<solved> Identify underlying destination of content delivery IP



  • Hi,

    My firewall logs (and Suricata alerts) show countless connections to content delivery IPs, for example, Akamai, Verizon, etc. I would like to know more about the origin of the content being delivered. For example, is it Microsoft, youtube, netflix, etc.
    Is there a way to do this with pfSense?



  • @MaxBishop said in Identify underlying destination of content delivery IP:

    Hi,

    My firewall logs (and Suricata alerts) show countless connections to content delivery IPs, for example, Akamai, Verizon, etc. I would like to know more about the origin of the content being delivered. For example, is it Microsoft, youtube, netflix, etc.
    Is there a way to do this with pfSense?

    Your question is intriguing...are you saying that content sources are bombarding your network with free delivery and that you were not the original requester? Your Suricata alert should have both source and destination addresses. Do you set up your pfSense box as the only hardware source handling DNS request? I would surely like Netflix and others such as Apple knocking at my door with free content ONLY if I request it.



  • Hi,

    Yes, most of which is probably Windows Updates, but I can't be sure. For example, in my Suricata alerts I see:

    ET POLICY PE EXE or DLL Windows file download HTTP From:
    IP is 151.205.28.21 = MCI-Verizon
    8.253.131.120 =  Level 3 Parent, LLC
    72.21.81.240 = MCI-Verizon
    104.124.105.168 = Akamai Technologies, Inc.
    151.205.28.21 = Verizon Business
    


  • @MaxBishop
    What you need to do first, before becoming too concerned, is to look in the Suricata alerts and see what internal machine or machines are initiating that traffic. If your firewall is configured as it should be, then nothing can just "come in" from the WAN unless an internal host opened the initial connection. That's how stateful inspection firewalls operate.

    If you have Suricata on the WAN and are using NAT, then finding the internal host is going to be hard. That's why, when using NAT, you should instead run Suricata on the LAN. That way internal hosts will show in alerts with their actual IP address instead of being "NAT'd" to the WAN IP.

    Odds are you are correct and these are simply Windows clients downloading security updates. That particular set of Emerging Threats rules is not really too useful on most networks because the rules will false positive frequently. They really are more appropriate in an enterprise network when you run an internal update server such as something like Microsoft's WSUS. In that case, if you ever had clients downloading an EXE or DLL file from the Internet, it could be potentially bad (but even then, not always bad).

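The advice above boils down to two lookups: which internal host initiated each flow, and what service name sits behind the CDN address. Suricata's EVE JSON alert output carries both, because alerts include the HTTP `Host` header (`http.hostname`) or the TLS server name (`tls.sni`) that the client sent, and that name identifies the origin far better than the CDN IP's ownership. The following script is an added example, not code from this thread, pfSense or the Suricata project; it parses a few constructed `eve.json` lines (the IPs are the ones quoted in the thread, the LAN range, WAN address and hostnames are made up) and groups alerts by internal host and origin hostname. It also shows why the NAT point matters: an alert whose endpoints are both outside the LAN range (the WAN-side view) cannot be attributed to an internal host at all.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed LAN range (constructed for this example); adjust to your own network.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

SIG = "ET POLICY PE EXE or DLL Windows file download HTTP"  # signature name from the thread

# Constructed eve.json lines (not real captures). The field layout follows
# Suricata's EVE JSON alert records: src_ip/dest_ip plus http.hostname or tls.sni.
SAMPLE_EVE_LINES = [
    # Rule fired on the request: LAN client is src, CDN edge is dest.
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "104.124.105.168",
                "alert": {"signature": SIG}, "http": {"hostname": "updates.vendor-a.example",
                                                       "url": "/patch.exe"}}),
    # Rule fired on the response: CDN edge is src, LAN client is dest.
    json.dumps({"event_type": "alert", "src_ip": "151.205.28.21", "dest_ip": "192.168.1.20",
                "alert": {"signature": SIG}, "http": {"hostname": "updates.vendor-a.example",
                                                       "url": "/patch.dll"}}),
    # TLS flow: no Host header, but the SNI names the origin service.
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.35", "dest_ip": "72.21.81.240",
                "alert": {"signature": "CONSTRUCTED example TLS policy alert"},
                "tls": {"sni": "video.vendor-b.example"}}),
    # Same download seen on the WAN interface behind NAT: src is the WAN IP (constructed,
    # TEST-NET-3), so the internal host is not recoverable from the alert.
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.5", "dest_ip": "8.253.131.120",
                "alert": {"signature": SIG}, "http": {"hostname": "updates.vendor-a.example"}}),
    # Non-alert record types (flow, dns, ...) are skipped.
    json.dumps({"event_type": "flow", "src_ip": "192.168.1.20", "dest_ip": "104.124.105.168"}),
]


def parse_eve(lines):
    """Return the alert records from an iterable of eve.json lines, ignoring junk."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line, common when tailing a live file
        if ev.get("event_type") == "alert":
            events.append(ev)
    return events


def is_internal(ip, lan_net=LAN_NET):
    """True if the address falls inside the LAN range."""
    try:
        return ipaddress.ip_address(ip) in lan_net
    except ValueError:
        return False


def origin_hint(ev):
    """Best available indicator of the service behind the CDN IP, or None."""
    http = ev.get("http") or {}
    tls = ev.get("tls") or {}
    return http.get("hostname") or tls.get("sni") or None


def summarize(events, lan_net=LAN_NET):
    """Group alerts by initiating LAN host, then by origin hostname.

    Returns (summary, unattributed) where unattributed counts alerts whose
    endpoints are both outside the LAN (the NAT'd WAN-side view).
    """
    summary = defaultdict(lambda: defaultdict(int))
    unattributed = 0
    for ev in events:
        src, dst = ev.get("src_ip", ""), ev.get("dest_ip", "")
        # The rule may fire on either direction, so pick whichever end is internal.
        if is_internal(src, lan_net):
            internal, cdn_ip = src, dst
        elif is_internal(dst, lan_net):
            internal, cdn_ip = dst, src
        else:
            unattributed += 1
            continue
        key = origin_hint(ev) or f"unknown ({cdn_ip})"
        summary[internal][key] += 1
    return {host: dict(origins) for host, origins in summary.items()}, unattributed


if __name__ == "__main__":
    by_host, missing = summarize(parse_eve(SAMPLE_EVE_LINES))
    for host, origins in sorted(by_host.items()):
        for name, count in sorted(origins.items()):
            print(f"{host:15} {count:3}  {name}")
    print(f"alerts with no identifiable internal host (NAT'd WAN view): {missing}")
```

Run it against a real file with `summarize(parse_eve(open("/var/log/suricata/eve.json")))`, with `LAN_NET` set to your own range. When the hostname column is empty for most rows, the sensor is likely on the WAN side where only the translated address is visible, which is exactly the case the reply above tells you to avoid by running Suricata on the LAN interface.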