Netgate Discussion Forum

    <solved> Identify underlying destination of content delivery IP

    Category: General pfSense Questions
    4 Posts 3 Posters 630 Views
      MaxBishop
      last edited by MaxBishop

      Hi,

      My firewall logs (and Suricata alerts) show countless connections to content delivery IPs, for example, Akamai, Verizon, etc. I would like to know more about the origin of the content being delivered. For example, is it Microsoft, YouTube, Netflix, etc.
      Is there a way to do this with pfSense?

        NollipfSense @MaxBishop
        last edited by

        @MaxBishop said in Identify underlying destination of content delivery IP:

        Hi,

        My firewall logs (and Suricata alerts) show countless connections to content delivery IPs, for example, Akamai, Verizon, etc. I would like to know more about the origin of the content being delivered. For example, is it Microsoft, YouTube, Netflix, etc.
        Is there a way to do this with pfSense?

        Your question is intriguing... are you saying that content sources are bombarding your network with free delivery and that you were not the original requester? Your Suricata alert should have both source and destination addresses. Do you set up your pfSense box as the only hardware source handling DNS requests? I would surely like Netflix and others such as Apple knocking at my door with free content ONLY if I request it.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          MaxBishop
          last edited by MaxBishop

          Hi,

          Yes, most of which is probably Windows Updates, but I can't be sure. For example, in my Suricata alerts I see:

          ET POLICY PE EXE or DLL Windows file download HTTP, from:
          151.205.28.21   = MCI-Verizon
          8.253.131.120   = Level 3 Parent, LLC
          72.21.81.240    = MCI-Verizon
          104.124.105.168 = Akamai Technologies, Inc.
          151.205.28.21   = Verizon Business
          
            bmeeks @MaxBishop
            last edited by bmeeks

            @MaxBishop
            What you need to do first, before becoming too concerned, is to look in the Suricata alerts and see what internal machine or machines are initiating that traffic. If your firewall is configured as it should be, then nothing can just "come in" from the WAN unless an internal host opened the initial connection. That's how stateful inspection firewalls operate.

            If you have Suricata on the WAN and are using NAT, then finding the internal host is going to be hard. That's why, when using NAT, you should instead run Suricata on the LAN. That way internal hosts will show in alerts with their actual IP address instead of being "NAT'd" to the WAN IP.

            Odds are you are correct and these are simply Windows clients downloading security updates. That particular set of Emerging Threats rules is not really too useful on most networks because the rules will false positive frequently. They really are more appropriate in an enterprise network when you run an internal update server such as something like Microsoft's WSUS. In that case, if you ever had clients downloading an EXE or DLL file from the Internet, it could be potentially bad (but even then, not always bad).

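The two practical points in the thread (find the internal host that opened the flow, and work out what service sits behind a CDN address) can both be pulled from Suricata's EVE JSON log rather than from the IP alone: an alert raised on HTTP traffic carries the Host header under `http.hostname`, and one raised on TLS traffic carries the SNI under `tls.sni`, which is usually the origin service name (for example a windowsupdate.com host served from an Akamai or Verizon address). The script below is an added example, not code from the thread or from the Suricata or pfSense projects. The eve.json records are constructed for illustration using documentation address ranges, the hostnames in them are sample values, and the behaviour on the NAT'd record reflects bmeeks's point that a WAN-side sensor sees the firewall's public address as the source, so the internal initiator cannot be read from that alert.

```python
"""Attribute Suricata EVE alerts to the internal host that opened the flow
and to the origin service behind a CDN destination address.

Added example; the sample records are constructed, not real logs.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample eve.json alert records (one JSON object per line).
SAMPLE_EVE = "\n".join([
    # LAN-side sensor: the real internal client is the flow source and the
    # HTTP Host header names the origin behind the CDN address.
    '{"event_type":"alert","src_ip":"192.168.1.25","dest_ip":"203.0.113.10",'
    '"dest_port":80,"proto":"TCP","alert":{"signature":"ET POLICY PE EXE or DLL '
    'Windows file download HTTP"},"http":{"hostname":"download.windowsupdate.com",'
    '"url":"/c/msdownload/update/software/secu/2024/01/kb-example-x64.cab"}}',
    # Same client over TLS: the origin shows up as the SNI, not a Host header.
    '{"event_type":"alert","src_ip":"192.168.1.25","dest_ip":"203.0.113.44",'
    '"dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY Example TLS rule"},'
    '"tls":{"sni":"www.example-video.net"}}',
    # WAN-side sensor behind NAT: the source is the firewall's public address,
    # so the alert alone cannot say which internal host initiated the flow.
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10",'
    '"dest_port":80,"proto":"TCP","alert":{"signature":"ET POLICY PE EXE or DLL '
    'Windows file download HTTP"},"http":{"hostname":"download.windowsupdate.com"}}',
    # Alert with no app-layer metadata: only the CDN IP is known.
    '{"event_type":"alert","src_ip":"192.168.1.40","dest_ip":"203.0.113.99",'
    '"dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY Example flow rule"}}',
    # Non-alert records (flow, stats, ...) are skipped.
    '{"event_type":"flow","src_ip":"192.168.1.40","dest_ip":"203.0.113.99"}',
])

# Assumed internal address space (RFC 1918); adjust to your LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

NAT_KEY = "NAT'd (WAN sensor)"
UNKNOWN_ORIGIN = "unknown (no HTTP Host / TLS SNI in alert)"


def origin_of(rec):
    """Best available service name behind the destination IP, or None."""
    http = rec.get("http") or {}
    tls = rec.get("tls") or {}
    return http.get("hostname") or tls.get("sni") or None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def attribute_alerts(eve_text):
    """Map each initiating host to (dest_ip, origin, signature) triples.

    Alerts whose source is not an internal address are grouped under
    NAT_KEY: the initiator is hidden behind the firewall and has to be
    correlated against the firewall state table or seen from a LAN sensor.
    """
    by_host = defaultdict(list)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        src = rec["src_ip"]
        key = src if is_internal(src) else NAT_KEY
        by_host[key].append((rec["dest_ip"],
                             origin_of(rec) or UNKNOWN_ORIGIN,
                             rec["alert"]["signature"]))
    return dict(by_host)


def summarize(by_host):
    """Plain-text report: one line per initiator, one per destination."""
    lines = []
    for host in sorted(by_host):
        lines.append(host)
        for dest, origin, sig in by_host[host]:
            lines.append(f"    {dest:<16} -> {origin}  [{sig}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(attribute_alerts(SAMPLE_EVE)))
```

On a pfSense box the same function can be pointed at the Suricata instance's `eve.json` file instead of the constructed string; for the rows that land under the NAT'd key, or that have no Host/SNI at all, the remaining options are a LAN-side Suricata instance as bmeeks suggests, or the firewall's DNS resolver logs, which show which name the client looked up just before the connection.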
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.