Lots of traffic from 220.233.2.202

Mort · Post by **Mort** » Sat Nov 15, 2014 6:26 pm

I'm currently seeing a large amount of data downloading to my computer from 220.233.2.202. This resolves in DNS as just a static Exetel address.

I'm wondering if this is actually an Exetel Akamai cache and my machine is downloading Microsoft updates or something?

Post by **NIrmitha** » Sat Nov 15, 2014 8:28 pm

Hi Mort,

I have escalated your query to our L2 Network team. (Ticket ref : 8525052).
We will update you once we receive any update from them.

Cheers !!

Post by **Dazzled** » Sat Nov 15, 2014 8:30 pm

It's Akamai. Do you read the Daily Mail?

Code: Select all

$ dig www.dailymail.co.uk

; <<>> DiG 9.4.2-P2.1 <<>> www.dailymail.co.uk
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3257
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dailymail.co.uk.		IN	A

;; ANSWER SECTION:
www.dailymail.co.uk.	2420	IN	CNAME	www.dailymail.co.uk.edgesuite.net.
www.dailymail.co.uk.edgesuite.net. 14839 IN CNAME a1613.w8.akamai.net.
a1613.w8.akamai.net.	20	IN	A	220.233.2.202
a1613.w8.akamai.net.	20	IN	A	220.233.2.200

;; Query time: 194 msec
;; SERVER: 220.233.0.4#53(220.233.0.4)
;; WHEN: Sat Nov 15 20:27:02 2014
;; MSG SIZE  rcvd: 146

or, simply:
$ host www.dailymail.co.uk
www.dailymail.co.uk is an alias for www.dailymail.co.uk.edgesuite.net.
www.dailymail.co.uk.edgesuite.net is an alias for a1613.w8.akamai.net.
a1613.w8.akamai.net has address 220.233.2.202
a1613.w8.akamai.net has address 220.233.2.200

Mort · Post by **Mort** » Sat Nov 15, 2014 10:43 pm

The dailymail? No, but that's a rather unusual leap to make isn't it? Looking at the trace you posted I'm guessing that the dailymail is also cached through the Akamai network and just has a reverse lookup matching to it as well.

Matching the download traffic against my hard drive IO it looks like it was Microsoft updates downloading. I don't normally see that as I use a local WSUS (ConfigMgr) server to deliver updates, but I'm running the Windows10 tech preview which must have been downloading the latest build version direct from MS.

I'd still like confirmation though as this is an IP that resolves as an Exetel address, so it seems odd to not have put a more descriptive entry for a network appliance rather than leaving it as the default Exetel static host entry.

Post by **Dazzled** » Sat Nov 15, 2014 10:54 pm

Reverse lookups of Akamai servers is not straightforward. A reverse DNS lookup will get you Exetel.

Host is a Linux application, but any OS can run dig or nslookup to look up the MS address. You could also connect to the IP address with MS's URL in the GET request Host field. Also try updating, and use netstat or other utility that displays the connected IP.

Exetel customer help forum

Lots of traffic from 220.233.2.202

Lots of traffic from 220.233.2.202

Re: Lots of traffic from 220.233.2.202

Re: Lots of traffic from 220.233.2.202

Re: Lots of traffic from 220.233.2.202

Re: Lots of traffic from 220.233.2.202