Unknown IP addresses in my firewall logs (outgoing initiated web traffic)

Discussion in 'NZ Computing' started by Alan, Apr 6, 2006.

  1. Alan

    Alan Guest

    Hi All,

    This is a follow up on an issue I posted on a while back:

    http://groups.google.co.nz/group/nz...vb+tracing&rnum=1&hl=en&#doc_6a3ee16bd7e417bc

    I still don't fully understand, so I am looking for a little more
    education albeit from a stronger base of knowledge now hopefully!

    I have (again) an unknown IP address being accessed from inside our
    LAN serving up a significant amount of data.

    This time, the IP is:

    210.55.204.214

    If I do a search on that IP in Domain Dossier
    (http://centralops.net/co/DomainDossier.aspx) I get the following
    extract:

    HTTP/1.0 400 Bad Request
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 187
    Expires: Thu, 06 Apr 2006 21:46:18 GMT
    Date: Thu, 06 Apr 2006 21:46:18 GMT
    Connection: close

    Specifically, we see that 'AkamaiGHost' server again.

    From what I was told last time, this *could* be a server used by
    Microsoft to distribute updates etc.

    However, my ISA 2004 server also shows traffic to the following
    servers in the same log:

    download.microsoft.com
    office.microsoft.com
    www.download.windowsupdate.com
    update.microsoft.com
    au.download.windowsupdate.com

    Therefore, I am now having concerns that the IP address above is *not*
    a windows / office update site of some sort since they appear in my
    logs with their canonical names, not just an IP address.


    Am I being too paranoid here? If not, and I block access to the IP
    address totally, could that have a negative impact on our machines in
    terms of failing to get windows updates (or worse, not even being
    aware that there are updates available that they cannot get)?

    Could it be some other form of updates (Symantec virus definitions for
    example)? If so, how can I tell for sure?

    I don't want to block access to the site and find that it has
    silently stuffed up something important that I don't find out about
    for a few weeks.

    Thanks,

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Apr 6, 2006
    #1

  2. muzz

    muzz Guest

    I tried that IP (210.55.204.214) in APNIC whois
    (http://www.apnic.net/apnic-bin/whois.pl) and got:

    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 210.55.192.0 - 210.55.223.255
    netname: NETWAY-6
    descr: Netway Communications Ltd
    descr: 209 Queen St, Auckland
    country: NZ
    admin-c: DBK1-AP
    tech-c: TNZ1-AP
    notify:
    mnt-by: APNIC-HM
    mnt-lower: NZTELECOM
    status: ALLOCATED PORTABLE
    changed: 20020918
    changed: 20040906
    changed: 20041123
    changed: 20041214
    source: APNIC

    role: Telecom New ZealandIPRegistry
    address: Telecom New Zealand IP Registry
    address: 31 Airedale Street,
    address: Auckland
    country: NZ
    phone: +64-9-363-5861
    fax-no: +64-9-379-4790
    e-mail:
    trouble:
    admin-c: DBK1-AP
    tech-c: BS3-AP
    nic-hdl: TNZ1-AP
    mnt-by: NZTELECOM
    notify:
    changed: 20031023
    changed: 20041122
    source: APNIC

    person: Don Kendrick
    address: Telecom NZ
    address: 31 Airedale
    address: Auckland
    country: NZ
    phone: +64-9-363-5861
    fax-no: +64-9-379-4790
    e-mail:
    nic-hdl: DBK1-AP
    mnt-by: NZTELECOM
    changed: 20020702
    source: APNIC
     
    muzz, Apr 7, 2006
    #2

  3. EMB

    EMB Guest

    Google and learn about how akamai works - then you'll understand wtf is
    going on.
     
    EMB, Apr 7, 2006
    #3
  4. Alan

    Alan Guest

    {Snip}

    Yup - but what does that mean in the context of my query as to actions
    to take or not?

    Thanks,

    Alan.
     
    Alan, Apr 7, 2006
    #4
  5. Alan

    Alan Guest


    Hi EMB,

    I did that already, but I cannot see how I can tell what is being
    mirrored from a given IP at a given point in time.

    Nothing I could find helps in terms of the decision I need to make, it
    all just appears to be about Akamai and what they do which is very
    interesting but irrelevant to the question at hand.

    Are you able to shed any light on the actual problem of whether to
    block a given IP and what the implications might be?

    Thanks,

    Alan.
     
    Alan, Apr 7, 2006
    #5
  6. LOL

    For what could it be *important* that you don't already know about?


    Have A Nice Cup of Tea
     
    Have A Nice Cup of Tea, Apr 7, 2006
    #6
  7. EMB

    EMB Guest

    All manner of large software vendors use the Akamai servers for
    distribution of updates. I'm unsure as to whether blocking this
    particular IP address would break that process or merely cause the
    Akamai process to re-route your downloads to another server. Either way
    the result won't solve your problems.
     
    EMB, Apr 7, 2006
    #7
  8. Enkidu

    Enkidu Guest

    As you were told when you asked before, Akamai is a caching service used
    by Microsoft among others. It is NOT a Microsoft distribution server. It
    is a caching service. It is almost certainly benign. In the very very
    early days these servers were used as anonymous relays, but those days
    are LOOONG past.

    It is a caching service, subscribed to by a number of big content
    suppliers, not just Microsoft. The NZ Akamai servers are hosted by Xtra
    I believe.

    Yes you are being paranoid.

    Cheers,

    Cliff
     
    Enkidu, Apr 7, 2006
    #8
  9. Enkidu

    Enkidu Guest

    That's the nature of a cache. You don't know what's in it, but you know
    that it has been accessed frequently in the recent past. You just know
    that if you need to access something that happens to be cached, you will
    get it quickly and locally instead of having to drag it in from offshore.

    Cheers,

    Cliff
     
    Enkidu, Apr 7, 2006
    #9
  10. Don Hills

    Don Hills Guest

    Interesting point: For pages that originate overseas but are cached locally,
    do ISPs charge their overseas bandwidth rate instead of their local rate? I
    suspect many charge the overseas rate, pay Akamai's fee and pocket the rest.
     
    Don Hills, Apr 8, 2006
    #10
  11. Why should the ISP pay a fee to Akamai? Surely the fee should be paid by
    the person who set up the cache.


    Have A Nice Cup of Tea
     
    Have A Nice Cup of Tea, Apr 8, 2006
    #11
  12. Enkidu

    Enkidu Guest

    They are not generalized caches. They are specific caches for pages for
    specific clients. If a web page takes more than a few seconds to load
    people will click on to somewhere else. It makes sense to have your
    precious pages cached locally for local users so that they don't click
    on to somewhere else. So the web site owners pay Akamai.

    What Don was getting at was that the pages requested are for an overseas
    site. As far as the ISP is concerned it is overseas traffic and they
    probably charge the overseas charges. I don't believe that they pay
    Akamai directly.

    Cheers,

    Cliff
     
    Enkidu, Apr 8, 2006
    #12
  13. But aren't most of the ISPs eliminating the local/foreign difference in
    price?

    BTW, of what use would a 200mB data cap be to you? That's Telecom's "entry
    level" broadband offer.

    I could chew through more data than that in one week using dialup let
    alone in a month using a so-called high-speed service.

    And it looks like I'll be downloading another DVD ISO image (SuSE 10.1) in
    the next week or two, and *that* is just a wee bit more than 200mB.


    Have A Nice Cup of Tea
     
    Have A Nice Cup of Tea, Apr 8, 2006
    #13
  14. Alan

    Alan Guest

    This was the example:
    Do you know how to tell?

    Thanks,

    Alan.
     
    Alan, Apr 10, 2006
    #14
  15. Alan

    Alan Guest


    Hi Cliff,

    Thanks for your answer.

    How do I know that the servers aren't caching, say, music or video
    downloads though?

    We block access to known sources of such files to avoid blowing
    through our monthly data cap, but if the downloads are coming from
    Akamai servers, those blocks would be circumvented?

    Thanks again for your explanations.

    Alan.
     
    Alan, Apr 10, 2006
    #15
  16. You could try blocking it to see whether anything dies noisily. If nothing dies
    noisily there's a good chance that you don't want it anyway. Beyond that try
    capturing and examining the traffic.
     
    Mark Robinson, Apr 10, 2006
    #16
  17. Enkidu

    Enkidu Guest

    No, you can't tell, just from the IP addresses, what it is that they
    are caching.
    I can think of several ways of bypassing blocking the sources of music
    video and other big files. And Akamai is not so much a way of bypassing
    such blocks as a DNS 'smoke and mirrors' to improve download speeds for
    sites that subscribe. They are unlikely to be filesharing type sites.
    They are more likely to be eg Microsoft and as someone mentioned, maybe
    Symantec. Big players. I'd say to not bother. Or as others have
    suggested - try it.

    The way to prevent downloads of unwanted files is to publish a policy
    that such downloads are not allowed, and run a program to scan the hard
    drives for illegal files and delete them and warn the downloader!

    People will always find their way around blocks. Downloading large files
    is a people problem and therefore not properly solved by technology.

    Of course, that's just my opinion!

    Cheers,

    Cliff
     
    Enkidu, Apr 10, 2006
    #17
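    One way to do the triage that muzz's whois lookup (#2) and the "capture and examine the traffic" advice (#16, #17) point at, as an added example that is not part of the thread: a small Python script that totals bytes per destination from constructed ISA-style log lines, flags bare-IP destinations that fall inside the whois inetnum range quoted above, and reads the Server: header from a response head like the Domain Dossier extract. The log line layout, client addresses and byte counts are assumed and constructed; the whois range, netname and Server value are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed from the APNIC and Domain Dossier extracts quoted in the thread (needed fields only).
WHOIS_TEXT = "inetnum: 210.55.192.0 - 210.55.223.255\nnetname: NETWAY-6\n"
HTTP_HEAD = "HTTP/1.0 400 Bad Request\r\nServer: AkamaiGHost\r\nContent-Length: 187\r\n"

# Constructed ISA-style log lines (assumed layout): client, destination, bytes; bare IP where no name was seen.
LOG_LINES = [
    "192.168.1.10 download.microsoft.com 5242880",
    "192.168.1.12 210.55.204.214 7340032",
    "192.168.1.15 au.download.windowsupdate.com 1048576",
    "192.168.1.20 210.55.204.214 2097152",
    "192.168.1.22 203.0.113.77 4194304",
]
def parse_inetnum(whois_text):
    """Return (first, last, netname) from an APNIC-style inetnum record."""
    rng = re.search(r"inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", whois_text)
    name = re.search(r"netname:\s*(\S+)", whois_text)
    return ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2)), name.group(1)

def server_header(http_head):
    """Return the Server: value from a raw HTTP response head, or None."""
    m = re.search(r"^Server:\s*(.+?)\s*$", http_head, re.MULTILINE)
    return m.group(1) if m else None

def classify(log_lines, whois_text):
    """Total bytes per destination; returns {destination: (bytes, label)}."""
    first, last, netname = parse_inetnum(whois_text)
    totals = defaultdict(int)
    for line in log_lines:
        _client, dest, nbytes = line.split()
        totals[dest] += int(nbytes)
    labelled = {}
    for dest, total in totals.items():
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:  # not an IP literal, so the proxy saw a hostname
            labelled[dest] = (total, "named host")
            continue
        inside = first <= addr <= last
        labelled[dest] = (total, f"bare IP in {netname} range" if inside
                          else "bare IP, outside known ranges")
    return labelled

if __name__ == "__main__":
    print("Server header:", server_header(HTTP_HEAD))
    for dest, (total, label) in sorted(classify(LOG_LINES, WHOIS_TEXT).items()):
        print(f"{dest:32} {total:>10} bytes  {label}")
```

    The labels only say which netblock a bare IP sits in and how much it served; as Cliff says, they cannot reveal what a cache is holding, so the heavy bare-IP sinks are the ones to capture and inspect next.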
  18. Alan

    Alan Guest

    Hi Cliff,

    I totally agree and we do do that.

    However, if someone ignores or 'accidentally' downloads something big
    like a video file, our data cap is still blown even though we may have
    educated and / or disciplined the offender. Therefore, we have a
    primary control in place (policy and education), and a secondary
    control (block known / common sites).

    Deliberate bypassing of the secondary control also means that we have
    a strong case for disciplinary action if that occurs.

    Thanks,

    Alan.
     
    Alan, Apr 11, 2006
    #18
  19. Alan

    Alan Guest


    Thanks Mark - I will probably do that and watch the most important
    apps to see if they have issues (Symantec in particular).

    Regards,

    Alan.

     
    Alan, Apr 11, 2006
    #19