifically, we see that 'AkamaiGHost' server again.
    >>
    >> From what I was told last time, this *could* be a server used by
    >> Microsoft to distribute updates etc.
    >>
    >> However, my ISA 2004 server also shows traffic to the following
    >> servers
    >> in the same log:
    >>
    >> download.microsoft.com
    >> office.microsoft.com
    >> www.download.windowsupdate.com
    >> update.microsoft.com
    >> au.download.windowsupdate.com
    >>
    >> Therefore, I am now having concerns that the IP address above is
    >> *not*
    >> a windows / office update site of some sort since they appear in my
    >> logs with their canonical names, not just an IP address.
    >>
    >>
    >> Am I being too paranoid here? If not, and I block access to the IP
    >> address totally, could that have a negative impact on our machines
    >> in
    >> terms of failing to get windows updates (or worse, not even being
    >> aware that there are updates available that they cannot get)?
    >>
    >> Could it be some other form of updates (Symantec virus definitions
    >> for example)? If so, how can I tell for sure?
    >>
    >> I don't want to block access to the site and find that it has
    >> silently stuffed up something important that I don't find out about
    >> for a few weeks.
    >>

    > As you were told when you asked before, Akamai is a caching service
    > used by Microsoft among others. It is NOT a Microsoft distribution
    > server. It is a caching service. It is almost certainly benign. In
    > the very very early days these servers were used as anonymous relays,
    > but those days are LOOONG past.
    >
    > It is a caching service, subscribed to by a number of big content
    > suppliers, not just Microsoft. The NZ Akamai servers are hosted by
    > Xtra I believe.
    >
    > Yes you are being paranoid.
    >
    > Cheers,
    >
    > Cliff



    Hi Cliff,

    Thanks for your answer.

    How do I know that the servers aren't caching, say, music or video
    downloads though?

    We block access to known sources of such files to avoid blowing
    through our monthly data cap, but if the downloads are coming from
    Akamai servers, those blocks would be circumvented?

    Thanks again for your explanations.

    Alan.
    Alan, Apr 10, 2006
    #15
  16. Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > "Have A Nice Cup of Tea" <> wrote in message
    > news:p...
    >> On Fri, 07 Apr 2006 10:01:10 +1200, Alan wrote:
    >>> I don't want to block access to the site and find that it has
    >>> silently stuffed up something important that I don't find out about
    >>> for a few weeks.

    >> For what could it be *important* that you don't already know about?

    > This was the example:
    >> Could it be some other form of updates (Symantec virus definitions
    >> for
    >> example)? If so, how can I tell for sure?

    >
    > Do you know how to tell?


    You could try blocking it to see whether anything dies noisily. If nothing dies
    noisily there's a good chance that you don't want it anyway. Beyond that try
    capturing and examining the traffic.
    Mark Robinson, Apr 10, 2006
    #16
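    One concrete way to act on the advice above (look at the traffic itself rather than the bare IP) is to let the proxy log answer Alan's "how can I tell for sure?": aggregate bytes per destination IP and collect every hostname the same log associated with that IP, so a bare address is either tied to a hostname already seen by name (one of the update hosts Alan listed) or flagged for manual inspection. This is an added example, not code from the thread; the W3C-style log layout and the field names r-host, r-ip, sc-bytes and cs-uri are assumptions, and the records are constructed (documentation IP ranges stand in for real servers).

```python
"""Correlate destination IPs in an outbound proxy log with the hostnames the
proxy recorded for them. Added example; the #Fields layout and field names
are assumed (not a real ISA Server 2004 export) and the records are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hostnames seen by name in the same log, as listed in the thread.
KNOWN_UPDATE_HOSTS = {
    "download.microsoft.com",
    "office.microsoft.com",
    "www.download.windowsupdate.com",
    "update.microsoft.com",
    "au.download.windowsupdate.com",
}

# Constructed sample records. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges used as stand-ins; 210.55.204.214 is the IP in question.
SAMPLE_LOG = """\
#Software: constructed sample, not ISA output
#Fields: date time c-ip r-host r-ip r-port sc-bytes cs-uri
2006-04-06 09:12:01 192.168.1.20 download.microsoft.com 198.51.100.2 80 1843200 http://download.microsoft.com/x.cab
2006-04-06 09:12:05 192.168.1.21 - 210.55.204.214 80 9437184 http://210.55.204.214/foo.exe
2006-04-06 09:13:10 192.168.1.20 au.download.windowsupdate.com 210.55.204.214 80 5242880 http://au.download.windowsupdate.com/y.cab
2006-04-06 09:14:00 192.168.1.22 - 210.55.204.214 80 2097152 http://210.55.204.214/bar.bin
2006-04-06 09:15:00 192.168.1.23 office.microsoft.com 198.51.100.3 80 102400 http://office.microsoft.com/
2006-04-06 09:16:30 192.168.1.24 - 203.0.113.77 80 3145728 http://203.0.113.77/dl/clip.avi
"""


@dataclass
class DestSummary:
    """Traffic volume and every hostname the log associated with one IP."""
    ip: str
    sc_bytes: int = 0
    requests: int = 0
    hostnames: set = field(default_factory=set)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("record appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def hostname_for(record):
    """Hostname the proxy saw for this request, or None if only a bare IP.

    Prefer r-host; fall back to the host part of cs-uri. A host that is just
    the destination IP again tells us nothing, so it also counts as None."""
    host = record.get("r-host", "-")
    if host == "-":
        host = urlsplit(record.get("cs-uri", "")).hostname or "-"
    if host == "-" or host == record["r-ip"]:
        return None
    return host.lower()


def summarise(text):
    """Aggregate bytes, request count and observed hostnames per r-ip."""
    by_ip = {}
    for rec in parse_w3c(text):
        summary = by_ip.setdefault(rec["r-ip"], DestSummary(rec["r-ip"]))
        summary.sc_bytes += int(rec["sc-bytes"])
        summary.requests += 1
        host = hostname_for(rec)
        if host:
            summary.hostnames.add(host)
    return by_ip


def unexplained(by_ip, min_bytes):
    """Heavy destinations that never appeared with any hostname, largest first."""
    hits = [s for s in by_ip.values() if s.sc_bytes >= min_bytes and not s.hostnames]
    return sorted(hits, key=lambda s: -s.sc_bytes)


def explained_by(by_ip, ip, known_hosts):
    """Known hostnames that the log itself shows being served from ip (sorted)."""
    if ip not in by_ip:
        return []
    return sorted(h for h in by_ip[ip].hostnames if h in known_hosts)


if __name__ == "__main__":
    totals = summarise(SAMPLE_LOG)
    for s in sorted(totals.values(), key=lambda s: -s.sc_bytes):
        names = ", ".join(sorted(s.hostnames)) or "(no hostname recorded)"
        print(f"{s.ip:16} {s.sc_bytes:>10} B {s.requests:3} req  {names}")
    for s in unexplained(totals, 1_000_000):
        print(f"inspect manually: {s.ip} moved {s.sc_bytes} B with no hostname")
    print("210.55.204.214 explained by:",
          explained_by(totals, "210.55.204.214", KNOWN_UPDATE_HOSTS))
```

    An IP that is only ever logged bare and still moves a lot of data is the one worth capturing and examining, as Mark suggests; an IP that the same log shows serving a known update hostname is already accounted for.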
  17. Alan

    Enkidu Guest

    Re: Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

    Alan wrote:
    > "Enkidu" <> wrote in message
    > news:44362727$...
    >
    >>Alan wrote:
    >>
    >>>Hi All,
    >>>
    >>>This is a follow up on an issue I posted on a while back:
    >>>
    >>>http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >>>
    >>>I still don't fully understand, so I am looking for a little more
    >>>education albeit from a stronger base of knowledge now hopefully!
    >>>
    >>>I have (again) an unknown IP address being accessed from inside our
    >>>LAN serving up a significant amount of data.
    >>>
    >>>This time, the IP is:
    >>>
    >>>210.55.204.214
    >>>
    >>>If I do a search on that IP in Domain Dossier
    >>>(http://centralops.net/co/DomainDossier.aspx) I get the following
    >>>extract:
    >>>
    >>>HTTP/1.0 400 Bad Request
    >>>Server: AkamaiGHost
    >>>Mime-Version: 1.0
    >>>Content-Type: text/html
    >>>Content-Length: 187
    >>>Expires: Thu, 06 Apr 2006 21:46:18 GMT
    >>>Date: Thu, 06 Apr 2006 21:46:18 GMT
    >>>Connection: close
    >>>
    >>>Specifically, we see that 'AkamaiGHost' server again.
    >>>
    >>>From what I was told last time, this *could* be a server used by
    >>>Microsoft to distribute updates etc.
    >>>
    >>>However, my ISA 2004 server also shows traffic to the following
    >>>servers
    >>>in the same log:
    >>>
    >>>download.microsoft.com
    >>>office.microsoft.com
    >>>www.download.windowsupdate.com
    >>>update.microsoft.com
    >>>au.download.windowsupdate.com
    >>>
    >>>Therefore, I am now having concerns that the IP address above is
    >>>*not*
    >>>a windows / office update site of some sort since they appear in my
    >>>logs with their canonical names, not just an IP address.
    >>>
    >>>
    >>>Am I being too paranoid here? If not, and I block access to the IP
    >>>address totally, could that have a negative impact on our machines
    >>>in
    >>>terms of failing to get windows updates (or worse, not even being
    >>>aware that there are updates available that they cannot get)?
    >>>
    >>>Could it be some other form of updates (Symantec virus definitions
    >>>for example)? If so, how can I tell for sure?
    >>>
    >>>I don't want to block access to the site and find that it has
    >>>silently stuffed up something important that I don't find out about
    >>>for a few weeks.
    >>>

    >>
    >>As you were told when you asked before, Akamai is a caching service
    >>used by Microsoft among others. It is NOT a Microsoft distribution
    >>server. It is a caching service. It is almost certainly benign. In
    >>the very very early days these servers were used as anonymous relays,
    >>but those days are LOOONG past.
    >>
    >>It is a caching service, subscribed to by a number of big content
    >>suppliers, not just Microsoft. The NZ Akamai servers are hosted by
    >>Xtra I believe.
    >>
    >>Yes you are being paranoid.
    >>

    >
    > Thanks for your answer.
    >
    > How do I know that the servers aren't caching, say, music or video
    > downloads though?
    >

    No, you can't tell, just from the IP addresses, what it is that they
    are caching.
    >
    > We block access to known sources of such files to avoid blowing
    > through our monthly data cap, but if the downloads are coming from
    > Akamai servers, those blocks would be circumvented?
    >

    I can think of several ways of bypassing blocking the sources of music,
    video and other big files. And Akamai is not so much a way of bypassing
    such blocks as a DNS 'smoke and mirrors' to improve download speeds for
    sites that subscribe. They are unlikely to be filesharing type sites.
    They are more likely to be eg Microsoft and as someone mentioned, maybe
    Symantec. Big players. I'd say to not bother. Or as others have
    suggested - try it.

    The way to prevent downloads of unwanted files is to publish a policy
    that such downloads are not allowed, and run a program to scan the hard
    drives for illegal files and delete them and warn the downloader!

    People will always find their way around blocks. Downloading large files
    is a people problem and therefore not properly solved by technology.

    Of course, that's just my opinion!

    Cheers,

    Cliff
    Enkidu, Apr 10, 2006
    #17
  18. Alan

    Alan Guest

    "Enkidu" <> wrote in message
    news:443a32e9$...
    > Alan wrote:
    >> "Enkidu" <> wrote in message
    >> news:44362727$...
    >>
    >>>Alan wrote:
    >>>
    >>>>Hi All,
    >>>>
    >>>>This is a follow up on an issue I posted on a while back:
    >>>>
    >>>>http://groups.google.co.nz/group/nz...vb tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc
    >>>>
    >>>>I still don't fully understand, so I am looking for a little more
    >>>>education albeit from a stronger base of knowledge now hopefully!
    >>>>
    >>>>I have (again) an unknown IP address being accessed from inside
    >>>>our
    >>>>LAN serving up a significant amount of data.
    >>>>
    >>>>This time, the IP is:
    >>>>
    >>>>210.55.204.214
    >>>>
    >>>>If I do a search on that IP in Domain Dossier
    >>>>(http://centralops.net/co/DomainDossier.aspx) I get the following
    >>>>extract:
    >>>>
    >>>>HTTP/1.0 400 Bad Request
    >>>>Server: AkamaiGHost
    >>>>Mime-Version: 1.0
    >>>>Content-Type: text/html
    >>>>Content-Length: 187
    >>>>Expires: Thu, 06 Apr 2006 21:46:18 GMT
    >>>>Date: Thu, 06 Apr 2006 21:46:18 GMT
    >>>>Connection: close
    >>>>
    >>>>Specifically, we see that 'AkamaiGHost' server again.
    >>>>
    >>>>From what I was told last time, this *could* be a server used by
    >>>>Microsoft to distribute updates etc.
    >>>>
    >>>>However, my ISA 2004 server also shows traffic to the following
    >>>>servers
    >>>>in the same log:
    >>>>
    >>>>download.microsoft.com
    >>>>office.microsoft.com
    >>>>www.download.windowsupdate.com
    >>>>update.microsoft.com
    >>>>au.download.windowsupdate.com
    >>>>
    >>>>Therefore, I am now having concerns that the IP address above is
    >>>>*not*
    >>>>a windows / office update site of some sort since they appear in
    >>>>my
    >>>>logs with their canonical names, not just an IP address.
    >>>>
    >>>>
    >>>>Am I being too paranoid here? If not, and I block access to the
    >>>>IP
    >>>>address totally, could that have a negative impact on our machines
    >>>>in
    >>>>terms of failing to get windows updates (or worse, not even being
    >>>>aware that there are updates available that they cannot get)?
    >>>>
    >>>>Could it be some other form of updates (Symantec virus definitions
    >>>>for example)? If so, how can I tell for sure?
    >>>>
    >>>>I don't want to block access to the site and find that it has
    >>>>silently stuffed up something important that I don't find out
    >>>>about for a few weeks.
    >>>>
    >>>
    >>>As you were told when you asked before, Akamai is a caching service
    >>>used by Microsoft among others. It is NOT a Microsoft distribution
    >>>server. It is a caching service. It is almost certainly benign. In
    >>>the very very early days these servers were used as anonymous
    >>>relays, but those days are LOOONG past.
    >>>
    >>>It is a caching service, subscribed to by a number of big content
    >>>suppliers, not just Microsoft. The NZ Akamai servers are hosted by
    >>>Xtra I believe.
    >>>
    >>>Yes you are being paranoid.
    >>>

    >>
    >> Thanks for your answer.
    >>
    >> How do I know that the servers aren't caching, say, music or video
    >> downloads though?
    >>

    > No, you can't tell, just from the IP addresses, what it is that
    > they are caching.
    >>
    >> We block access to known sources of such files to avoid blowing
    >> through our monthly data cap, but if the downloads are coming from
    >> Akamai servers, those blocks would be circumvented?
    >>

    > I can think of several ways of bypassing blocking the sources of
    > music, video and other big files. And Akamai is not so much a way of
    > bypassing such blocks as a DNS 'smoke and mirrors' to improve
    > download speeds for sites that subscribe. They are unlikely to be
    > filesharing type sites. They are more likely to be eg Microsoft and
    > as someone mentioned, maybe Symantec. Big players. I'd say to not
    > bother. Or as others have suggested - try it.
    >
    > The way to prevent downloads of unwanted files is to publish a
    > policy that such downloads are not allowed, and run a program to
    > scan the hard drives for illegal files and delete them and warn the
    > downloader!
    >
    > People will always find their way around blocks. Downloading large
    > files is a people problem and therefore not properly solved by
    > technology.
    >
    > Of course, that's just my opinion!
    >
    > Cheers,
    >
    > Cliff


    Hi Cliff,

    I totally agree and we do do that.

    However, if someone ignores or 'accidentally' downloads something big
    like a video file, our data cap is still blown even though we may have
    educated and / or disciplined the offender. Therefore, we have a
    primary control in place (policy and education), and a secondary
    control (block known / common sites).

    Deliberate bypassing of the secondary control also means that we have
    a strong case for disciplinary action if that occurs.

    Thanks,

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Apr 11, 2006
    #18
  19. Alan

    Alan Guest

    "Mark Robinson" <2tod.net> wrote in message
    news:2tod.net...
    > Alan wrote:
    >> "Have A Nice Cup of Tea" <> wrote in message
    >> news:p...
    >>> On Fri, 07 Apr 2006 10:01:10 +1200, Alan wrote:
    >>>> I don't want to block access to the site and find that it has
    >>>> silently stuffed up something important that I don't find out
    >>>> about
    >>>> for a few weeks.
    >>> For what could it be *important* that you don't already know
    >>> about?

    >> This was the example:
    >>> Could it be some other form of updates (Symantec virus definitions
    >>> for
    >>> example)? If so, how can I tell for sure?

    >>
    >> Do you know how to tell?

    >
    > You could try blocking it to see whether anything dies noisily. If
    > nothing dies noisily there's a good chance that you don't want it
    > anyway. Beyond that try capturing and examining the traffic.



    Thanks Mark - I will probably do that and watch the most important
    apps to see if they have issues (Symantec in particular).

    Regards,

    Alan.

    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
    Alan, Apr 11, 2006
    #19
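Mark's advice above (block the address, watch what breaks, then capture and examine the traffic) and Cliff's point that a bare IP tells you nothing about what is being cached both come down to the same thing: judge the destination by what was requested and how much moved, not by the address alone. The script below is an added example, not code from the thread or from any of the posters. It assumes a simplified, constructed log layout (date, time, client IP, destination host or IP, request path, bytes received); a real ISA 2004 export carries more fields and would need its own column mapping. The sample log lines are constructed; the only value taken from the thread is the address 210.55.204.214, which appears in a hypothetical "vetted" range to show how an administrator would record a destination once it has been checked and found to be update traffic. Destinations that are neither a named host nor in a vetted range, and that moved a lot of data, are the ones worth a packet capture.

```python
"""Summarise outbound proxy/firewall log traffic per destination so that a
bare-IP heavy hitter (like the Akamai address in the thread) can be judged
by what was requested and how much moved, rather than by the address alone.

Added example, not from the thread. Log lines below are constructed in a
simplified W3C-style layout; real ISA 2004 exports have more fields."""
import ipaddress

# Constructed sample: date time client-ip dest-host cs-uri bytes-received.
# 203.0.113.0/24 is a documentation range and stands in for an unknown host.
SAMPLE_LOG = """\
2006-04-10 09:01:12 192.168.1.20 download.microsoft.com /download/x/y/WindowsUpdate.cab 4096000
2006-04-10 09:02:40 192.168.1.21 210.55.204.214 /msdownload/update/v3-19990518/cabpool/abc.cab 8192000
2006-04-10 09:03:05 192.168.1.20 update.microsoft.com /v6/windowsupdate/selfupdate/wuident.cab 20480
2006-04-10 09:05:55 192.168.1.22 210.55.204.214 /msdownload/update/v3-19990518/cabpool/def.cab 6553600
2006-04-10 09:07:10 192.168.1.23 203.0.113.77 /videos/clip.avi 73400320
2006-04-10 09:09:31 192.168.1.23 203.0.113.77 /videos/clip2.avi 52428800
"""

# Hypothetical allow-list of destination ranges the administrator has already
# vetted (for instance after the blocking test Mark suggests). The /24 around
# the thread's address is an assumption for the example, not a real CDN range;
# fill this from your own verification, not from here.
KNOWN_RANGES = {
    "cdn-update (vetted)": ipaddress.ip_network("210.55.204.0/24"),
}


def classify(dest):
    """Label a destination: a named host, a vetted range, or an unknown bare IP."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "named host"  # the proxy logged a hostname, not a bare IP
    for label, net in KNOWN_RANGES.items():
        if addr in net:
            return label
    return "unknown ip"


def summarise(log_text):
    """Aggregate bytes, distinct clients and top-level request paths per destination."""
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip header, blank or malformed lines
        _date, _time, client, dest, uri, nbytes = parts
        entry = stats.setdefault(dest, {"bytes": 0, "clients": set(),
                                        "paths": set(), "kind": classify(dest)})
        entry["bytes"] += int(nbytes)
        entry["clients"].add(client)
        # Keep only the first path segment: enough to see /msdownload vs /videos
        entry["paths"].add("/" + uri.strip("/").split("/")[0])
    return stats


def suspicious(stats, min_bytes=50 * 1024 * 1024):
    """Unknown bare-IP destinations that moved at least min_bytes, largest first."""
    return sorted(
        (dest for dest, e in stats.items()
         if e["kind"] == "unknown ip" and e["bytes"] >= min_bytes),
        key=lambda d: -stats[d]["bytes"])


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for dest, e in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{dest:28} {e['kind']:22} {e['bytes']:>12} bytes "
              f"{len(e['clients'])} clients paths={sorted(e['paths'])}")
    print("worth a packet capture:", suspicious(stats))
```

The threshold and the vetted ranges are the two knobs: a data-cap problem like the one in the thread is about volume, so the report is sorted by bytes, and a destination stops being "suspicious" only once it has been verified and added to the allow-list, not because its address happened to look familiar.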